From 778c9072fd22f8b9568ede8eaf117c478a8f8ff3 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 11 Feb 2026 18:23:44 +0000
Subject: [PATCH 1/3] Initial plan
From 8ee8e87b88516342494a535a5205ed14ab66c069 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 11 Feb 2026 18:35:07 +0000
Subject: [PATCH 2/3] Remove CSS styling from tokens.mdx and use Astro cards
Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
---
docs/src/content/docs/reference/tokens.mdx | 101 ++++++++-------------
1 file changed, 39 insertions(+), 62 deletions(-)
diff --git a/docs/src/content/docs/reference/tokens.mdx b/docs/src/content/docs/reference/tokens.mdx
index 274836135a0..bca0f20aade 100644
--- a/docs/src/content/docs/reference/tokens.mdx
+++ b/docs/src/content/docs/reference/tokens.mdx
@@ -6,6 +6,7 @@ sidebar:
disable-agentic-editing: true
---
+import { Card, CardGrid } from '@astrojs/starlight/components';
import Video from '../../../components/Video.astro';
## Which token(s) do I need?
@@ -24,8 +25,6 @@ You can set up your tokens manually in the GitHub UI or use the CLI for a stream
### Adding tokens using the CLI
-
-
```bash
gh aw secrets set COPILOT_GITHUB_TOKEN --value "YOUR_COPILOT_PAT"
```
@@ -42,29 +41,16 @@ You can validate token permissions and configuration with:
gh aw init --tokens --engine
```
-
-
### Adding tokens using the GitHub UI
-
-
1. Go to your repository on GitHub
2. Click on "Settings" → "Secrets and variables" → "Actions"
3. Click "New repository secret" and add the token name and value
-
-
-
-
-
-
-
-
- Repository secrets in GitHub Actions settings showing three configured tokens
-
-
-
-
+
+
+
+
## Who owns the resource?
@@ -72,36 +58,33 @@ Ownership affects token requirements for repositories and Projects (v2). If the
To confirm ownership, check the owner name and avatar at the top of the page or in the URL (`github.com/owner-name/...`). Clicking the owner takes you to a personal profile or an organization page, which confirms it instantly. Here are examples of both (left: user-owned, right: org-owned):
-
-
+
+
-
+
-
- User-owned repository: avatar shows a personal profile icon, URL includes username
-
-
+
+ Avatar shows a personal profile icon, URL includes username
+
-
-
+
+
-
+
-
- Organization-owned repository: avatar shows organization icon, URL includes org name
-
-
-
+
+ Avatar shows organization icon, URL includes org name
+
+
## Token Reference
### `GITHUB_TOKEN`
-Automatically set
-
+
-GitHub Actions automatically provides this token with scoped access to the current repository.
+**Automatically set** — GitHub Actions automatically provides this token with scoped access to the current repository.
**When to use**:
@@ -121,16 +104,15 @@ GitHub Actions automatically provides this token with scoped access to the curre
- Capabilities: read/write access to the current repository; permissions follow workflow `permissions:`.
- Limitations: no cross-repo access, cannot trigger workflows via API, cannot authenticate Copilot engine, not supported for remote GitHub MCP server mode.
-
+
-A fine-grained or classic PAT that enables cross-repo access and remote GitHub tools.
+**Personal Access Token** — A fine-grained or classic PAT that enables cross-repo access and remote GitHub tools.
**When to use**:
@@ -158,17 +140,16 @@ Create a [fine-grained PAT](https://github.com/settings/personal-access-tokens/n
- If you need to isolate GitHub MCP server permissions, set `GH_AW_GITHUB_MCP_SERVER_TOKEN`.
-
+
-A specialized token for the GitHub MCP server that can override the standard token chain. Use this when you need different permission levels for MCP server operations versus other workflow operations.
+**Personal Access Token** — A specialized token for the GitHub MCP server that can override the standard token chain. Use this when you need different permission levels for MCP server operations versus other workflow operations.
**When to use**:
@@ -276,16 +257,15 @@ At workflow start, a token is automatically minted with permissions matching you
- Set the resource owner to the organization when the repository is organization-owned.
- `GITHUB_TOKEN` is not supported in remote mode. Use `GH_AW_GITHUB_TOKEN` or a GitHub App instead.
-
+
-A specialized token for [GitHub Projects](https://docs.github.com/en/issues/planning-and-tracking-with-projects/learning-about-projects/about-projects) operations, required because the default `GITHUB_TOKEN` cannot access the Projects API.
+**Personal Access Token** — A specialized token for [GitHub Projects](https://docs.github.com/en/issues/planning-and-tracking-with-projects/learning-about-projects/about-projects) operations, required because the default `GITHUB_TOKEN` cannot access the Projects API.
**When to use**:
@@ -389,17 +369,16 @@ safe-outputs:
- To opt-in to creating projects, the agent must include `create_if_missing: true` in its output, and the token must have sufficient permissions to create projects in the organization.
- Use `GH_AW_PROJECT_GITHUB_TOKEN` for Projects-specific isolation; use `GH_AW_GITHUB_TOKEN` if it already has Projects permissions and you do not need isolation.
-
+
-The recommended token for Copilot operations including the Copilot engine, agent sessions, and bot assignments.
+**Personal Access Token** — The recommended token for Copilot operations including the Copilot engine, agent sessions, and bot assignments.
**When to use**:
@@ -467,17 +446,16 @@ per-output -> global safe-outputs -> workflow-level -> `COPILOT_GITHUB_TOKEN` ->
- These organization permissions must be explicitly granted during token creation and may require administrator approval.
- `GITHUB_TOKEN` is not included in the fallback chain (lacks "Copilot Requests" permission). `COPILOT_CLI_TOKEN` and `GH_AW_COPILOT_TOKEN` are no longer supported as of v0.26+.
