A flaw was found in ghinstallation that when a request to fresh an installation token failed, the HTTP request and response would be returned for debugging. The returned request contained the short-lived (10-min maximum) bearer JWT for the app.