Skip to main content

Overview

Post comments anonymously on GitHub issues and pull requests using the @gitgost-anonymous bot account. Maintain a consistent anonymous identity using user tokens, build karma, and participate in discussions without revealing who you are.

Endpoints

Issue Comments

POST /v1/gh/:owner/:repo/issues/:number/comments/anonymous

Pull Request Comments

POST /v1/gh/:owner/:repo/pulls/:number/comments/anonymous
Both endpoints use identical request/response formats. PR comments use the same GitHub API as issue comments.

Path Parameters

owner
string
required
GitHub repository owner (user or organization)
repo
string
required
Repository name
number
number
required
Issue or pull request number (must be positive integer)

Authentication

No authentication required. No API keys, tokens, or GitHub accounts needed. Anonymous participation is the core feature.

Request Body

body
string
required
Comment text in Markdown format (must not be empty after trimming whitespace)
user_token
string
default:"auto-generated"
Your anonymous identity token. Omit to generate a new identity, or provide an existing token to maintain consistency across comments.

Response

comment_url
string
required
Full GitHub URL of the posted commentExample: https://github.com/owner/repo/issues/42#issuecomment-123456789
hash
string
required
8-character identity hash visible in the comment footer
karma
number
required
Your karma score for this issue/PR (increments with each comment)
user_token
string
required
Your user token (newly generated if not provided in request). Save this to maintain identity.

Examples

Post Comment on Issue

curl -X POST https://gitgost.leapcell.app/v1/gh/owner/repo/issues/42/comments/anonymous \
  -H "Content-Type: application/json" \
  -d '{
    "body": "I can confirm this bug. It also occurs on macOS 14.2 with Go 1.21.5."
  }'

Post Comment on Pull Request

curl -X POST https://gitgost.leapcell.app/v1/gh/owner/repo/pulls/123/comments/anonymous \
  -H "Content-Type: application/json" \
  -d '{
    "user_token": "XYZABC123456789",
    "body": "This looks good to me. I tested it on my production workload and it resolves the memory leak."
  }'

Response Examples

Success (200 OK)

{
  "comment_url": "https://github.com/owner/repo/issues/42#issuecomment-123456789",
  "hash": "a1b2c3d4",
  "karma": 3,
  "user_token": "XYZABC123456789"
}

Validation Errors (400 Bad Request)

{
  "error": "body is required"
}

{
  "error": "invalid issue number"
}

{
  "error": "invalid payload"
}

Moderation Errors

Hash Blocked (403 Forbidden) 
{
  "error": "hash bloqueado por reportes"
}
Cooldown Active (429 Too Many Requests) 
{
  "error": "cooldown activo por reportes"
}

Comment Format

Your comment body is automatically appended with a footer: Your Input: 
I can confirm this bug. It also occurs on macOS 14.2.
Posted Comment: 
I can confirm this bug. It also occurs on macOS 14.2.

---
goster-a1b2c3d4 · karma (3) · [report](https://gitgost.leapcell.app/v1/moderation/report?hash=a1b2c3d4)
hash
string
Your 8-character identity hash for this issue/PR
karma
number
Your current karma score (reputation)
report
url
Link for others to report abusive content

Karma System

Karma represents your reputation as an anonymous contributor per issue/PR. Each issue/PR has a separate karma score.

How Karma Works

1

Initial karma

Starts at 0 when you first comment
2

Increment per comment

Each comment increases karma by +1
3

Report impact

If you receive 3+ reports, karma resets to 0
4

Display

Karma shows in every comment footer

Karma Benefits

  • Reputation: Higher karma shows you’re a consistent contributor
  • Trust: Demonstrates good-faith participation
  • Visibility: Makes your comments more credible

Karma Calculation

// New comment
currentKarma := getKarma(hash)  // e.g., 2
karma := currentKarma + 1       // Now 3

