Three ways to use Copilot in OpenClaw
- Built-in provider (github-copilot)
- Copilot SDK harness plugin (copilot)
- Copilot Proxy plugin (copilot-proxy)
Use the native device-login flow to obtain a GitHub token, then exchange it for
Copilot API tokens when OpenClaw runs. This is the default and simplest path
because it does not require VS Code.You will be prompted to visit a URL and enter a one-time code. Keep the
terminal open until it completes.Or in config:
1
Run the login command
2
Set a default model
GitHub Enterprise (data residency)
If your organization uses a data-residency GitHub Enterprise tenant (a*.ghe.com host such as your-org.ghe.com), Copilot lives on tenant-local
endpoints rather than public github.com. OpenClaw exposes this as a
first-class auth choice so you do not have to hand-edit URLs.
1
Pick the Enterprise auth choice
In onboarding or
openclaw models auth, choose
GitHub Copilot (Enterprise / data residency). You will be prompted for
your Enterprise domain (for example your-org.ghe.com), then the device
login runs against that tenant.Enter the tenant root only (your-org.ghe.com). Derived service hosts such
as api.your-org.ghe.com or copilot-api.your-org.ghe.com are not accepted;
OpenClaw derives those endpoints from the tenant root automatically.2
Domain is persisted to config
The chosen host is stored under the provider params so later token refreshes
and completions target the tenant automatically:
https://your-org.ghe.com/login/device/code,
https://api.your-org.ghe.com/copilot_internal/v2/token, and
https://copilot-api.your-org.ghe.com respectively. Data-residency tokens carry
a tenant stamp and no proxy hint, so the completions base URL falls back to the
tenant Copilot host instead of the public endpoint.
Switching domains always re-runs the device login. If you already have a stored
Copilot token and pick a different domain (public
github.com ↔ a *.ghe.com
tenant, or one tenant to another), OpenClaw will not reuse the existing token —
it forces a fresh login so the token is scoped to the domain being written to
config. Re-running login for the same domain still offers to reuse the current
token. Switching back to public github.com clears the persisted
githubDomain so config returns to the default.The
COPILOT_GITHUB_DOMAIN environment variable overrides the resolved domain
for every Copilot path that resolves it — the Enterprise device login
(--method device-enterprise), the standalone
openclaw models auth login-github-copilot shortcut, token refresh, embeddings,
and completions. Set it to your *.ghe.com host for fully headless or CI
setups. Leave it unset (and the config param absent) to use public github.com.
Logins persist the domain they minted the token for (and clear it when logging
in against public github.com), so routing stays correct even after the
environment variable is unset.Optional flags
Non-interactive onboarding
The device-login flow requires an interactive TTY. For headless setup, import an existing GitHub OAuth access token withopenclaw onboard --non-interactive:
--auth-choice; passing --github-copilot-token infers the
GitHub Copilot provider auth choice. If the flag is omitted, onboarding falls
back to COPILOT_GITHUB_TOKEN, GH_TOKEN, then GITHUB_TOKEN. Use
--secret-input-mode ref with COPILOT_GITHUB_TOKEN set to store an env-backed
tokenRef instead of plaintext in auth-profiles.json.
Interactive TTY required
Interactive TTY required
The device-login flow requires an interactive TTY. Run it directly in a
terminal, not in a non-interactive script or CI pipeline.
Model availability depends on your plan
Model availability depends on your plan
Copilot model availability depends on your GitHub plan. If a model is
rejected, try another ID (for example
github-copilot/gpt-5.5). See
GitHub’s supported models per Copilot plan
for the current model list.Live catalog refresh from the Copilot API
Live catalog refresh from the Copilot API
Once the device-login (or env-var) auth path has resolved a GitHub token,
OpenClaw refreshes the model catalog on demand from
${baseUrl}/models
(the same endpoint VS Code Copilot uses) so the runtime tracks
per-account entitlement and accurate context windows without manifest
churn. Newly published Copilot models become visible without an OpenClaw
upgrade, and context windows reflect the real per-model limits
(e.g. 400k for the gpt-5.x series, 1M for the internal
claude-opus-*-1m variants).The bundled static catalog stays as the visible fallback when discovery
is disabled, the user has no GitHub auth profile, the token-exchange
fails, or the /models HTTPS call errors. To opt out and rely entirely
on the static manifest catalog (offline / air-gapped scenarios):Transport selection
Transport selection
Claude model IDs use the Anthropic Messages transport automatically.
Gemini models use the OpenAI Chat Completions transport; GPT and o-series
models keep the OpenAI Responses transport. OpenClaw selects the correct
transport based on the model ref.
Request compatibility
Request compatibility
OpenClaw sends Copilot IDE-style request headers on Copilot transports
(VS Code editor/plugin versions and the
vscode-chat integration id),
marks tool-result follow-up turns as agent-initiated, and sets the Copilot
vision header when a turn carries image input.Environment variable resolution order
Environment variable resolution order
OpenClaw resolves Copilot auth from environment variables in the following
priority order:
When multiple variables are set, OpenClaw uses the highest-priority one.
The device-login flow (
openclaw models auth login-github-copilot) stores
its token in the auth profile store and takes precedence over all environment
variables.Token storage
Token storage
The login stores a GitHub token in the auth profile store (profile id
github-copilot:github) and exchanges it for a short-lived Copilot API
token when OpenClaw runs. You do not need to manage the token manually.Memory search embeddings
GitHub Copilot can also serve as an embedding provider for memory search. If you have a Copilot subscription and have logged in, OpenClaw can use it for embeddings without a separate API key.Config
SetmemorySearch.provider explicitly to use GitHub Copilot embeddings. If a
GitHub token is available, OpenClaw discovers available embedding models from
the Copilot API and picks the best one automatically.
How it works
- OpenClaw resolves your GitHub token (from env vars or auth profile).
- Exchanges it for a short-lived Copilot API token.
- Queries the Copilot
/modelsendpoint to discover available embedding models. - Picks the best model (preference order:
text-embedding-3-small,text-embedding-3-large,text-embedding-ada-002). - Sends embedding requests to the Copilot
/embeddingsendpoint.
Related
Model selection
Choosing providers, model refs, and failover behavior.
OAuth and auth
Auth details and credential reuse rules.