@@ 00 · setup @@

Up and running in a minute.

Pyor talks straight to GitHub from your machine — there’s no Pyor account to create and no server in between. Setup is one thing: a GitHub token Pyor can use on your behalf. Here’s how, and exactly why each part is needed.

@@ 01 · create a token @@

Create a classic Personal Access Token.

On GitHub, head to Settings → Developer settings → Personal access tokens and generate a classic token. Give it a name you’ll recognize later (e.g. “Pyor”) and an expiry that suits your org’s policy.

Select exactly these four scopes — no more. Pyor asks for the minimum that a complete review workflow needs, and nothing it doesn’t:

  • repo: Read pull requests and their diffs, and — within the permissions you already have on a repo — post reviews, reply to threads, and merge.
  • notifications: Build your inbox: the review requests, comments, and activity GitHub would otherwise show under the bell.
  • read:org: See team review requests and the pull requests in the organizations you belong to.
  • read:user: Identify you — so Pyor knows which reviews, requests, and comments are yours.

@@ 02 · authorize sso @@

Authorize SAML SSO, if your org requires it.

If you review for an organization that enforces SAML single sign-on, your token has to be authorized for it before it can see that org’s pull requests. This is self-serve — you do it yourself, and no org-admin approval is needed.

On the same tokens page, find your token in the list and use the “Configure SSO” control next to it, then “Authorize” each organization you review for. That’s it — the org’s PRs show up the next time Pyor refreshes.

No SSO at your org? Skip this step entirely.

@@ 03 · paste it into pyor @@

Paste the token into Pyor.

Launch Pyor, paste the token, and click Continue. Pyor validates it with a single call to GitHub’s GET /user endpoint — if the token is good, you’re in.

From there it’s stored locally, on your side of the wire:

  • On the desktop app — in your operating system’s keychain (macOS Keychain, Windows DPAPI, or Linux libsecret), under the bundle app.pyor.review.
  • On the web build — in your browser’s localStorage.

Either way the token never reaches a Pyor server, because there isn’t one. Setup is required on first launch — there’s no demo mode and nothing to skip, since without a token there’s no GitHub to read.
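To confirm a token carries exactly the four scopes from step 01 before pasting it, you can read the X-OAuth-Scopes header that GitHub returns for classic tokens on the same GET /user call. This is an added example, not Pyor's own code; the names audit_scopes and fetch_scopes are hypothetical, and the sample header values are constructed.

```python
import urllib.request

# The four scopes this page asks for.
REQUIRED = {"repo", "notifications", "read:org", "read:user"}
# Broader classic-token scopes that include a required one (GitHub's scope hierarchy).
BROADER = {"read:org": {"write:org", "admin:org"}, "read:user": {"user"}}


def audit_scopes(header_value):
    """Compare an X-OAuth-Scopes header value with the four required scopes.

    Returns (missing, extra, widened):
      missing - required scopes not granted, even through a broader parent
      extra   - granted scopes the page does not ask for
      widened - required scope -> broader scope granted in its place
    """
    granted = {s.strip() for s in header_value.split(",") if s.strip()}
    missing, widened = set(), {}
    for scope in REQUIRED - granted:
        parents = BROADER.get(scope, set()) & granted
        if parents:
            widened[scope] = sorted(parents)[0]
        else:
            missing.add(scope)
    extra = granted - REQUIRED
    return missing, extra, widened


def fetch_scopes(token):
    """Call GET /user and return the X-OAuth-Scopes header (needs network).

    An expired or revoked token makes urlopen raise HTTPError with code 401.
    """
    req = urllib.request.Request(
        "https://api.github.com/user",
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json",
                 "User-Agent": "scope-audit-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.headers.get("X-OAuth-Scopes", "")


if __name__ == "__main__":
    # Constructed header values, not captured from a real token.
    for sample in ("notifications, read:org, read:user, repo",
                   "repo, notifications, admin:org, user, gist"):
        print(sample, "->", audit_scopes(sample))
```

A token that reports anything under extra or widened still works, but it grants more than the four scopes listed in step 01 and is worth regenerating.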

@@ 04 · why a token, not a login @@

Why a token, not a “Sign in with GitHub”?

A login button would mean a GitHub App or OAuth flow — and that means a server somewhere holding the keys and brokering every request. Pyor doesn’t have that, on purpose. The app speaks to GitHub directly with a credential that lives only on your machine.

A token you mint and scope yourself keeps the privacy guarantee at the architecture level rather than as a promise: there is no middle to trust, because there is no middle. You can read exactly what Pyor can do — the four scopes above — and revoke it in one click whenever you like.

@@ 05 · troubleshooting @@

Token stopped working? (401)

If GitHub starts returning 401 — usually because the token expired, was revoked, or its SSO authorization lapsed — Pyor doesn’t fail silently. It switches to a read-only state over your cached data and shows an “Update token” affordance.

Two things to check, in order:

  • Regenerate or replace the token on the GitHub tokens page, then paste the new one via “Update token.”
  • Re-check SSO authorization — if an org rotated its SAML config, re-run “Configure SSO” next to the token (step 02).

Still stuck after a fresh token? support@pyor.review — the diagnostic surface in-app shows the last successful call and the failing endpoint, which is the fastest thing to send us.

@@ 06 · next @@

That’s the whole setup.

Don’t have the app yet, or want to understand the privacy model in full first?