Unable to star/unstar a github repo when using the Github API (Github App integration)

Im trying to use the Github Star repo for user API via a Github App to star a Repo for the current user (myself). im debugging in postman for simplicity. I get a user AccessToken via my app "login with github", which works, then with it make the request to star a repo but get back

{
    "message": "Resource not accessible by integration",
    "documentation_url": "https://docs.github.com/rest/reference/activity#star-a-repository-for-the-authenticated-user"
}

This error suggests that the Github App does not have sufficient permissions but I've granted it the ability to star repos seen here.

and here's where I installed it on the target repo. Note it's greyed out and tooltip, which is concerning

noteables:

• I know the token is valid because checking if the user has already starred the repo works, and listing their starred repositories works via GET https://api.github.com/user/starred
• this is a GithubApp not an OAuth App
• the tooltip on the installed Github apps is a red flag, but im not sure how to fix it
• I've tried uninstalling/reinstalling the GithubApp
• I've tried retriggering the GithubApp Auth process to get a fresh token

The goal here is to have that star repo succeed is all, to be specific I'm starring a random repo on Github on behalf of the user not one owned by the user.

The "Choosing permissions for a GitHub App" includes:

> The success of an API request with a user access token depends on the user's permissions as well as the app's permissions.
>
> For example, if the app was granted permission to write the contents of a repository, but the user can only read the contents, then the user access token can only read the contents.
>
> The success of an API request with an installation access token only depends on the app's permissions.

In your case, you have a User Access Token, so you need to check the "Permission levels for a personal account repository".

The OP reports however that it does work with an Oauth App.

The OAuth App is an application registered on GitHub that can be authorized by GitHub users to act on their behalf. The OAuth App uses OAuth tokens to interact with the GitHub API.
It is ideal for web applications or services where multiple users need to grant permissions to the application to perform actions on their behalf.
The OAuth tokens issued to an OAuth App can have varying scopes based on what the user authorizes during the OAuth flow. These scopes can be requested dynamically.
The OAuth 2.0 authorization flow is used, which involves redirecting users to GitHub to authorize the app, after which they are redirected back to the application with an authorization code that can be exchanged for an access token.
It represents an application or service, and can act on behalf of many users.

In the context of starring a repository on behalf of a user, an OAuth App is more suitable because it allows users to authorize the application to perform user-level actions such as starring repositories.

As opposed to a User Access Token, which is more of a static token that is better suited for personal scripts or tools, and lacks the dynamic authorization flow of an OAuth App.

I suspect the OAuth App works because of:

• Its user impersonation, combined with:
• Dynamic scopes
• Trust through user consent
• Flexibility (it can be used by multiple users. Each user who authorizes the app can grant it permissions to act on their behalf.)

It is designed for scenarios where an application needs to interact with GitHub on behalf of users, with permissions granted by the users.
Starring a repository is one of those actions that inherently belongs to a user’s activity, and OAuth is well-suited for handling such cases.

For the OP, in the comments:

> The reason it works now (I think) is because: GitHub Apps performs a user action its done BY THE APP, NOT the user.
Oauth apps when a user action is performed is BY THE USER.
>
> Hopefully that makes sense, I don't believe Github apps are designed to handle starring public repos, so I think the case was an example of using the wrong tool for the job.