Logo

Accessing Private GitHub Repositories

Use a personal access token to give Quotient read access to private repos via the GitHub MCP server

The GitHub MCP connection in the marketplace uses OAuth to connect through Quotient's GitHub App. This works well for public repositories, but GitHub's hosted MCP server does not surface private repositories or organization repositories through this OAuth flow. Since the most common reason to connect GitHub is to work with private repos — drafting changelogs from commits, summarizing PRs, writing release notes — this is a meaningful limitation.

The workaround is straightforward: create a GitHub personal access token (PAT) and connect the GitHub MCP server as a custom server using that token. Quotient will authenticate as you through the PAT and will be able to see any repo the token has access to.

Step 1: Create a Personal Access Token

GitHub offers two types of personal access tokens: fine-grained tokens (recommended) and classic tokens. Both work with this setup. Fine-grained tokens are more precise and let you restrict access to specific repositories; classic tokens are simpler to configure.

Go to GitHub > Settings > Developer settings > Personal access tokens to create one.

A note on read-only access

A personal access token essentially lets Quotient authenticate to GitHub on your behalf, with whatever permissions the token carries. We strongly recommend keeping your token read-only. Quotient's primary use case for GitHub is reading commits, pull requests, and diffs to generate content — it does not need write access for this.

We do not document write-scope configurations here. If you have a specific use case that requires write access (for example, having Quotient open PRs or create issues), reach out to us and we can help you configure appropriate scopes.

Fine-grained token (recommended)

Fine-grained tokens let you limit access to specific repositories and grant only the permissions you need.

When creating the token, configure the following:

  • Resource owner: Your personal account, or the GitHub organization that owns the repositories you want Quotient to access. If you select an organization, the org may need to approve the token before it becomes active.
  • Repository access: Select Only select repositories and choose the repos you want Quotient to be able to read, or select All repositories if you want broad access across your account or org.
  • Permissions: Under Repository permissions, set the following to Read-only:
    • Contents — required to read files, commits, and diffs
    • Metadata — required for basic repo info (always read-only, enabled automatically)
    • Pull requests — required to read PR descriptions and diffs

Classic token

Classic tokens are scoped by category rather than individual permission. When creating the token, select:

  • repo — grants full access to repositories, but within the repo scope, you are not able to request read-only on its own. This is a known limitation of classic tokens. If fine-grained tokens are an option for you, they are preferable because they allow true read-only access.

If you are connecting Quotient to an organization's repositories, you may also need:

  • read:org — allows Quotient to read organization membership and repository lists within the org

Do not select any write or admin scopes. Leave all other checkboxes unchecked.

Step 2: Connect as a Custom MCP Server

Once you have your token, go to Settings > MCP Servers and click Custom Server at the bottom of the marketplace list.

Configure the server with the following:

  • URL: https://api.githubcopilot.com/mcp/
  • Authentication: API Key
  • Token: Paste your personal access token

Save the connection. Quotient will immediately be able to use the GitHub MCP tools with the permissions carried by your token.

What Happens Next

Once connected, Quotient can read any repository that your token has access to. You can ask it to summarize recent commits, compare branches, draft a changelog from merged PRs, or pull context from a specific file — all without leaving Quotient.

If you need to rotate or revoke the token at any point, generate a new one in GitHub, then update the custom server in Quotient's settings with the new value.