# How to Sell Access to a Private GitHub Repo

> Learn how to sell access to a private GitHub repository using Dodo Payments license keys and the GitHub API to automate invitations on successful payment.
- **Author**: Ayush Agarwal
- **Published**: 2026-03-28
- **Category**: Payments, Developer Tools, How-To
- **URL**: https://dodopayments.com/blogs/sell-github-repo-access

---

Selling access to a private GitHub repository has become a popular way for developers to monetize their work. Whether you are selling a SaaS boilerplate, a starter kit, or a specialized library, the challenge is always the same: how do you automate the process of granting access once a payment is confirmed?

In this guide, we will show you how to build a fully automated system for selling GitHub repo access using Dodo Payments and the GitHub API. We will use Dodo's native license key feature to authorize users and a simple webhook handler to trigger the GitHub invitation. This setup ensures that your customers get instant access to your code while you focus on building.

## Why Sell Access to GitHub Repos?

GitHub is the natural home for code. By selling access to a private repository, you provide your customers with a familiar environment where they can receive updates, report issues, and contribute back. It is much more professional than sending a ZIP file via email.

> License key management looks simple until you need activation limits, device tracking, and expiration logic across thousands of customers. Building this yourself is a distraction from your core product.
>
> \- Ayush Agarwal, Co-founder & CPTO at Dodo Payments

For developers, this model is highly scalable. You can sell the same boilerplate or library to hundreds of customers without any manual intervention. When you combine this with Dodo Payments, you also get the benefit of a Merchant of Record that handles all the global tax and compliance issues for you.

## The Architecture of Automated Access

The system we are building consists of three main parts: the Dodo Payments checkout, a webhook handler on your server, and the GitHub API. When a user completes a purchase, Dodo sends a webhook to your server. Your server then uses the GitHub API to invite the user to your private repository.

```mermaid
flowchart LR
    A[Customer] -->|"Purchases Access"| B[Dodo Payments]
    B -->|"Webhook: payment.succeeded"| C[Your Server]
    C -->|"GitHub API: Invite User"| D[GitHub Repo]
    D -->|"Email Invitation"| A
    C -->|"Issue License Key"| B
    B -->|"Email Key"| A
```

This flow ensures that the user receives both a license key for your software and an invitation to the repository almost instantly.

## Setting Up Dodo Payments for License Keys

The first step is to configure your product in the Dodo Payments dashboard to issue license keys. License keys are unique tokens that authorize access to your product. They are ideal for gating access to digital goods like GitHub repositories.

1. **Create a Product**: In your Dodo dashboard, create a new product for your repository access.
2. **Enable License Keys**: In the product settings, toggle the "License Keys" option.
3. **Configure Expiry**: You can set the license keys to never expire or to expire after a certain period if you are selling a subscription.
4. **Set Activation Limits**: For repo access, you might want to limit the number of GitHub accounts a single license key can be associated with.

Once configured, Dodo will automatically generate a unique license key for every successful purchase and include it in the customer's confirmation email.

## Authenticating with the GitHub API

To automate invitations, you will need a GitHub Personal Access Token (PAT) with the `repo` and `admin:org` scopes. This token allows your server to act on your behalf to invite users to your repository.

```bash
# Store your GitHub token in your .env file
GITHUB_TOKEN=your_github_pat_here
GITHUB_REPO_OWNER=your_username
GITHUB_REPO_NAME=your_private_repo
```

We recommend using a fine-grained PAT for better security, limiting its access to only the specific repository you are selling.

## Building the Webhook Handler

Now, let's build the core of our system: the webhook handler. We will use Node.js and Express for this example, but the logic applies to any backend framework. We will use the `octokit` library to interact with the GitHub API.

```javascript
const { Octokit } = require("@octokit/rest");
const DodoPayments = require("dodopayments");

const octokit = new Octokit({ auth: process.env.GITHUB_TOKEN });
const dodo = new DodoPayments({
  bearerToken: process.env.DODO_PAYMENTS_API_KEY,
  webhookKey: process.env.DODO_PAYMENTS_WEBHOOK_KEY,
});

app.post("/webhook", async (req, res) => {
  const payload = req.body;
  const headers = req.headers;

  try {
    const event = dodo.webhooks.unwrap(payload, headers);

    if (event.type === "payment.succeeded") {
      const { customer, metadata } = event.data;
      const githubUsername = metadata.github_username;

      // Invite the user to the GitHub repository
      await octokit.repos.addCollaborator({
        owner: process.env.GITHUB_REPO_OWNER,
        repo: process.env.GITHUB_REPO_NAME,
        username: githubUsername,
        permission: "pull",
      });

      console.log(
        `Invited ${githubUsername} to ${process.env.GITHUB_REPO_NAME}`,
      );
    }

    res.status(200).send("OK");
  } catch (error) {
    console.error("Webhook error:", error);
    res.status(401).send("Invalid signature");
  }
});
```

In this example, we assume that you have collected the user's GitHub username during the checkout process using Dodo's custom metadata fields. This ensures that you have the correct information to send the invitation.

