Skip to content

Allow BYOK for business/enterprise users with client_byok policy#308608

Merged
pierceboggan merged 2 commits intomainfrom
pierceboggan/byok-biz-enterprise-client-policy
Apr 9, 2026
Merged

Allow BYOK for business/enterprise users with client_byok policy#308608
pierceboggan merged 2 commits intomainfrom
pierceboggan/byok-biz-enterprise-client-policy

Conversation

@pierceboggan
Copy link
Copy Markdown
Contributor

@pierceboggan pierceboggan commented Apr 8, 2026

BYOK (Bring Your Own Key) is currently gated to internal and individual Copilot users. Business and enterprise users should also be able to use BYOK when their organization has opted in via the client_byok policy (token field client_byok=1).

Approach

Three changes in the copilot extension, mirroring what's already wired up on the VS Code core side (chatEntitlementService, chatModelsWidget):

  1. CopilotToken.isClientBYOKEnabled() — New method that reads client_byok from the token, following the same pattern as isMcpEnabled() / isEditorPreviewFeaturesEnabled().

  2. isBYOKEnabled() update — Adds copilotToken.isClientBYOKEnabled() to the allowlist so business/enterprise users with the policy can use BYOK providers.

  3. github.copilot.clientByokEnabled context key — Set from contextKeys.contribution.ts on auth change, following the exact previewFeaturesDisabledContextKey pattern. This context key is already read by chatEntitlementService.clientByokEnabled in VS Code core to gate the "Add Models" button for managed entitlements.

Testing

  • A business/enterprise user with client_byok=1 in their token should see BYOK providers enabled and the "Add Models" button active in the model picker.
  • Users without the flag should see no change in behavior.
  • Individual and internal users remain unaffected (already allowed).

@pierceboggan
Allow BYOK for business/enterprise users with client_byok policy
4f7c163 
- Add isClientBYOKEnabled() method to CopilotToken class
- Update isBYOKEnabled to allow users with client_byok=1 token flag
- Add github.copilot.clientByokEnabled context key for VS Code core model picker

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 8, 2026 20:59
@pierceboggan pierceboggan requested a review from lramos15 April 8, 2026 21:00
@pierceboggan pierceboggan enabled auto-merge (squash) April 8, 2026 21:00
Copilot AI reviewed Apr 8, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR extends Copilot Chat BYOK (Bring Your Own Key) enablement to business/enterprise users when their Copilot token includes the client_byok=1 policy flag, aligning the extension-side gating and context keys with existing VS Code core behavior.

Changes:

  • Add CopilotToken.isClientBYOKEnabled() to expose the client_byok token field.
  • Update BYOK allowlisting to include users with client_byok=1 (still excluding GHE).
  • Introduce and maintain a new github.copilot.clientByokEnabled context key on authentication changes for VS Code core to consume.
Show a summary per file
File Description
extensions/copilot/src/platform/authentication/common/copilotToken.ts Adds a token helper for the client_byok policy flag.
extensions/copilot/src/extension/contextKeys/vscode-node/contextKeys.contribution.ts Sets github.copilot.clientByokEnabled context key based on the current Copilot token.
extensions/copilot/src/extension/byok/common/byokProvider.ts Allows BYOK for business/enterprise users when client_byok=1 is present (and not on GHE).

Copilot's findings

  • Files reviewed: 3/3 changed files
  • Comments generated: 1

Comment thread extensions/copilot/src/platform/authentication/common/copilotToken.ts
Comment on lines +220 to +222
isClientBYOKEnabled(): boolean {
return this.getTokenValue('client_byok') === '1';
}
Copy link

Copilot AI Apr 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Method name isClientBYOKEnabled uses an all-caps acronym in the middle of a camelCase identifier. For consistency with existing token helpers like isMcpEnabled() / isEditorPreviewFeaturesEnabled(), consider renaming to isClientByokEnabled() and updating call sites accordingly.

Copilot generated this review using guidance from repository custom instructions.
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Apr 8, 2026

Screenshot Changes

Base: 729f7873 Current: c275ca7b

Changed (1)

editor/inlineChatAffordance/InlineChatOverlay/Light
Before After
before after

@austindyoung austindyoung mentioned this pull request Apr 8, 2026
Open
@pierceboggan pierceboggan merged commit 4c4b990 into main Apr 9, 2026
23 checks passed
@pierceboggan pierceboggan deleted the pierceboggan/byok-biz-enterprise-client-policy branch April 9, 2026 13:07
@vs-code-engineering vs-code-engineering Bot added this to the 1.116.0 milestone Apr 9, 2026
joshspicer pushed a commit that referenced this pull request Apr 9, 2026
@pierceboggan @joshspicer
Allow BYOK for business/enterprise users with client_byok policy (#30…
88e1c7b 
…8608)

- Add isClientBYOKEnabled() method to CopilotToken class
- Update isBYOKEnabled to allow users with client_byok=1 token flag
- Add github.copilot.clientByokEnabled context key for VS Code core model picker

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@lramos15 lramos15 lramos15 approved these changes

Assignees

@pierceboggan pierceboggan

Labels

None yet

Projects

None yet

Milestone

1.116.0

Development

Successfully merging this pull request may close these issues.

3 participants

@pierceboggan @lramos15