Skip to content
This repository was archived by the owner on Mar 25, 2026. It is now read-only.

Commit 8d801c6

Browse files
Copilotbrunoborges
andcommitted
Port upstream BYOK documentation clarifications
Add bearer token authentication section and limitations to BYOK documentation. Updates ProviderConfig Javadoc to clarify static token behavior. From upstream commit: 05e3c46 (Clarify BYOK token usage and limitations) Co-authored-by: brunoborges <129743+brunoborges@users.noreply.github.com>
1 parent d73799c commit 8d801c6

2 files changed

Lines changed: 39 additions & 0 deletions

File tree

src/main/java/com/github/copilot/sdk/json/ProviderConfig.java

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -159,6 +159,11 @@ public String getBearerToken() {
159159
* Sets a bearer token for authentication.
160160
* <p>
161161
* This is an alternative to API key authentication.
162+
* <p>
163+
* <strong>Note:</strong> The bearer token is a <strong>static token
164+
* string</strong>. The SDK does not refresh this token automatically. If your
165+
* token expires, requests will fail and you'll need to create a new session
166+
* with a fresh token.
162167
*
163168
* @param bearerToken
164169
* the bearer token

src/site/markdown/advanced.md

Lines changed: 34 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -129,6 +129,8 @@ session.send(new MessageOptions()
129129

130130
Use your own OpenAI or Azure OpenAI API key instead of GitHub Copilot.
131131

132+
### API Key Authentication
133+
132134
```java
133135
var session = client.createSession(
134136
new SessionConfig()
@@ -139,6 +141,38 @@ var session = client.createSession(
139141
).get();
140142
```
141143

144+
### Bearer Token Authentication
145+
146+
Some providers require bearer token authentication instead of API keys:
147+
148+
```java
149+
var session = client.createSession(
150+
new SessionConfig()
151+
.setProvider(new ProviderConfig()
152+
.setType("openai")
153+
.setBaseUrl("https://my-custom-endpoint.example.com/v1")
154+
.setBearerToken(System.getenv("MY_BEARER_TOKEN")))
155+
).get();
156+
```
157+
158+
> **Note:** The `bearerToken` option accepts a **static token string** only. The SDK does not refresh this token automatically. If your token expires, requests will fail and you'll need to create a new session with a fresh token.
159+
160+
### Limitations
161+
162+
When using BYOK, be aware of these limitations:
163+
164+
#### Identity Limitations
165+
166+
BYOK authentication uses **static credentials only**. The following identity providers are NOT supported:
167+
168+
-**Microsoft Entra ID (Azure AD)** - No support for Entra managed identities or service principals
169+
-**Third-party identity providers** - No OIDC, SAML, or other federated identity
170+
-**Managed identities** - Azure Managed Identity is not supported
171+
172+
You must use an API key or static bearer token that you manage yourself.
173+
174+
**Why not Entra ID?** While Entra ID does issue bearer tokens, these tokens are short-lived (typically 1 hour) and require automatic refresh via the Azure Identity SDK. The `bearerToken` option only accepts a static string—there is no callback mechanism for the SDK to request fresh tokens. For long-running workloads requiring Entra authentication, you would need to implement your own token refresh logic and create new sessions with updated tokens.
175+
142176
---
143177

144178
## Infinite Sessions

0 commit comments

Comments
 (0)