## Collecting GitHub Usernames during Checkout

To make the automation work, you need to know the customer's GitHub username. You can collect this information on your checkout page by adding a custom field to the Dodo Payments checkout session.

```javascript
const session = await dodo.checkoutSessions.create({
  product_cart: [{ product_id: "pdt_123", quantity: 1 }],
  customer: { email: "customer@example.com" },
  metadata: {
    github_username: "customer_github_handle",
  },
});
```

When the payment succeeds, this metadata is passed along in the webhook payload, allowing your server to know exactly who to invite.

## Managing Access and Revocations

What happens if a user requests a refund or their subscription expires? You need a way to revoke their access to the repository. Dodo Payments makes this easy with its webhook system. You can listen for `refund.succeeded` or `subscription.cancelled` events and trigger a removal from the GitHub repository.

```javascript
if (event.type === "subscription.cancelled") {
  const { metadata } = event.data;
  const githubUsername = metadata.github_username;

  await octokit.repos.removeCollaborator({
    owner: process.env.GITHUB_REPO_OWNER,
    repo: process.env.GITHUB_REPO_NAME,
    username: githubUsername,
  });

  console.log(`Removed ${githubUsername} from ${process.env.GITHUB_REPO_NAME}`);
}
```

This ensures that your private code remains protected and that only active, paying customers have access.

## Best Practices for Selling Code Access

When selling access to a GitHub repository, keep these best practices in mind:

- **Use a Dedicated Organization**: If you are selling multiple repositories, consider creating a GitHub Organization. This makes it easier to manage permissions and teams.
- **Provide Clear Instructions**: In your confirmation email, explain exactly how the user will receive their invitation and what they need to do to accept it.
- **Automate Everything**: The more manual steps you have, the more likely something is to go wrong. Aim for a "zero-touch" fulfillment process.
- **Monitor for Abuse**: Keep an eye on your repository's activity. If you notice a single user downloading the entire repo multiple times from different IPs, they might be sharing their access.
- **Keep Your Code Updated**: One of the main reasons people buy repo access is for the updates. Ensure you are regularly pushing improvements and bug fixes.

## Merchant of Record: The Secret Sauce

Selling digital goods globally is a tax nightmare. Every country has different rules for VAT, sales tax, and digital services. If you were to handle this yourself, you would spend more time on paperwork than on code.

Dodo Payments acts as your Merchant of Record. This means they are the legal seller of your product. They calculate the correct tax for every customer, collect it, and remit it to the proper authorities. They also handle compliance with global regulations like GDPR and CCPA. This allows you to sell your GitHub repo access to customers in over 220+ countries and regions with zero tax liability.

## Conclusion

Selling access to a private GitHub repository is a powerful way to monetize your expertise. By combining the professional environment of GitHub with the robust payment and license management of Dodo Payments, you can build a highly automated and scalable business.

Whether you are selling a [SaaS boilerplate](https://dodopayments.com/blogs/replace-stripe-saas-boilerplate) or a specialized [data product](https://dodopayments.com/blogs/sell-datasets-data-products), the principles remain the same: automate the access, protect your code, and let Dodo handle the taxes.

For more information on building with Dodo Payments, check out our guides on [how to sell software online](https://dodopayments.com/blogs/how-to-sell-software-online) and [software license management](https://dodopayments.com/blogs/software-license-management). You can also explore the [best platforms to sell digital products](https://dodopayments.com/blogs/best-platform-sell-digital-products) to see how Dodo compares.

Ready to start selling? [Sign up for Dodo Payments](https://dodopayments.com) today and get your GitHub repo monetization up and running in minutes.

## FAQ

### Can I sell access to multiple repositories with one purchase?

Yes! You can modify your webhook handler to invite the user to multiple repositories. Simply loop through a list of repository names and call the GitHub API for each one.

### How do I handle users who don't have a GitHub account?

In your checkout instructions, make it clear that a GitHub account is required. If a user provides an invalid username, your webhook handler should catch the error and perhaps send an automated email asking them to provide a valid handle.

### Is it safe to store my GitHub PAT on my server?

Yes, as long as you use environment variables and follow standard security practices. Ensure your server is not publicly accessible and that your `.env` file is never committed to version control.

### Can I sell repo access as a subscription?

Absolutely. Dodo Payments has native support for subscriptions. You can listen for subscription events to grant and revoke access as the user's payment status changes.

### What if a user changes their GitHub username?

If a user changes their username, they will need to contact you to update their access. You can then manually update their collaborator status in GitHub or build a simple admin tool to handle this.

## Final Thoughts

The developer economy is booming, and selling code is at the heart of it. By using tools like Dodo Payments and GitHub, you are leveraging the best of both worlds: a world-class developer platform and a world-class payment infrastructure.

Explore our [license keys documentation](https://docs.dodopayments.com/features/license-keys) and [webhook guide](https://docs.dodopayments.com/developer-resources/webhooks) to dive deeper into the technical details. Your journey to monetizing your code starts today.