GitHub Personal Access Token Setup
Configure a GitHub Personal Access Token (PAT) to enable repository creation, code sync, and issue management for your Trinity agents.
Concepts
When You Need a PAT
| Feature | Requires PAT |
|---|---|
| Create new GitHub repo for an agent | Yes |
| Push agent code to GitHub | Yes |
| Pull updates from private repos | Yes |
| Create/update GitHub Issues from agents | Yes |
| Clone from public templates | No |
| Pull from public repos (read-only) | No |
Who Owns the Platform PAT
Trinity stores a single platform-wide PAT that every agent inherits unless an agent has its own per-agent override. In the standard setup, the Trinity admincreates this token in their own GitHub account — which means:
Choosing a Token Type
| If you want... | Pick | Tradeoff |
|---|---|---|
| Simplest setup; fine with agents inheriting access to every repo your account can reach | Classic PAT | Wider blast radius if the token leaks. New agents work instantly — no GitHub-side steps. |
| Agents scoped to a specific list of repos, nothing else | Fine-grained PAT | Smaller blast radius. Every time you add an agent on a new repo, you edit the token to include that repo. |
Classic is faster to operate. Fine-grained is safer. Pick the tradeoff that matches your organization's risk posture.
Option A: Classic Token (simplest, widest access)
A classic PAT with repo scope grants access to every repository your GitHub user can see— personal repos, plus any org repos your account has access to. Best when you're comfortable with that reach and want zero-maintenance setup.
repo scope checked.Step 1: Create the token
Click Generate new token → Generate new token (classic)
Set a descriptive name: Trinity Platform
Set expiration (90 days recommended, or "No expiration" for persistent setups)
Select required scopes:
| Scope | Required | Purpose |
|---|---|---|
| repo | Yes | Full control of repositories |
| workflow | Optional | Trigger GitHub Actions |
| read:org | Optional | Read organization membership |
Click Generate token
Copy the token immediately — you cannot view it again
Step 2: Configure in Trinity
Go to Settings in Trinity (sidebar → Settings)
Find the GitHub Personal Access Token (PAT) section
Paste your token
Click Test to verify it works
Click Save
Saving auto-propagates to running agents. When the platform PAT changes, Trinity pushes the new token into every running agent's .env file within seconds — no restart required. The save response lists which agents were updated, skipped, or failed. Agents with a per-agent PAT override, or agents that never configured GitHub, are skipped. Per-agent failures are reported but never block the save.
Option B: Fine-Grained Token (scoped, safer, more maintenance)
A fine-grained PAT is limited to a specific list of repositories and a specific set of permissions. Agents can only touch what you listed — not the admin's other repos. Best for production and for admins whose personal GitHub account also holds unrelated work you don't want agents near.
Step 1: Create the token
Click Generate new token
Set name and expiration
Under Repository access, choose "All repositories" or "Only select repositories"
Under Permissions, expand "Repository permissions" and set:
| Permission | Level | Purpose |
|---|---|---|
| Contents | Read and write | Push/pull code |
| Issues | Read and write | Create and manage issues |
| Metadata | Read-only | Required (auto-selected) |
| Pull requests | Read and write | Optional: create PRs |
| Workflows | Read and write | Optional: GitHub Actions |
Click Generate token
Copy the token immediately
Choosing Between Token Types
| Consideration | Classic Token | Fine-Grained Token |
|---|---|---|
| Setup complexity | Simple | More steps |
| Repository scope | All repos by default | Can limit to specific repos |
| Permission granularity | Broad scopes | Individual permissions |
| Token format | ghp_... | github_pat_... |
| Recommended for | Development, personal use | Production, shared teams |
Hosting Agents from External Contributors
A useful consequence of how classic PATs work: a classic PAT reaches every repo its owner can access, including repos that were shared with the owner as a collaborator. This unlocks a simple workflow for letting external agent developers deploy their agents on your Trinity instance without handing over tokens or transferring repos.
The pattern
- External developer has their agent code in their own GitHub repo.
- They invite the Trinity admin's GitHub user as a collaborator, with role:
- • Write — if the agent needs to push back (Working Branch mode, scheduled commits, etc.). This is the usual case.
- • Read — if the agent only pulls (Source mode / deploy-only).
- Admin accepts the invitation.
- Trinity's classic PAT now reaches the repo immediately — no token change, no restart. Deploy the agent from that repo like any other.
- When the engagement ends, the external developer removes the admin as a collaborator. Access disappears the same moment. The PAT is untouched.
Important caveats
Updating the Token Later
Most edits to an existing PAT happen in-place in GitHub — the token string stays the same, so you do not need to paste a new token into Trinity. The main exceptions are regenerating, rotating, or (for fine-grained tokens) changing permissions in ways that may require org re-approval.
Fine-grained PAT — editable in-place
- • Repository list — adding or removing repos. Common when you deploy a new agent that needs access to a repo not in the original list.
- • Expiration date — extend or shorten.
- • Name / description.
Fine-grained PAT — when to regenerate
- • Permission changes (e.g. adding
Issues: Read and write) — the UI may let you save permission changes in-place, but org PAT policies can require re-approval and some deployments see inconsistent behavior. Safest path: regenerate the token and paste the new one into Trinity Settings. If the token is on a personal account with no org policy, in-place editing usually works; you can try it first. - • Token lost / suspected compromise — always regenerate.
Classic PAT
- • Scopes are editable in-place (check/uncheck boxes and save).
- • The token string itself only changes if you click Regenerate.
After any change that produces a new token string, update it in Trinity via Settings → GitHub Personal Access Token → Test → Save. Trinity auto-propagates the new token to all running agents that use the platform PAT within seconds.
API
| Endpoint | Method | Description |
|---|---|---|
| /api/settings/api-keys | GET | Check PAT status |
| /api/settings/api-keys/github/test | POST | Test a PAT |
| /api/settings/api-keys/github | PUT | Save PAT |
MCP tool: initialize_github_sync(agent_name, repo_url) uses the configured PAT.
Troubleshooting
"Resource not accessible by personal access token"
Cause: Token lacks required permissions.
Fix (Classic): Regenerate with repo scope checked.
Fix (Fine-Grained):Add "Contents: Read and write" permission.
"SSO authorization required"
Cause:Organization uses SAML SSO and the token isn't authorized.
Fix: Go to github.com/settings/tokens, find your token, click Configure SSO, and authorize for the organization.
"Bad credentials" error
Cause: Token is expired, revoked, or mistyped.
Fix: Generate a new token and reconfigure in Trinity Settings.
Security Best Practices
Limitations
See Also
Trinity docs
- • GitHub Sync — Using git sync after PAT is configured
- • Creating Agents — Creating agents from GitHub templates
- • Platform Settings — Other settings configuration
GitHub references
- • Managing your personal access tokens — Official GitHub docs: how PATs work, creation, deletion, security
- • About authentication to GitHub — Official: full picture of GitHub authentication methods and when to use each
- • Introducing fine-grained personal access tokens — GitHub Blog: why fine-grained PATs exist and what problems they solve
- • GitHub Classic vs. Fine-grained Personal Access Tokens — Third-party explainer: clear side-by-side comparison with practical scenarios