🔐 Source Control Tokens
Every Early AI agent requires a valid TOKEN to interact with your source control platform.
This token enables the CLI to read files, create commits, and optionally post comments or summaries on pull requests.
This guide explains:
- Which token types are supported
- The required scopes or permissions
- How to generate tokens for GitHub, Bitbucket, and GitLab
🎯 Purpose of the TOKEN
All Early AI agents — including GitHub PR, CLI PR, Commit CLI, and Repo CLI — use the TOKEN for one or more of the following:
- ✅ Reading repository contents
- ✅ Pushing or committing generated test files
- ✅ Reading or updating PR or commit metadata
- ✅ Commenting or updating PR summaries (when applicable)
⚠️ Without a valid token, the agent cannot read code or push new test files.
🧩 GitHub Tokens
Classic Personal Access Token (Recommended)
The simplest and most compatible option.
Works across all CI/CD platforms (GitHub Actions, Jenkins, CircleCI, etc.).
Required scopes:
repo— full repository access (includes contents, pull requests, and commits)read:packages— required if installing the CLI from GitHub Packages
Create one here:
https://github.com/settings/tokens/new?type=classic
Fine-Grained Personal Access Token (FGPAT)
More secure and restricted to specific repositories.
Minimum required repository permissions:
- Contents → Read & Write
- Pull Requests → Read & Write (if PR operations are needed)
- Metadata → Read
⚠️ Fine-grained tokens do not support GitHub Packages.
You’ll still need a classic PAT for theNPM_TOKENused during CLI installation.
See NPM Authentication.
Create one here:
https://github.com/settings/personal-access-tokens/new
🪣 Bitbucket Tokens
Bitbucket uses App Passwords instead of PATs.
Minimum required permissions:
- Repositories → Read & Write
- (Optional) Pull Requests → Read & Write, if using PR-based agents
Generate an App Password:
- Go to Bitbucket Settings → Personal Bitbucket Settings → App passwords
- Click Create app password
- Select:
- ✅ Repositories → Read & Write
- ✅ Pull requests → Read & Write (if needed)
- Save and use it as the
TOKEN.
More info:
https://support.atlassian.com/bitbucket-cloud/docs/app-passwords/
🦊 GitLab Tokens
GitLab uses Personal Access Tokens.
Minimum required scopes:
api— full access to project and repository APIsread_repository— to read codewrite_repository— to push generated test files
Create one here:
https://gitlab.com/-/profile/personal_access_tokens
🧭 SCM Compatibility Overview
| SCM | Token Type | Required Permissions / Scopes | Notes |
|---|---|---|---|
| GitHub | Classic PAT or FGPAT | repo, read:packages or (contents, pull_requests, metadata) | Classic PAT recommended for CLI installation |
| Bitbucket | App Password | Repositories: Read & Write, Pull Requests: Read & Write | Use for CLI PR or Commit agents |
| GitLab | Personal Access Token | api, read_repository, write_repository | Supported for Commit and Repo agents |