Note
GitHub Copilot Extensions is in public beta and subject to change.
Prerequisites
Before you configure your Copilot agent to communicate with GitHub, you should understand how your Copilot agent communicates with the Copilot platform. See "Configuring your Copilot agent to communicate with the Copilot platform."
Verifying that payloads are coming from GitHub
Before your Copilot agent begins processing a request, you should verify that the request came from GitHub, and that it is intended for your agent. All agent requests contain the Github-Public-Key-Identifier and Github-Public-Key-Signature headers. To verify the signature for a particular request, compare the signature in the Github-Public-Key-Signature header with a signed copy of the request body using the current public key listed at https://api.github.com/meta/public_keys/copilot_api.
For more details and examples of signature verification in specific languages, see the github-technology-partners/signature-verification repository.
Fetching resources from the GitHub API
Requests to your Copilot agent will receive an X-Github-Token header. This header contains an API token that can be used to fetch resources from the GitHub API on behalf of the user interacting with your agent. The permissions of this token are the overlap of the user's own permissions and the permissions granted to your GitHub App installation.
For an example of how you might use X-Github-Token, see the following code sample:
async function whoami(req) {
const response = await fetch(
// The GitHub API endpoint for the authenticated user
"https://api.github.com/user",
{
headers: {
"Authorization": `Bearer ${req.headers.get("x-github-token")}`
}
}
)
const user = await response.json()
return user
}
To learn more about working with GitHub's API and explore official software development kits (SDKs), see the octokit organization.