Creating Git Access Tokens for Projects

How to create personal access tokens (PATs) required to connect to Git repositories from Oxygen Content Fusion (for GitHub, GitLab, Bitbucket, and Azure DevOps).

To create a project in Oxygen Content Fusion via the Import from Git option, you must provide Git credentials (username and access token). Oxygen Content Fusion needs read and write permissions on the repository contents to clone the repository, create branches for review tasks, and commit changes.

This topic describes, at a general level, how to create tokens with the required permissions on the main Git platforms. Exact details (menus, labels) may vary by platform version.

General Recommendations

Regardless of platform, follow these practices:

  • Least privilege - Grant only the permissions needed for Git operations (clone, pull, push, branch).
  • Limit to repositories - Where possible, restrict the token to the repositories used with Content Fusion, not all repositories in the account.
  • Expiration and rotation - Set an expiration date and rotate tokens periodically, and revoke tokens that are no longer used.
  • Confidentiality - Do not share tokens or commit them in code. Use environment variables or Git accounts configured in Content Fusion.

GitHub

GitHub uses Personal Access Tokens (PATs). For Oxygen Content Fusion, you need read and write permissions on repository contents.

  • Classic token - When creating it, select the repo scope (grants full access to private and public repositories, including Contents read/write).
  • Fine-grained PAT (recommended):
    • Under Repository access, choose Only select repositories and select the repositories used with Content Fusion.
    • Under Permissions > Repository permissions, set Contents to Read and write.

Note: Without the Contents > Read and write permission, authentication may fail (e.g. 403 errors) even if the token is valid. Also specify which repositories the token has access to.

GitLab

GitLab uses Personal Access Tokens with explicit scopes. For full Git operations (clone, pull, push, branches), you need the following:

  • read_repository – Read access (clone, pull).
  • write_repository – Write access (push, create branches).

Bitbucket (Bitbucket Cloud)

Bitbucket Cloud uses Access tokens to provide specific access to Bitbucket APIs and repository operations. You create them from Repository settings > Security > Access tokens, then use Create access token and choose the appropriate permissions.

For use with Oxygen Content Fusion (clone, pull, push, branches), grant at least the following permissions:

  • Repository: Read – View content (clone, pull).
  • Repository: Write – Modify content (push, branches).

These permissions are sufficient for normal Git operations. Repository-level Admin or Delete is not required. Access tokens are scoped to the repository (or workspace) where you create them.

Azure DevOps

Azure DevOps uses Personal Access Tokens (PATs). When creating one, you choose Scopes (areas of access) and the organization or project.

For Git access to repositories (clone, pull, push, branches) set the following:

  • Code: Read & Write – Allows reading and writing code in Git repositories.

Limit the PAT to the organization and, if possible, to the projects or repositories used with Content Fusion. Microsoft recommends using OAuth tokens where possible. PATs are appropriate when other authentication methods are not available.

Permissions Summary

Table 1. Required Permissions per Platform for Oxygen Content Fusion
Platform | Credential type | Required permissions / scopes
GitHub | Personal Access Token (classic or fine-grained) | Repository permissions → Contents: Read and Write; limit to desired repositories (fine-grained).
GitLab | Personal Access Token | read_repository, write_repository.
Bitbucket Cloud | Access token | Repository: Read, Repository: Write (Repository settings → Security → Access tokens).
Azure DevOps | Personal Access Token | Code: Read & Write.
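
Added example (not part of the Oxygen documentation): a Python check that audits a token's reported scopes and expiry against the permissions listed on this page and the General Recommendations, using the JSON returned by GitLab's GET /api/v4/personal_access_tokens/self and the X-OAuth-Scopes header GitHub returns for classic tokens. The platform labels, the 90-day lifetime limit, and the sample responses are assumptions constructed for illustration.

```python
import json
from datetime import date

# Scopes this page lists as required, keyed by a platform label chosen for this example.
REQUIRED = {
    "gitlab": {"read_repository", "write_repository"},
    "github-classic": {"repo"},
}
MAX_LIFETIME_DAYS = 90  # assumed rotation policy; the page does not set a number


def audit_token(platform, scopes, expires_at, today):
    """Return findings for one token; an empty list means it matches the page's guidance."""
    findings = []
    granted, required = set(scopes), REQUIRED[platform]
    if required - granted:
        findings.append("missing scopes: " + ", ".join(sorted(required - granted)))
    if granted - required:
        findings.append("excess scopes: " + ", ".join(sorted(granted - required)))
    if not expires_at:
        findings.append("no expiration date")
    else:
        # Both platforms start the value with YYYY-MM-DD; only the date part is used.
        days_left = (date.fromisoformat(expires_at[:10]) - today).days
        if days_left < 0:
            findings.append("expired")
        elif days_left > MAX_LIFETIME_DAYS:
            findings.append(f"expires in {days_left} days (limit {MAX_LIFETIME_DAYS})")
    return findings


def from_gitlab_self(body):
    """Parse the JSON body of GitLab's GET /api/v4/personal_access_tokens/self."""
    doc = json.loads(body)
    return doc.get("scopes", []), doc.get("expires_at")


def from_github_headers(headers):
    """Classic PATs only: GitHub echoes the scopes in X-OAuth-Scopes on API responses."""
    h = {k.lower(): v for k, v in headers.items()}
    scopes = [s.strip() for s in h.get("x-oauth-scopes", "").split(",") if s.strip()]
    return scopes, h.get("github-authentication-token-expiration")


# Constructed sample responses (not captured from a real account).
TODAY = date(2025, 1, 10)
GITLAB_BODY = '{"name": "content-fusion", "scopes": ["api", "read_repository"], "expires_at": null}'
GITHUB_HEADERS = {"X-OAuth-Scopes": "repo", "GitHub-Authentication-Token-Expiration": "2025-03-01 00:00:00 UTC"}

if __name__ == "__main__":
    print("gitlab:", audit_token("gitlab", *from_gitlab_self(GITLAB_BODY), TODAY))
    print("github:", audit_token("github-classic", *from_github_headers(GITHUB_HEADERS), TODAY))
```

Feed the functions the response body or headers from an authenticated API call made with the token under review, read from an environment variable rather than typed on the command line.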