// If flagged (3+ reports)
if reports > 2 {
    karma = 0  // Reset to 0
    markFlaggedAction(hash)  // 6-hour cooldown
}

updateKarma(hash, karma)
Source Reference: internal/http/handlers.go:1064-1075, 1136-1147

Hash System

Hash Generation

Your hash is a deterministic HMAC-SHA256 derived from: 
input := fmt.Sprintf("%s/%s#%d|%s", owner, repo, number, userToken)
h := hmac.New(sha256.New, secretKey)
h.Write([]byte(input))
hash := hex.EncodeToString(h.Sum(nil))[:8]
Key Properties:
  • Deterministic: Same token = same hash per issue/PR
  • Unique: Different hash for each issue/PR
  • Anonymous: Not linked to any personal information
  • Cryptographic: Cannot be forged or impersonated
Source Reference: internal/http/handlers.go:1359-1364

Hash Use Cases

Identity Tracking

Identify your comments across the issue/PR

Karma Association

Track reputation for this specific issue/PR

Moderation

Enable reporting and blocking of abusive users

Consistency

Same hash for all your comments on this thread

Moderation System

GitGost includes a community-driven moderation system to prevent abuse while maintaining anonymity.

Reporting Content

Anyone can report a hash by clicking the [report] link in comment footers or visiting: 
https://gitgost.leapcell.app/v1/moderation/report?hash=a1b2c3d4

Report Thresholds

  • No action taken
  • Internal monitoring only
  • User can continue posting
  • Hash flagged as problematic
  • 6-hour cooldown applied
  • Karma reset to 0
  • All existing comments updated to show karma=0
  • Cannot post during cooldown
  • Hash permanently blocked
  • All comments by this hash automatically deleted
  • Cannot post new comments
  • Error 403 on future attempts
Source Reference: internal/http/handlers.go:1053-1075, 1125-1147, 1253-1260

Report Window

Reports expire after 30 days: 
const reportWindow = 30 * 24 * time.Hour
Old reports are automatically pruned, giving flagged users a fresh start. Source Reference: internal/http/handlers.go:609-612

Anti-Spam Measures

  • Per-IP deduplication: Same IP can only report a hash once
  • Time-based windows: Reports older than 30 days don’t count
  • Automatic deletion: Comments from blocked hashes are removed
  • Cooldown periods: Prevent rapid re-offending

User Token Management

Critical: User tokens cannot be recovered if lost. Save them immediately.

Best Practices

# Save to file
echo "XYZABC123456789" > ~/.gitgost/token-repo-issue42.txt

# Use later
TOKEN=$(cat ~/.gitgost/token-repo-issue42.txt)
curl -X POST ... -d "{\"user_token\": \"$TOKEN\", ...}"

Token Naming Convention

Organize tokens by repository and issue/PR: 
gitgost-token-{owner}-{repo}-{type}{number}

Examples:
- gitgost-token-facebook-react-issue42
- gitgost-token-golang-go-pr12345
- gitgost-token-microsoft-vscode-issue7890

Rate Limiting

No explicit per-endpoint rate limits, but service-wide abuse detection applies.

Global Monitoring

GitGost monitors for:
  • Rapid comment posting patterns
  • Coordinated abuse across multiple IPs
  • Spam content
  • Mass reporting
Suspicious activity may trigger:
  • Automatic hash flagging
  • Service-wide panic mode
  • Temporary IP blocks
  • Normal participation: No limits
  • Avoid: Posting >10 comments/minute
  • Avoid: Identical comments across multiple issues
  • Best practice: Thoughtful, substantive contributions

Implementation Details

The server appends the footer to your body: 
reportURL := fmt.Sprintf("%s://%s/v1/moderation/report?hash=%s", 
    getScheme(c.Request), c.Request.Host, hash)

legend := fmt.Sprintf(
    "\n\n---\ngoster-%s · karma (%d) · [report](%s)", 
    hash, karma, reportURL)

bodyWithLegend := req.Body + legend
Source Reference: internal/http/handlers.go:1076-1079, 1148-1151

