A Guide to Just-in-Time Access in Copilot

How can you give developers on‑demand access to Copilot without handing out permanent credentials?

Most teams today embed a personal GitHub token in their IDE configuration or CI pipelines and share that token across the engineering group. This static approach contradicts just-in-time access principles, because the token often has broad scopes – read, write, and sometimes admin rights – and it lives in plain text on workstations, in Docker images, and in shared scripts.

Because the token never expires, any developer, contractor, or compromised machine can continue to issue requests to Copilot indefinitely. The result is a blind spot: no one knows who generated a particular suggestion, what data was sent to the service, or whether a request should have been allowed in the first place.

These practices violate the core idea of just-in-time access: grant the minimum privilege for the shortest possible time, and record the decision so you can prove it later. When you apply just-in-time access to Copilot, you want a workflow that issues a short‑lived credential only when a developer explicitly asks for it, optionally routes the request through an approval step, and logs the interaction for audit. Without a control point in the data path, the request still travels directly to Copilot’s API, bypassing any enforcement, masking, or logging layer.

Why just-in-time access matters for Copilot

Copilot processes code snippets, prompts, and sometimes proprietary business logic. If a permanent token is leaked, an attacker could harvest large volumes of source code, embed malicious suggestions, or exhaust your usage quota. Moreover, compliance frameworks expect evidence that access to external services is both scoped and time‑bound. A static token cannot provide that evidence because it lacks per‑request context.

Implementing just-in-time access solves three problems at once:

• It limits the window of exposure – a token is valid only for the approved session.
• It forces a decision point where policies can be evaluated, such as “only senior engineers may request Copilot for production code.”
• It creates an audit record that shows who asked for what, when, and what response was returned.

Introducing hoop.dev as the enforcement point

hoop.dev acts as a Layer 7 gateway that sits between every identity (human, service account, or AI agent) and the Copilot service. All traffic to Copilot is forced through hoop.dev, making the gateway the only place where enforcement can happen. The gateway verifies the user’s OIDC token, checks the request against policy, optionally routes the request to an approver, masks any sensitive response fields, and records the entire session for replay.

Because hoop.dev owns the credential that talks to Copilot, the user never sees the underlying token. The gateway issues a short‑lived, scoped token on behalf of the user, satisfying the just-in-time access principle. If a request violates a rule – for example, a prompt that contains proprietary IP – hoop.dev can block the command before it reaches Copilot or mask the returned snippet so that only authorized eyes can view it.

How the data path enforces policies

When a developer invokes Copilot through their IDE, the client connects to hoop.dev instead of the public Copilot endpoint. hoop.dev performs these steps:

1. Validates the OIDC token against the configured identity provider.
2. Looks up the user’s group membership and any active just‑in‑time approval.
3. Creates a temporary credential for the Copilot API that expires when the session ends.
4. Streams the request to Copilot, applying any inline masking rules.
5. Records the request and response, attaching the user’s identity and approval metadata.

hoop.dev captures a full audit log that shows who asked for what, when, and what response was returned.

Because every request passes through this gateway, hoop.dev can guarantee that just-in-time access is enforced, that sessions are recorded, and that sensitive data never leaves the gateway unmasked.

Practical steps to get started

1. Deploy the hoop.dev gateway in the same network segment where your developers run their IDEs. The quick‑start Docker Compose file gets you up and running in minutes.

2. Register Copilot as a connection in hoop.dev, providing the service‑level token that the gateway will use.

3. Configure OIDC authentication with your corporate IdP (Okta, Azure AD, Google Workspace, etc.). hoop.dev will act as the relying party, reading group claims to drive policy.

4. Define a just‑in‑time policy for Copilot in the hoop.dev policy editor. Include approval workflows for high‑risk prompts and set masking rules for proprietary code patterns.

5. Instruct developers to point their IDEs at the hoop.dev endpoint (or use the hoop.dev CLI) instead of the native Copilot URL. From their perspective nothing changes except the added security guarantees.

For detailed instructions, see the getting‑started guide and the broader learn section.

FAQ

Does hoop.dev replace my GitHub token?
No. hoop.dev stores the token securely and presents a short‑lived credential to Copilot on your behalf. Users never see the permanent token.

Can I keep using my favorite IDE?
Yes. You simply configure the IDE to connect to the hoop.dev endpoint. The workflow remains identical, but every request is now subject to just‑in‑time checks.

What audit data does hoop.dev provide?
Each Copilot session is recorded with the requesting identity, approval timestamps, and any masking actions taken. This log can be exported for compliance reviews.

By placing the enforcement layer in the data path, hoop.dev ensures that just‑in‑time access is not a theoretical concept but a practical, auditable control for every Copilot interaction.

Explore the open‑source repository on GitHub to see how the gateway is built and to contribute your own policies.