# Authentication
The GitHub Copilot SDK supports multiple authentication methods to fit different use cases. Choose the method that best matches your deployment scenario.
## Authentication methods
| Method | Use Case | Copilot Subscription Required |
|--------|----------|-------------------------------|
| [GitHub Signed-in User](#github-signed-in-user) | Interactive apps where users sign in with GitHub | Yes |
| [OAuth GitHub App](#oauth-github-app) | Apps acting on behalf of users via OAuth | Yes |
| [Environment Variables](#environment-variables) | CI/CD, automation, server-to-server | Yes |
| [BYOK (Bring Your Own Key)](./byok.md) | Using your own API keys (Azure AI Foundry, OpenAI, etc.) | No |
## GitHub signed-in user
This is the default authentication method when running the Copilot CLI interactively. Users authenticate via GitHub OAuth device flow, and the SDK uses their stored credentials.
**How it works:**
1. User runs `copilot` CLI and signs in via GitHub OAuth
1. Credentials are stored securely in the system keychain
1. SDK automatically uses stored credentials
**SDK Configuration:**
Node.js / TypeScript
```typescript
import { CopilotClient } from "@github/copilot-sdk";
// Default: uses logged-in user credentials
const client = new CopilotClient();
```
Python
```python
from copilot import CopilotClient
# Default: uses logged-in user credentials
client = CopilotClient()
await client.start()
```
Go
```go
package main
import copilot "github.com/github/copilot-sdk/go"
func main() {
// Default: uses logged-in user credentials
client := copilot.NewClient(nil)
_ = client
}
```
```go
import copilot "github.com/github/copilot-sdk/go"
// Default: uses logged-in user credentials
client := copilot.NewClient(nil)
```
.NET
```csharp
using GitHub.Copilot;
// Default: uses logged-in user credentials
await using var client = new CopilotClient();
```
Java
```java
import com.github.copilot.CopilotClient;
// Default: uses logged-in user credentials
var client = new CopilotClient();
client.start().get();
```
**When to use:**
* Desktop applications where users interact directly
* Development and testing environments
* Any scenario where a user can sign in interactively
## OAuth GitHub App
Use an OAuth GitHub App to authenticate users through your application and pass their credentials to the SDK. This enables your application to make Copilot API requests on behalf of users who authorize your app.
**How it works:**
1. User authorizes your OAuth GitHub App
1. Your app receives a user access token (`gho_` or `ghu_` prefix)
1. Pass the token to the SDK via `gitHubToken` option
**SDK Configuration:**
Node.js / TypeScript
```typescript
import { CopilotClient } from "@github/copilot-sdk";
const client = new CopilotClient({
gitHubToken: userAccessToken, // Token from OAuth flow
useLoggedInUser: false, // Don't use stored CLI credentials
});
```
Python
```python
from copilot import CopilotClient
client = CopilotClient({
"github_token": user_access_token, # Token from OAuth flow
"use_logged_in_user": False, # Don't use stored CLI credentials
})
await client.start()
```
Go
```go
package main
import copilot "github.com/github/copilot-sdk/go"
func main() {
userAccessToken := "token"
client := copilot.NewClient(&copilot.ClientOptions{
GitHubToken: userAccessToken,
UseLoggedInUser: copilot.Bool(false),
})
_ = client
}
```
```go
import copilot "github.com/github/copilot-sdk/go"
client := copilot.NewClient(&copilot.ClientOptions{
GitHubToken: userAccessToken, // Token from OAuth flow
UseLoggedInUser: copilot.Bool(false), // Don't use stored CLI credentials
})
```
.NET
```csharp
using GitHub.Copilot;
var userAccessToken = "token";
await using var client = new CopilotClient(new CopilotClientOptions
{
GitHubToken = userAccessToken,
UseLoggedInUser = false,
});
```
```csharp
using GitHub.Copilot;
await using var client = new CopilotClient(new CopilotClientOptions
{
GitHubToken = userAccessToken, // Token from OAuth flow
UseLoggedInUser = false, // Don't use stored CLI credentials
});
```
Java
```java
import com.github.copilot.CopilotClient;
import com.github.copilot.rpc.*;
var client = new CopilotClient(new CopilotClientOptions()
.setGitHubToken(userAccessToken) // Token from OAuth flow
.setUseLoggedInUser(false) // Don't use stored CLI credentials
);
client.start().get();
```
**Supported token types:**
* `gho_` - OAuth user access tokens
* `ghu_` - GitHub App user access tokens
* `github_pat_` - Fine-grained personal access tokens
**Not supported:**
* `ghp_` - Classic personal access tokens (deprecated)
**When to use:**
* Web applications where users sign in via GitHub
* SaaS applications building on top of Copilot
* Any multi-user application where you need to make requests on behalf of different users
## Environment variables
For automation, CI/CD pipelines, and server-to-server scenarios, you can authenticate using environment variables.
