For users who want (or need) to generate their own git access token, this page describes (1) the permissions that must be included for each provider and (2) why those permissions are requested.


🤓 Cases for manually setting up a connection to your git provider

Why do the extra work of creating an access token (sometimes called a "PAT" or "Personal Access Token") with your git provider, when it's almost always easier to just log into GitClear to enable a secure connection to your git provider? There are three common reasons advanced users choose to set up PATs:

If you're running GitClear Enterprise. Letting users set up their git connection via access token allows connecting to on-prem git servers at any URL. Here (in Enterprise), the default login is via email & password, since it would require substantial configuration to stand up an OAuth provider relationship with your on-prem instance.

If you're in a large bureaucracy with complex rules. A common scenario with our Azure customers is that they are one organization with a tenant that may have thousands of organizations. In this case, permitting OAuth login for a single provider can be challenging or impossible. Setting up manual access tokens is a way to enable processing without a protracted back-and-forth with the network admin (assuming you have secured their blessing).

You want to add quota without adding users. The more connections GitClear has to a git provider, the faster it can process commits, PRs, etc. Thus, some customers like to submit access tokens for users, even when those users won't be personally accessing GitClear.


➕ Where to Add an Access Token

When logging into Enterprise, connection setup occurs on the screen that naturally follows user registration. The "Remote connection setup" page will prompt for the "git provider" and "access token" you wish to use, with instructions like the ones on this page.


For users of the SaaS (www.gitclear.com) product, the Provision User endpoint allows an access token to be manually/explicitly added to your existing entity.


🔌 Per-Provider Access Permissions

Now we'll describe which permissions GitClear needs to process the various git providers that are supported by the product as of 2026.


Azure DevOps

Microsoft's instructions for creating a personal access token with Azure are here.

Go to the login page for Azure DevOps and log in with your account.

Click your settings icon (next to your avatar, on the top right) and click Personal access tokens.

Click New Token.

Set an appropriate name and expiration date for the token. If your token expires, you'll need to create a new one and update it in GitClear.

Copy the expiration date, as it's required as input for the PAT setup.

Make sure the organization is set to All accessible organizations. GitClear requires accessing several cross-organizational endpoints (e.g., to retrieve contributor details).

Under Scopes, make sure at least the following are selected:

Code: Read

Graph: Read

Pull Request Threads: Read and Write

Service Hooks: Read & Execute

User Profile: Read

Click Create. Copy the token from the screen that appears and paste it into the API Token field. To complete the Azure PAT setup we will also require:

the expires_at of the selected token from point (4)

the organization_slug, which can be found by going to Azure DevOps -> Select your Organization -> Organization Settings -> Overview -> Name


Note: If you get an Azure-specific error during user provisioning, please see Debugging Azure Error Codes when provisioning user with PAT.


Code: Read allows GitClear to fetch your commit history and diff data, which is the foundation of all analysis. Graph: Read is required to look up contributor identities across your organization — without it, GitClear cannot correctly attribute commits to individuals. Pull Request Threads: Read and Write lets GitClear read PR metadata and post analysis comments back to your pull requests. Token Administration: Read and manage is needed to verify and manage the token's own validity and scope. User Profile: Read allows GitClear to retrieve display names and email addresses to populate contributor profiles.




Azure On-Premises

Microsoft's instructions for creating a personal access token with Azure are here.

Log into your Azure on-prem instance.

Click your settings icon (next to your avatar, on the top right) and click Security. You should see a list of Personal Access Tokens.

Click New Token.

Set an appropriate name and expiration date. If your token expires, you'll need to create a new one and update it in GitClear.

Copy the expiration date, as it's required as input for the PAT setup.

Make sure the organization is set to All accessible organizations. GitClear requires accessing several cross-organizational endpoints.

Under Scopes, make sure at least the following are selected:

Code: Read

Graph: Read

Pull Request Threads: Read and Write

Service Hooks: Read & Execute

User Profile: Read

Click Create. Copy the token from the screen that appears and paste it into the API Token field. To complete the Azure PAT setup we will also require:

the expires_at of the selected token from point (4)

the organization_slug, which can be found by going to Azure DevOps -> Select your Organization -> Organization Settings -> Overview -> Name


Note: If you get an Azure-specific error during user provisioning, please see Debugging Azure Error Codes when provisioning user with PAT.


Code: Read allows GitClear to fetch your commit history and diff data, which is the foundation of all analysis. Graph: Read is required to look up contributor identities across your organization — without it, GitClear cannot correctly attribute commits to individuals. Pull Request Threads: Read and Write lets GitClear read PR metadata and post analysis comments back to your pull requests. Token Administration: Read and manage is needed to verify and manage the token's own validity and scope. User Profile: Read allows GitClear to retrieve display names and email addresses to populate contributor profiles.



Bitbucket.org

Go to the App passwords page on Bitbucket.org.

Click Create App Password.

Give the app password a name (e.g., "GitClear") and enable the following minimal permissions:

Account: Read

Repositories: Write

Pull Requests: Read

Click Create and note the autogenerated password that appears in the popup.

Find your Bitbucket username under the Account settings page (from the links on the left).

Enter your token in this format: your_username:your_app_password

Click Connect endpoint.

Account: Read allows GitClear to retrieve your username and profile information, which is used to identify contributors. Repositories: Write is required not to modify your code, but because Bitbucket bundles webhook management under this permission level — GitClear needs to register a webhook so it is notified of new commits in real time. Pull Requests: Read lets GitClear fetch PR metadata, including titles, descriptions, reviewers, and merge status, which feeds into PR-level analysis.



Bitbucket Server

From any page on your Bitbucket Server installation, click your avatar (top-right) and click Manage Account.

Click Personal access tokens in the left menu.

Click Create a token (top-right).

Choose a name for your token (recommended: "GitClear").

Set permissions:

Projects: Read

Repositories: Admin (required for GitClear to set up webhooks; without this, commit processing will have high latency)

Copy the token from the page that appears and paste it into the form.

Projects: Read allows GitClear to enumerate the projects and repositories available under your Bitbucket Server instance. Repositories: Admin is required specifically so GitClear can register webhooks on your repositories. Webhooks notify GitClear immediately when new commits are pushed; without them, GitClear must fall back to periodic polling, which significantly increases the delay before new commits appear in your dashboard. The Admin permission is not used to modify repository settings in any other way.


Bitbucket Server 5.4 or Earlier (No PAT Support)

If your server is older than version 5.5, Personal Access Tokens are not supported. Use your username and password instead, formatted as:

username:password

Note: This method is strongly discouraged if you are on Bitbucket Server 5.5 or later. Personal Access Tokens are more flexible and secure.




GitHub (github.com and Self-Hosted)

From any page on GitHub, click your profile picture (top-right) and select Settings.

In the left menu, click Developer Settings.

Click Personal access tokens.

Click Generate new token.

Make sure the token has the following scopes:

manage_billing:copilot

read:enterprise

read:org

read:org_hook

repo

write:repo_hook

user

Click Generate token.

Copy the token from the page that appears and paste it into the form to finish GitClear setup.

repo grants read access to your repositories' commits, branches, and pull requests — this is the core data GitClear analyzes. write:repo_hook allows GitClear to register a webhook on each repository so it is notified of new pushes in real time, rather than relying on polling. read:org_hook lets GitClear inspect existing organization-level webhooks to avoid creating duplicates. user provides access to profile information such as name and email address, which GitClear uses to correctly identify and attribute commits to contributors.
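
Before pasting a classic GitHub token into the form, you can check that it carries exactly the scopes listed above. The following is an added example, not GitClear's own code: it compares the `X-OAuth-Scopes` response header that GitHub returns for classic tokens against this page's list. The `GITHUB_TOKEN` variable name, the function names, and the partial parent-scope map are assumptions made for the example.

```python
import os
import urllib.request

# Scopes this page asks for on a classic GitHub personal access token.
REQUIRED = {"manage_billing:copilot", "read:enterprise", "read:org",
            "read:org_hook", "repo", "write:repo_hook", "user"}

# Broader scopes that also satisfy a required one (partial map, limited to
# parent/child pairs from GitHub's scope documentation).
IMPLIED_BY = {
    "read:enterprise": {"admin:enterprise"},
    "read:org": {"write:org", "admin:org"},
    "write:repo_hook": {"admin:repo_hook"},
}


def parse_scopes(header_value):
    """Split an X-OAuth-Scopes header value into a set of scope names."""
    return {s.strip() for s in (header_value or "").split(",") if s.strip()}


def audit(header_value, required=REQUIRED):
    """Return (missing, excess): required scopes the token lacks, and
    granted scopes that go beyond the required list."""
    granted = parse_scopes(header_value)
    missing = {s for s in required
               if not ({s} | IMPLIED_BY.get(s, set())) & granted}
    return missing, granted - required


def fetch_scopes_header(token, api_base="https://api.github.com"):
    """Ask GitHub which scopes a classic token carries (needs network)."""
    req = urllib.request.Request(
        f"{api_base}/user", headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.headers.get("X-OAuth-Scopes", "")


if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")  # assumed variable name
    # Constructed header value, used when no token is supplied.
    header = (fetch_scopes_header(token) if token
              else "repo, admin:org, admin:repo_hook, user, delete_repo")
    missing, excess = audit(header)
    print("missing:", sorted(missing))
    print("beyond the documented list:", sorted(excess))
```

For a self-hosted GitHub Enterprise Server, pass its API base (`https://HOSTNAME/api/v3`) as `api_base`. Anything reported as beyond the documented list is access the token grants that this page does not ask for.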




GitLab (gitlab.com and Self-Hosted)

From any page on GitLab, click your profile picture (top-right) and select Settings.

In the left menu, click Access Tokens.

Fill out the form, making sure to enable the following scopes:

api

read_user

Click Create personal access token.

Copy the token from the page that appears and paste it into the form to finish GitClear setup.

api grants full access to the GitLab API, which GitClear uses to read repository data, commits, diffs, merge requests, and to register webhooks for real-time commit notifications. read_user provides access to your profile details — name, username, and email — which GitClear uses to correctly attribute commits to individual contributors across your projects.