The API's documentation speaks of two different kinds of "OAuth" tokens.
- The first kind are the normal ones (
client_secret
,client_id
) that you get for whatever application you're building. - Then the are the kind that are given to you when you have the user sign in via GitHub.
Part of that is the scope associated with the token.
You can ask the user to give you access to their gists via the scopes and then, using that token, post the gist for them.
You just need to make sure you're certain their email address is correct and associated with their account.