The returned key is a bare (RSA, DSA, ...) key that cannot be used with OpenPGP implementations without "transferring" it into a proper OpenPGP key packet. I would not recommend doing this: while you can create a key packet again, you will have no chance to build binding signatures for subkeys and user IDs (this requires access to the private key), and without them you will not build anything useful for this.
The "OpenPGP way" of exchanging keys between communities is to fetch the current copy from the key server network (including all current certifications and revocations) instead of relying on possibly outdated versions in "third-party locations" such as GitHub. This is possible through fingerprints and key IDs, which (more or less unambiguously, see below) identify specific keys. Do not search by mail address: anyone can create keys with arbitrary user IDs, and key servers do not perform any verification.
Instead, take a look at the API output, which returns keyid objects for all keys (some for subkeys):
    [
      {
        "id": 3,
        "primary_key_id": null,
        "key_id": "3262EFF25BA0D270",
        "public_key": "xsBNBFayYZ...",
        "emails": [
          {
            "email": "mastahyeti@users.noreply.github.com",
            "verified": true
          }
        ],
        [snip]
      }
    ]
To use such a key ID, run gpg --recv-keys <key-id>. And nudge GitHub to follow best practices and include the full fingerprint:
These 64-bit hexadecimal values (3262EFF25BA0D270 in this example) are long key IDs. Although any programmatic references to keys should always include the key's fingerprint and not abbreviated key IDs, at least they do not provide short key IDs, which are severely affected by collision attacks.
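The following is an added example, not part of the original answer: after fetching a key by the long key ID from the API output, it reads the full fingerprint from a `gpg --with-colons --fingerprint` listing and pins it, relying on the fact that a v4 key ID is the low 64 bits of the fingerprint. The listing and its fingerprints are constructed sample data, and treating a non-null `primary_key_id` as marking a subkey is an assumption.

```python
import json
import re

# Constructed sample in the shape of the API output quoted above.
API_OUTPUT = '[{"id": 3, "primary_key_id": null, "key_id": "3262EFF25BA0D270"}]'

# Constructed `gpg --with-colons --fingerprint` listing; the fingerprints are
# made up for this example and are not those of any real key.
LISTING = """\
pub:-:4096:1:3262EFF25BA0D270:1454530000:::-:::scESC:
fpr:::::::::0000111122223333444455553262EFF25BA0D270:
sub:-:4096:1:AAAABBBBCCCCDDDD:1454530000::::::e:
fpr:::::::::66667777888899990000AAAAAAAABBBBCCCCDDDD:
"""

def normalize(identifier):
    """Upper-case a key ID or fingerprint, dropping spaces and a leading 0x."""
    value = identifier.replace(" ", "").upper()
    value = value[2:] if value.startswith("0X") else value
    if not re.fullmatch(r"[0-9A-F]+", value):
        raise ValueError(f"not hexadecimal: {identifier!r}")
    return value

def kind(identifier):
    """Classify by length: 32-bit short ID, 64-bit long ID, 160-bit v4 fingerprint."""
    names = {8: "short key ID", 16: "long key ID", 40: "v4 fingerprint"}
    return names.get(len(normalize(identifier)), "unknown")

def api_key_ids(api_json):
    """Return (key_id, is_subkey) pairs; a non-null primary_key_id is assumed
    to mark a subkey entry."""
    return [(normalize(k["key_id"]), k["primary_key_id"] is not None)
            for k in json.loads(api_json)]

def fingerprints(listing):
    """Collect field 10 of every fpr record in the colon listing."""
    rows = (line.split(":") for line in listing.splitlines())
    return [normalize(r[9]) for r in rows if r[0] == "fpr" and len(r) > 9]

def pin_fingerprint(key_id, listing):
    """Return the single fingerprint whose low 64 bits equal key_id."""
    key_id = normalize(key_id)
    if kind(key_id) != "long key ID":
        raise ValueError("expected a 64-bit long key ID")
    hits = [f for f in fingerprints(listing) if f.endswith(key_id)]
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} keys match {key_id}; expected exactly one")
    return hits[0]
```

Store the returned 40-digit fingerprint and use it for later lookups and comparisons; the `LookupError` path is what flags a keyring in which two keys share the same long key ID.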