Tokens and Authentication
Every tool call hits the GitHub API with the token you provide. Scoping that token correctly is the first line of defense. You have two main options: a fine-grained personal access token you manage yourself, or short-lived tokens minted by Vercel Connect.
Align GitHub PAT with tool presets
Create a fine-grained token
Fine-grained personal access tokens let you restrict access per repository and per permission category. This is the recommended type for any production assistant.
- Go to github.com/settings/personal-access-tokens/new
- Select only the repositories your agent needs
- Enable permissions based on the preset you plan to use (see matrix below)
Map permissions to presets
| Preset | Repository access | Contents | Pull requests | Issues | Actions | Administration |
|---|---|---|---|---|---|---|
repo-explorer | selected repos | read | — | — | — | — |
code-review | selected repos | read | read (or write for comments) | — | — | — |
issue-triage | selected repos | read | — | write | — | — |
ci-ops | selected repos | read | — | — | write | — |
maintainer | selected repos | write | write | write | write | write (for repo creation and forking) |
Mint tokens with Vercel Connect
For agents deployed on Vercel, Vercel Connect replaces long-lived PATs entirely. You attach a GitHub connector (a Vercel-managed GitHub App) to your project, and your server code requests a short-lived, scoped token at runtime — no secret to store, rotate, or leak.
Create a GitHub connector
Create a connector from the Vercel dashboard (or vercel connect in the CLI) with the type github, then install it on the GitHub organization or user account your agent needs, selecting the repositories to expose.
Link it to your project
Link the connector to the Vercel project that runs your agent. On Vercel, the SDK authenticates automatically with the deployment's OIDC token. For local development, run vercel link then vercel env pull to get a development OIDC token.
Request a token at runtime
Install @vercel/connect and call getToken with the permissions your preset needs, then pass the result as token:
import { getToken } from '@vercel/connect'
import { createGithubTools } from '@github-tools/sdk'
import { generateText } from 'ai'
const token = await getToken('github/my-connector', {
subject: { type: 'app' },
scopes: ['contents:read', 'pull_requests:read'],
})
const { text } = await generateText({
model: 'anthropic/claude-sonnet-4.6',
tools: createGithubTools({ token, preset: 'code-review' }),
prompt: 'Summarize the open PRs on my-org/my-repo.',
})
Call getToken per request rather than caching the string yourself — the SDK keeps an in-process cache and refreshes tokens as they approach expiry. For multi-tenant connectors (one connector installed on several GitHub organizations), pass installationId to target a specific installation.
Why Connect over a PAT
| Fine-grained PAT | Vercel Connect | |
|---|---|---|
| Lifetime | Until expiry/revocation | Short-lived, auto-refreshed |
| Storage | Env var / secret manager | Nothing to store — minted at runtime |
| Scoping | Set once at creation | Per-request scopes and repositories |
| Multi-tenant | One token per org | One connector, many installations |
| Rotation | Manual | Automatic |
auth: 'eve') backed by Vercel Connect, so each user of your agent authorizes their own GitHub access. For now, pass token explicitly as shown above.Apply least-privilege step by step
Start with read-only
Enable only contents: read and use preset: 'repo-explorer'.
Validate in staging
Run the agent against a test repository and review all tool calls before adding write scopes.
Add writes for approved operations
Enable write permissions only for the specific families you need, and combine with approval control.
requireApproval: true.