Skip to main content
Lettuce ships three first-class git-provider integrations: GitHub App, GitLab OAuth, and Bitbucket OAuth. As the admin connecting your organization to Lettuce, you’ll see the same shape for all three — Connect → authorize → pick repos → done. This page is the one-screen map of what each provider asks for and what Lettuce does with it. Each per-provider page walks you through the click-by-click connect flow.

Two ways to add a repo

FlowWhen to useWhat you get
Connect a providerYour team’s repos live on GitHub / GitLab / Bitbucket.A picker of every repo Lettuce can see, one-click add, push webhooks wired automatically.
Paste a git URLPublic repos, mirrors, anything that isn’t on the three big hosts.Manual git clone over HTTPS. Webhooks are off by default — wire them up via Add a webhook if you want auto-refresh.
The two paths coexist. Even with all three providers connected, the Other (paste URL) tab in the Add-repo dialog stays available for the long tail.

Shared per-account webhook secret

All three providers point at one URL per account, signed by one secret per account:
https://diet.uselettuce.dev/v1/{provider}/webhook/{account_id}
The secret is auto-generated the first time your account adds a repo (or opens the Webhook card under Account settings). Lettuce stores it once and reuses it for every repo on every provider — so adding a fourth repo to your GitHub install doesn’t generate yet another secret to copy around. Signature schemes differ:
ProviderHeaderAlgorithm
GitHubX-Hub-Signature-256HMAC-SHA256 over the request body
GitLabX-Gitlab-TokenLiteral token compare (GitLab does not HMAC)
BitbucketX-Hub-SignatureHMAC-SHA256 over the request body
Lettuce verifies the appropriate header for each delivery before doing any work, so a forged delivery is rejected with 401.

Scopes at a glance

ProviderScope / permissionWhy
GitHub Appcontents:readRead repo contents for clone + index.
GitHub Appmetadata:readList repos visible to the installation.
GitHub Appwebhooks:writeRegister the per-account push hook.
GitLab OAuthapiOAuth-bound REST access (list projects, register hooks).
GitLab OAuthread_repositoryGit-over-HTTPS clone access.
GitLab OAuthwrite_repositoryRequired to register the push webhook.
Bitbucket OAuthrepositoryRead-only repo + clone access.
Bitbucket OAuthwebhookRegister the push webhook on each added repo.
Lettuce never asks for write access to your code. The GitLab write_repository scope is a quirk of GitLab’s permission model — it’s needed only because the webhook-registration API is gated by it. We don’t push commits.

Token lifecycle

ProviderWhat’s stored on your accountRefresh strategy
GitHub AppThe installation Lettuce holds against your org. Each clone re-mints a short-lived installation token.No refresh needed — every clone re-mints.
GitLab OAuthPer-account access + refresh token. Access tokens last ~2h on gitlab.com.Proactive refresh within 60s of expiry; the UI flags a Reconnect prompt if refresh ever fails.
Bitbucket OAuthPer-account access + refresh token. Access tokens last ~2h.Proactive refresh ~5 min before expiry; the UI flags a Reconnect prompt if refresh ever fails.
If you (or another admin on your team) revoke Lettuce on the provider side, or the upstream rotates secrets, the Add-repo dialog and the Settings → Connected integrations row both surface a Reconnect prompt instead of failing the whole add-repo flow.

Disconnect

Owners can disconnect any provider from Settings → Connected integrations. Existing repos keep their git URLs:
  • Public repos still re-clone on schedule.
  • Private repos break until you reconnect (Lettuce no longer has a token to mint a clone URL).
Disconnect is non-destructive on the provider side — Lettuce simply forgets the OAuth grant. To fully revoke, also remove the App or OAuth grant from your GitHub / GitLab / Bitbucket settings.

Per-provider setup

  • GitHub App — install the Lettuce GitHub App on your org, pick repos.
  • GitLab OAuth — authorize Lettuce on your GitLab account, pick projects.
  • Bitbucket OAuth — grant Lettuce access on Bitbucket, pick repos across workspaces.
Self-hosted admin note. If you run Lettuce inside your own infrastructure, the one-time registration of each provider’s App / OAuth client lives in Self-hosted install (§5). On Lettuce Cloud you don’t have to think about that — the per-provider pages below describe what an org admin clicks through on the SaaS.