Skip to main content
GitHub Copilot is GitHub’s AI coding assistant. It provides access to Copilot models for your GitHub account and plan. OpenClaw can use Copilot as a model provider or agent runtime in three different ways.

Three ways to use Copilot in OpenClaw

Use the native device-login flow to obtain a GitHub token, then exchange it for Copilot API tokens when OpenClaw runs. This is the default and simplest path because it does not require VS Code.
1

Run the login command

You will be prompted to visit a URL and enter a one-time code. Keep the terminal open until it completes.
2

Set a default model

Or in config:

GitHub Enterprise (data residency)

If your organization uses a data-residency GitHub Enterprise tenant (a *.ghe.com host such as your-org.ghe.com), Copilot lives on tenant-local endpoints rather than public github.com. OpenClaw exposes this as a first-class auth choice so you do not have to hand-edit URLs.
1

Pick the Enterprise auth choice

In onboarding or openclaw models auth, choose GitHub Copilot (Enterprise / data residency). You will be prompted for your Enterprise domain (for example your-org.ghe.com), then the device login runs against that tenant.Enter the tenant root only (your-org.ghe.com). Derived service hosts such as api.your-org.ghe.com or copilot-api.your-org.ghe.com are not accepted; OpenClaw derives those endpoints from the tenant root automatically.
2

Domain is persisted to config

The chosen host is stored under the provider params so later token refreshes and completions target the tenant automatically:
The device flow, token exchange, and completions resolve to https://your-org.ghe.com/login/device/code, https://api.your-org.ghe.com/copilot_internal/v2/token, and https://copilot-api.your-org.ghe.com respectively. Data-residency tokens carry a tenant stamp and no proxy hint, so the completions base URL falls back to the tenant Copilot host instead of the public endpoint.
Switching domains always re-runs the device login. If you already have a stored Copilot token and pick a different domain (public github.com ↔ a *.ghe.com tenant, or one tenant to another), OpenClaw will not reuse the existing token — it forces a fresh login so the token is scoped to the domain being written to config. Re-running login for the same domain still offers to reuse the current token. Switching back to public github.com clears the persisted githubDomain so config returns to the default.
The COPILOT_GITHUB_DOMAIN environment variable overrides the resolved domain for every Copilot path that resolves it — the Enterprise device login (--method device-enterprise), the standalone openclaw models auth login-github-copilot shortcut, token refresh, embeddings, and completions. Set it to your *.ghe.com host for fully headless or CI setups. Leave it unset (and the config param absent) to use public github.com. Logins persist the domain they minted the token for (and clear it when logging in against public github.com), so routing stays correct even after the environment variable is unset.

Optional flags

Non-interactive onboarding

The device-login flow requires an interactive TTY. For headless setup, import an existing GitHub OAuth access token with openclaw onboard --non-interactive:
You can also omit --auth-choice; passing --github-copilot-token infers the GitHub Copilot provider auth choice. If the flag is omitted, onboarding falls back to COPILOT_GITHUB_TOKEN, GH_TOKEN, then GITHUB_TOKEN. Use --secret-input-mode ref with COPILOT_GITHUB_TOKEN set to store an env-backed tokenRef instead of plaintext in auth-profiles.json.
The device-login flow requires an interactive TTY. Run it directly in a terminal, not in a non-interactive script or CI pipeline.
Copilot model availability depends on your GitHub plan. If a model is rejected, try another ID (for example github-copilot/gpt-5.5). See GitHub’s supported models per Copilot plan for the current model list.
Once the device-login (or env-var) auth path has resolved a GitHub token, OpenClaw refreshes the model catalog on demand from ${baseUrl}/models (the same endpoint VS Code Copilot uses) so the runtime tracks per-account entitlement and accurate context windows without manifest churn. Newly published Copilot models become visible without an OpenClaw upgrade, and context windows reflect the real per-model limits (e.g. 400k for the gpt-5.x series, 1M for the internal claude-opus-*-1m variants).The bundled static catalog stays as the visible fallback when discovery is disabled, the user has no GitHub auth profile, the token-exchange fails, or the /models HTTPS call errors. To opt out and rely entirely on the static manifest catalog (offline / air-gapped scenarios):
Claude model IDs use the Anthropic Messages transport automatically. Gemini models use the OpenAI Chat Completions transport; GPT and o-series models keep the OpenAI Responses transport. OpenClaw selects the correct transport based on the model ref.
OpenClaw sends Copilot IDE-style request headers on Copilot transports (VS Code editor/plugin versions and the vscode-chat integration id), marks tool-result follow-up turns as agent-initiated, and sets the Copilot vision header when a turn carries image input.
OpenClaw resolves Copilot auth from environment variables in the following priority order:When multiple variables are set, OpenClaw uses the highest-priority one. The device-login flow (openclaw models auth login-github-copilot) stores its token in the auth profile store and takes precedence over all environment variables.
The login stores a GitHub token in the auth profile store (profile id github-copilot:github) and exchanges it for a short-lived Copilot API token when OpenClaw runs. You do not need to manage the token manually.

Memory search embeddings

GitHub Copilot can also serve as an embedding provider for memory search. If you have a Copilot subscription and have logged in, OpenClaw can use it for embeddings without a separate API key.

Config

Set memorySearch.provider explicitly to use GitHub Copilot embeddings. If a GitHub token is available, OpenClaw discovers available embedding models from the Copilot API and picks the best one automatically.

How it works

  1. OpenClaw resolves your GitHub token (from env vars or auth profile).
  2. Exchanges it for a short-lived Copilot API token.
  3. Queries the Copilot /models endpoint to discover available embedding models.
  4. Picks the best model (preference order: text-embedding-3-small, text-embedding-3-large, text-embedding-ada-002).
  5. Sends embedding requests to the Copilot /embeddings endpoint.
Model availability depends on your GitHub plan. If no embedding models are available, OpenClaw skips Copilot and tries the next provider.

Model selection

Choosing providers, model refs, and failover behavior.

OAuth and auth

Auth details and credential reuse rules.