fix(github): Cast app ID to string for PyJWT 2.12.0 iss claim

michelletran-sentry · claude · michelletran-sentry · commit 33d02c91869c · 2026-03-31T12:40:33.000-04:00
PyJWT 2.11.0+ validates that the iss claim must be a string during
encoding. The github-app.id and github.integration-app-id options are
registered with default=0 (int), so options.get() returns an int,
causing InvalidClaimError. Cast to str() in both JWT generation paths.

Co-Authored-By: Claude &lt;noreply@anthropic.com&gt;
diff --git a/src/sentry/integrations/github/utils.py b/src/sentry/integrations/github/utils.py
@@ -16,7 +16,7 @@
 
 def get_jwt(github_id: str | None = None, github_private_key: str | None = None) -> str:
     if github_id is None:
-        github_id = options.get("github-app.id")
+        github_id = str(options.get("github-app.id"))
     if github_private_key is None:
         github_private_key = options.get("github-app.private-key")
     exp_ = datetime.datetime.utcnow() + datetime.timedelta(minutes=10)
diff --git a/src/sentry_plugins/github/client.py b/src/sentry_plugins/github/client.py
@@ -99,7 +99,7 @@ def get_jwt(self) -> str:
             # JWT expiration time (10 minute maximum)
             "exp": exp,
             # Integration's GitHub identifier
-            "iss": options.get("github.integration-app-id"),
+            "iss": str(options.get("github.integration-app-id")),
         }
 
         return jwt.encode(payload, options.get("github.integration-private-key"), algorithm="RS256")

Original file line number	Diff line number	Diff line change
`@@ -99,7 +99,7 @@ def get_jwt(self) -> str:`
`99`	`99`	`# JWT expiration time (10 minute maximum)`
`100`	`100`	`"exp": exp,`
`101`	`101`	`# Integration's GitHub identifier`
`102`		`- "iss": options.get("github.integration-app-id"),`
	`102`	`+ "iss": str(options.get("github.integration-app-id")),`
`103`	`103`	`}`
`104`	`104`
`105`	`105`	`return jwt.encode(payload, options.get("github.integration-private-key"), algorithm="RS256")`