Skip to main content
Security

AI provider credentials

Set, rotate, and verify GitHub Copilot and Claude credentials for a sandbox group.

Provider credentials store the external API tokens that sandboxes in a group use to authenticate with AI services such as GitHub Copilot and Anthropic Claude. Configuring credentials at the sandbox group level makes them available to all sandboxes without requiring each user to supply their own token. This article shows you how to set, rotate, and verify credentials.

Prerequisites

Before you begin
  • An Azure account with an active subscription. Create one for free.
  • A sandbox group deployed in a supported region. See Create a sandbox group.
  • The Container Apps SandboxGroup Data Owner role assignment on the sandbox group.
  • A valid GitHub fine-grained Personal Access Token for Copilot, or an Anthropic API key for Claude.

How provider credentials work

Provider credentials are stored as ACA Sandboxes connections on the sandbox group. When a sandbox starts, the platform injects the configured tokens so that the AI tooling inside the sandbox can authenticate without user interaction.

Credentials are stored securely and are never exposed through the portal after saving. Each provider has its own connection entry and can be configured or rotated independently.


Configuring credentials

GitHub Copilot

To configure a GitHub Copilot token:

  1. Select Set Token next to GitHub Copilot.
  2. Paste your GitHub fine-grained Personal Access Token in the Token field. Tokens must start with github_pat_. Classic tokens that begin with ghp_ are not compatible with Copilot.
  3. Select Save.

The status changes to Configured when the token is accepted and the connection is established.

GitHub token requirements

RequirementDetail
Token typeFine-grained Personal Access Token only
PrefixMust start with github_pat_
PermissionsCopilot access must be granted on the token
Classic tokensNot supported (ghp_ prefix will be rejected)

Claude (Anthropic)

To configure an Anthropic API key:

  1. Select Set Token next to Claude.
  2. Paste your Anthropic API key in the API key field. Keys must start with sk-ant-.
  3. Select Save.

The status changes to Configured when the key is accepted and the connection is established.

Anthropic API key requirements

RequirementDetail
Key typeStandard Anthropic API key
PrefixMust start with sk-ant-
ScopeKey must have access to the Claude API

Credential statuses

StatusMeaningAction
ConfiguredA valid token is stored and ready for useNo action needed
Needs re-authenticationA connection exists but authorization has expiredSelect Set Token and provide a new token
Not configuredNo token has been saved for this providerSelect Set Token to add a token

Rotating credentials

Provider tokens should be rotated periodically following your organization's security policy.

To rotate a token:

  1. Select Set Token next to the provider whose token you want to rotate.
  2. Enter the new token in the field.
  3. Select Save.

The old token is replaced immediately. Running sandboxes that loaded the token at startup are not automatically restarted. To pick up the new token, restart or recreate the sandboxes.


More ways to manage credentials

Python SDK

from azure.containerapps.sandbox import SandboxGroupClient

client = SandboxGroupClient(subscription_id="...", resource_group="...", credential=credential)
client.set_credential(
sandbox_group="my-group",
provider="github-copilot",
token="github_pat_...",
)

See the Python SDK quickstart for a full lifecycle example.


  • Create a sandbox group: Set up the parent resource before configuring credentials.
  • Identity: Assign managed identities for token-free Azure resource access.
  • Secrets: Store arbitrary key-value secrets for sandbox injection.
  • Connectors: Connect sandboxes to external APIs via the connector namespace.
  • ACA CLI reference: Full command-line documentation.