Remove HMAC key authentication method from public SDK auth docs#1994
Merged
Conversation
The HMAC key auth method (CAPI_HMAC_KEY / COPILOT_HMAC_KEY) should not be documented publicly; it was re-added by doc automation. Removes it from the authentication priority list in authenticate.md and the summary in README.md. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR removes references to the HMAC key authentication method (CAPI_HMAC_KEY / COPILOT_HMAC_KEY) from the public Copilot SDK authentication documentation, keeping the published auth guidance limited to supported/public mechanisms.
Changes:
- Removes the HMAC key entry from the authentication priority list in
docs/auth/authenticate.md. - Updates the authentication priority summary in
docs/auth/README.mdto no longer mention HMAC.
Show a summary per file
| File | Description |
|---|---|
| docs/auth/README.md | Updates the high-level authentication priority summary to remove HMAC references. |
| docs/auth/authenticate.md | Removes the HMAC key item from the detailed authentication priority list. |
Review details
Comments suppressed due to low confidence (1)
docs/auth/authenticate.md:307
- The authentication priority list uses " - " between the bold label and its description. In docs/ we generally use a colon for label/description pairs (this also reads better in Markdown and avoids confusion with hyphenated terms).
1. **Explicit `gitHubToken`** - Token passed directly to the SDK client or session configuration
1. **Direct API token** - `GITHUB_COPILOT_API_TOKEN` with `COPILOT_API_URL`
1. **Environment variable tokens** - `COPILOT_GITHUB_TOKEN` → `GH_TOKEN` → `GITHUB_TOKEN`
1. **Stored OAuth credentials** - From previous `copilot` CLI login
1. **GitHub CLI** - `gh auth` credentials
- Files reviewed: 2/2 changed files
- Comments generated: 1
- Review effort level: Low
| ## Authentication priority | ||
|
|
||
| When multiple credentials are configured, an explicit SDK token takes priority, followed by HMAC or direct Copilot API environment authentication, environment variable GitHub tokens, stored Copilot CLI credentials, and then GitHub CLI credentials. See [Authenticate Copilot SDK](authenticate.md#authentication-priority) for details. | ||
| When multiple credentials are configured, an explicit SDK token takes priority, followed by direct Copilot API environment authentication, environment variable GitHub tokens, stored Copilot CLI credentials, and then GitHub CLI credentials. See [Authenticate Copilot SDK](authenticate.md#authentication-priority) for details. |
stephentoub
approved these changes
Jul 15, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Removes references to the HMAC key authentication method (
CAPI_HMAC_KEY/COPILOT_HMAC_KEY) from the public Copilot SDK authentication docs. This method should not be documented publicly and appears to have been re-added by docs automation.Changes
docs/auth/authenticate.md— removed the HMAC key entry from the Authentication priority list.docs/auth/README.md— removed "HMAC or" from the authentication-priority summary.Verification
grep -rni hmac docs/returns no matches after the change.docs/referenced the HMAC key.Published page affected: https://docs.github.com/en/copilot/how-tos/copilot-sdk/auth/authenticate#authentication-priority
Note
If automation keeps re-adding this content, the upstream source/generator will also need updating so the change doesn't regress.