Karma Persistence

Karma is stored in-memory with Supabase fallback:
  1. Check in-memory cache
  2. If not found, query Supabase
  3. Cache result in-memory
  4. Update both on changes
Source Reference: internal/http/handlers.go:1375-1405

Report Tracking

Reports stored per-hash with IP and timestamp: 
// Database structure
type Report struct {
    Hash      string
    IP        string
    Timestamp time.Time
}
Prevents duplicate reports from same IP within 30-day window. Source Reference: internal/http/handlers.go:1210-1263

Limitations

Posted comments cannot be edited via the API. GitHub’s edit functionality is not available to anonymous users.
Comments cannot be manually deleted. Only automatic deletion occurs when a hash is blocked (6+ reports).
This endpoint only supports general PR comments, not inline code review comments on specific lines.
Images, files, and attachments not supported. Use external hosting and Markdown links.
Lost tokens cannot be recovered. You’ll need to create a new identity.
Karma doesn’t carry across different issues/PRs. Each thread has independent karma tracking.

Security Considerations

Identity Protection

  • No IP logging
  • No user tracking
  • Cryptographic hash isolation
  • Open source and auditable

Abuse Prevention

  • Community-driven reporting
  • Automatic moderation thresholds
  • Time-based cooldowns
  • Permanent blocking for severe abuse

Privacy by Design

  • No analytics or telemetry
  • No request logging
  • No user profiling
  • Anonymous by default

Cryptographic Integrity

  • HMAC-based hashing
  • Unforgeable identities
  • No token reuse across issues
  • Secure random generation

Best Practices

Writing Effective Anonymous Comments

I can reproduce this on:
- OS: Ubuntu 22.04
- Go version: 1.21.5
- Architecture: arm64

Stack trace:
panic: runtime error: invalid memory address goroutine 42 [running]: main.worker() /app/main.go:123 +0x45

Potential fix: Adding nil check at line 120 resolves the panic.

Maintaining Consistent Identity

1

Save token immediately

Store the user_token as soon as you receive it
2

Use consistent naming

Name saved tokens by repo and issue/PR number
3

Build karma gradually

Post thoughtful comments to increase karma over time
4

Avoid flagging

Follow community guidelines to prevent reports

Anonymous Issues

Create anonymous issues to start new discussions

Anonymous PRs

Submit anonymous code contributions via Git push

Troubleshooting

”body is required”

Ensure the body field contains non-whitespace content: 
// ❌ Invalid
{"body": ""}
{"body": "   "}

// ✅ Valid
{"body": "This looks great!"}

“invalid issue number”

The issue/PR number must be a positive integer: 
# ❌ Invalid
/v1/gh/owner/repo/issues/abc/comments/anonymous
/v1/gh/owner/repo/issues/-1/comments/anonymous

# ✅ Valid
/v1/gh/owner/repo/issues/42/comments/anonymous

“hash bloqueado por reportes”

Your hash has been permanently blocked (6+ reports). This means:
  • Your user token is no longer valid for this issue/PR
  • Past comments have been deleted
  • You must create a new identity (don’t reuse the token)

“cooldown activo por reportes”

Your hash is flagged (3-5 reports) with a 6-hour cooldown:
  • Wait 6 hours before posting again
  • Your karma has been reset to 0
  • Consider whether your previous comments violated guidelines

Token doesn’t maintain identity

Ensure you’re sending the exact token:
  • Copy-paste without modifications
  • Include in user_token field
  • Use same token for same issue/PR
  • Don’t add quotes, spaces, or formatting

Comment not appearing

Check for:
  • Issue/PR number is correct
  • Repository exists and is public
  • Bot has access to the repository
  • You’re not in cooldown period
  • Hash is not blocked

Build docs developers (and LLMs) love

Get started for freeTalk to us