**Supported environment variables (in priority order):**
1. `COPILOT_GITHUB_TOKEN` - Recommended for explicit Copilot usage
1. `GH_TOKEN` - GitHub CLI compatible
1. `GITHUB_TOKEN` - GitHub Actions compatible
**How it works:**
1. Set one of the supported environment variables with a valid token
1. The SDK automatically detects and uses the token
**SDK Configuration:**
No code changes needed—the SDK automatically detects environment variables:
Node.js / TypeScript
```typescript
import { CopilotClient } from "@github/copilot-sdk";
// Token is read from environment variable automatically
const client = new CopilotClient();
```
Python
```python
from copilot import CopilotClient
# Token is read from environment variable automatically
client = CopilotClient()
await client.start()
```
**When to use:**
* CI/CD pipelines (GitHub Actions, Jenkins, etc.)
* Automated testing
* Server-side applications with service accounts
* Development when you don't want to use interactive login
## BYOK (bring your own key)
BYOK allows you to use your own API keys from model providers like Azure AI Foundry, OpenAI, or Anthropic. This bypasses GitHub Copilot authentication entirely.
**Key benefits:**
* No GitHub Copilot subscription required
* Use enterprise model deployments
* Direct billing with your model provider
* Support for Azure AI Foundry, OpenAI, Anthropic, and OpenAI-compatible endpoints
**See the [BYOK documentation](./byok.md) for complete details**, including:
* Azure AI Foundry setup
* Provider configuration options
* Limitations and considerations
* Complete code examples
## Authentication priority
When multiple authentication methods are available, the SDK uses them in this priority order:
1. **Explicit `gitHubToken`** - Token passed directly to the SDK client or session configuration
1. **HMAC key** - `CAPI_HMAC_KEY` or `COPILOT_HMAC_KEY` environment variables
1. **Direct API token** - `GITHUB_COPILOT_API_TOKEN` with `COPILOT_API_URL`
1. **Environment variable tokens** - `COPILOT_GITHUB_TOKEN` → `GH_TOKEN` → `GITHUB_TOKEN`
1. **Stored OAuth credentials** - From previous `copilot` CLI login
1. **GitHub CLI** - `gh auth` credentials
For multi-user server mode, pass a per-session `gitHubToken` so each session runs with the correct GitHub identity; see [Multi-user and server deployments](../setup/multi-tenancy.md).
## Disabling auto-login
To prevent the SDK from automatically using stored credentials or `gh` CLI auth, use the `useLoggedInUser: false` option:
Node.js / TypeScript
```typescript
const client = new CopilotClient({
useLoggedInUser: false, // Only use explicit tokens
});
```
Python
```python
from copilot import CopilotClient
client = CopilotClient({
"use_logged_in_user": False,
})
```
```python
client = CopilotClient({
"use_logged_in_user": False, # Only use explicit tokens
})
```
Go
```go
package main
import copilot "github.com/github/copilot-sdk/go"
func main() {
client := copilot.NewClient(&copilot.ClientOptions{
UseLoggedInUser: copilot.Bool(false),
})
_ = client
}
```
```go
client := copilot.NewClient(&copilot.ClientOptions{
UseLoggedInUser: copilot.Bool(false), // Only use explicit tokens
})
```
.NET
```csharp
await using var client = new CopilotClient(new CopilotClientOptions
{
UseLoggedInUser = false, // Only use explicit tokens
});
```
Java
```java
import com.github.copilot.CopilotClient;
import com.github.copilot.rpc.*;
var client = new CopilotClient(new CopilotClientOptions()
.setUseLoggedInUser(false) // Only use explicit tokens
);
client.start().get();
```
## Next steps
* [BYOK Documentation](./byok.md) - Learn how to use your own API keys
* [Getting Started Guide](../getting-started.md) - Build your first Copilot-powered app
* [MCP Servers](../features/mcp.md) - Connect to external tools