Credentials are injected as request headers only. Query-parameter and
request-body injection are not supported: upstream responses can reflect query
strings and bodies, which would risk leaking the injected credential back to
the agent.
GitHub is an allowlisted credential host, but routes for api.github.com are
held to an extra narrowness standard so a single token can only be attached
to the exact endpoint you intend:
The route must specify an explicit method (no wildcard *).
The pathPatternmust have at least two path segments
(/repos/acme/widgets, not / or /user).
A route that violates either rule is rejected at creation time.
Create a fine-grained personal access token in GitHub with the minimum
scope for the job:
Resource owner / repositories: select only the specific repositories the
agent needs (for example acme/widgets), never “All repositories.”
Permissions: grant only what the endpoint requires (for example
Issues: Read and write for posting issue comments). Leave everything else
at No access.
Expiration: set a short expiration and rotate on schedule.
Scope the route to one method and one deep path. GitHub accepts both
Authorization: Bearer <token> and Authorization: token <token>; either
injectFormat works.
The agent calls the github alias with its own agent token. The proxy matches
the route, injects the PAT as the Authorization header, and forwards the
request. The agent never sees the token.
curl -X POST https://proxy.steward.fi/github/repos/acme/widgets/issues/1/comments \ -H "Authorization: Bearer <agent-token>" \ -H "Idempotency-Key: $(uuidgen)" \ -H "Content-Type: application/json" \ -d '{ "body": "posted by the agent via steward" }'