AI provider credentials
Set, rotate, and verify GitHub Copilot and Claude credentials for a sandbox group.
Provider credentials store the external API tokens that sandboxes in a group use to authenticate with AI services such as GitHub Copilot and Anthropic Claude. Configuring credentials at the sandbox group level makes them available to all sandboxes without requiring each user to supply their own token. This article shows you how to set, rotate, and verify credentials.
Prerequisites
- An Azure account with an active subscription. Create one for free.
- A sandbox group deployed in a supported region. See Create a sandbox group.
- The Container Apps SandboxGroup Data Owner role assignment on the sandbox group.
- A valid GitHub fine-grained Personal Access Token for Copilot, or an Anthropic API key for Claude.
How provider credentials work
Provider credentials are stored as ACA Sandboxes connections on the sandbox group. When a sandbox starts, the platform injects the configured tokens so that the AI tooling inside the sandbox can authenticate without user interaction.
Credentials are stored securely and are never exposed through the portal after saving. Each provider has its own connection entry and can be configured or rotated independently.
Configuring credentials
GitHub Copilot
To configure a GitHub Copilot token:
- Select Set Token next to GitHub Copilot.
- Paste your GitHub fine-grained Personal Access Token in the Token field. Tokens must start with
github_pat_. Classic tokens that begin withghp_are not compatible with Copilot. - Select Save.
The status changes to Configured when the token is accepted and the connection is established.
GitHub token requirements
| Requirement | Detail |
|---|---|
| Token type | Fine-grained Personal Access Token only |
| Prefix | Must start with github_pat_ |
| Permissions | Copilot access must be granted on the token |
| Classic tokens | Not supported (ghp_ prefix will be rejected) |
Claude (Anthropic)
To configure an Anthropic API key:
- Select Set Token next to Claude.
- Paste your Anthropic API key in the API key field. Keys must start with
sk-ant-. - Select Save.
The status changes to Configured when the key is accepted and the connection is established.
Anthropic API key requirements
| Requirement | Detail |
|---|---|
| Key type | Standard Anthropic API key |
| Prefix | Must start with sk-ant- |
| Scope | Key must have access to the Claude API |
Credential statuses
| Status | Meaning | Action |
|---|---|---|
| Configured | A valid token is stored and ready for use | No action needed |
| Needs re-authentication | A connection exists but authorization has expired | Select Set Token and provide a new token |
| Not configured | No token has been saved for this provider | Select Set Token to add a token |
Rotating credentials
Provider tokens should be rotated periodically following your organization's security policy.
To rotate a token:
- Select Set Token next to the provider whose token you want to rotate.
- Enter the new token in the field.
- Select Save.
The old token is replaced immediately. Running sandboxes that loaded the token at startup are not automatically restarted. To pick up the new token, restart or recreate the sandboxes.
More ways to manage credentials
Python SDK
from azure.containerapps.sandbox import SandboxGroupClient
client = SandboxGroupClient(subscription_id="...", resource_group="...", credential=credential)
client.set_credential(
sandbox_group="my-group",
provider="github-copilot",
token="github_pat_...",
)
See the Python SDK quickstart for a full lifecycle example.
Related content
- Create a sandbox group: Set up the parent resource before configuring credentials.
- Identity: Assign managed identities for token-free Azure resource access.
- Secrets: Store arbitrary key-value secrets for sandbox injection.
- Connectors: Connect sandboxes to external APIs via the connector namespace.
- ACA CLI reference: Full command-line documentation.