-
+
-Primary token used by `assign-to-agent:` safe outputs to programmatically assign Copilot agents to issues or pull requests.
+**Personal Access Token** — Primary token used by `assign-to-agent:` safe outputs to programmatically assign Copilot agents to issues or pull requests.
**When to use**:
@@ -565,17 +543,16 @@ See [GitHub's official documentation on assigning issues to Copilot](https://doc
This ensures the token has the appropriate permissions to assign agents to issues and pull requests in the repository.
-
+
---
### `GITHUB_MCP_SERVER_TOKEN`
-Automatically set
-
+
-Environment variable automatically set by gh-aw based on your GitHub tools configuration.
+**Automatically set** — Environment variable automatically set by gh-aw based on your GitHub tools configuration.
**When to use**:
@@ -593,7 +570,7 @@ Derived from GitHub tools configuration and token fallback settings.
- Configure tokens using `GH_AW_GITHUB_TOKEN`, `GH_AW_GITHUB_MCP_SERVER_TOKEN`, or workflow-level `github-token` instead.
-
+
---
From cb720eb4ac12c82f0e5b67f2e6fc13a4f03dba55 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 11 Feb 2026 19:25:37 +0000
Subject: [PATCH 3/3] Remove Card components from token sections per feedback
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
docs/src/content/docs/reference/tokens.mdx | 28 ----------------------
1 file changed, 28 deletions(-)
diff --git a/docs/src/content/docs/reference/tokens.mdx b/docs/src/content/docs/reference/tokens.mdx
index bca0f20aade..737e014be0d 100644
--- a/docs/src/content/docs/reference/tokens.mdx
+++ b/docs/src/content/docs/reference/tokens.mdx
@@ -82,8 +82,6 @@ To confirm ownership, check the owner name and avatar at the top of the page or
### `GITHUB_TOKEN`
-
-
**Automatically set** — GitHub Actions automatically provides this token with scoped access to the current repository.
**When to use**:
@@ -104,14 +102,10 @@ To confirm ownership, check the owner name and avatar at the top of the page or
- Capabilities: read/write access to the current repository; permissions follow workflow `permissions:`.
- Limitations: no cross-repo access, cannot trigger workflows via API, cannot authenticate Copilot engine, not supported for remote GitHub MCP server mode.
-
-
---
### `GH_AW_GITHUB_TOKEN`
-
-
**Personal Access Token** — A fine-grained or classic PAT that enables cross-repo access and remote GitHub tools.
**When to use**:
@@ -140,15 +134,11 @@ Create a [fine-grained PAT](https://github.com/settings/personal-access-tokens/n
- If you need to isolate GitHub MCP server permissions, set `GH_AW_GITHUB_MCP_SERVER_TOKEN`.
-
-
---
### `GH_AW_GITHUB_MCP_SERVER_TOKEN`
-
-
**Personal Access Token** — A specialized token for the GitHub MCP server that can override the standard token chain. Use this when you need different permission levels for MCP server operations versus other workflow operations.
**When to use**:
@@ -257,14 +247,10 @@ At workflow start, a token is automatically minted with permissions matching you
- Set the resource owner to the organization when the repository is organization-owned.
- `GITHUB_TOKEN` is not supported in remote mode. Use `GH_AW_GITHUB_TOKEN` or a GitHub App instead.
-
-
---
### `GH_AW_PROJECT_GITHUB_TOKEN`
-
-
**Personal Access Token** — A specialized token for [GitHub Projects](https://docs.github.com/en/issues/planning-and-tracking-with-projects/learning-about-projects/about-projects) operations, required because the default `GITHUB_TOKEN` cannot access the Projects API.
**When to use**:
@@ -369,15 +355,11 @@ safe-outputs:
- To opt-in to creating projects, the agent must include `create_if_missing: true` in its output, and the token must have sufficient permissions to create projects in the organization.
- Use `GH_AW_PROJECT_GITHUB_TOKEN` for Projects-specific isolation; use `GH_AW_GITHUB_TOKEN` if it already has Projects permissions and you do not need isolation.
-
-
---
### `COPILOT_GITHUB_TOKEN`
-
-
**Personal Access Token** — The recommended token for Copilot operations including the Copilot engine, agent sessions, and bot assignments.
**When to use**:
@@ -446,15 +428,11 @@ per-output -> global safe-outputs -> workflow-level -> `COPILOT_GITHUB_TOKEN` ->
- These organization permissions must be explicitly granted during token creation and may require administrator approval.
- `GITHUB_TOKEN` is not included in the fallback chain (lacks "Copilot Requests" permission). `COPILOT_CLI_TOKEN` and `GH_AW_COPILOT_TOKEN` are no longer supported as of v0.26+.
-
-
---
### `GH_AW_AGENT_TOKEN`
-
-
**Personal Access Token** — Primary token used by `assign-to-agent:` safe outputs to programmatically assign Copilot agents to issues or pull requests.
**When to use**:
@@ -543,15 +521,11 @@ See [GitHub's official documentation on assigning issues to Copilot](https://doc
This ensures the token has the appropriate permissions to assign agents to issues and pull requests in the repository.
-
-
---
### `GITHUB_MCP_SERVER_TOKEN`
-
-
**Automatically set** — Environment variable automatically set by gh-aw based on your GitHub tools configuration.
**When to use**:
@@ -570,8 +544,6 @@ Derived from GitHub tools configuration and token fallback settings.
- Configure tokens using `GH_AW_GITHUB_TOKEN`, `GH_AW_GITHUB_MCP_SERVER_TOKEN`, or workflow-level `github-token` instead.
-
-
---
- 
- 
+ 
+