Authentication
Overview
Reviewate needs access to your GitHub or GitLab API to read pull requests and post review comments. There are two ways to authenticate:
| Method | Best for | Setup |
|---|---|---|
| API Token | CI pipelines, Docker, self-hosted | Set GITHUB_TOKEN or GITLAB_TOKEN env var |
| CLI Auth | Local development, quick testing | Log in with gh auth login or glab auth login |
When no token environment variable is set, Reviewate automatically falls back to the CLI tool (gh or glab), which uses your existing login session.
GitHub
Personal Access Token (Classic)
- Go to github.com/settings/tokens
- Click Generate new token (classic)
- Select the required scopes:
| Scope | Purpose |
|---|---|
repo | Full access to private repositories (read code, post comments) |
read:org | Read organization membership (optional, for org repos) |
For public repositories only, public_repo is sufficient instead of repo.
- Copy the token and set it:
export GITHUB_TOKEN=ghp_xxxxxxxxxxxx
Fine-Grained Personal Access Token
Fine-grained tokens offer more precise permissions:
- Go to github.com/settings/tokens?type=beta
- Set Repository access to the repos you want to review
- Under Permissions, enable:
- Contents: Read — to read repository code
- Issues: Read and Write — to read linked issues, post comments
- Pull requests: Read and Write — to read PRs and post review comments
- Metadata: Read — required for all fine-grained tokens
CLI Authentication (gh)
If you have the GitHub CLI installed and logged in, no token is needed:
# Log in (one-time setup)
gh auth login
# Verify your login
gh auth status
# Now run Reviewate without setting GITHUB_TOKEN
reviewate owner/repo -p 123
GitLab
Personal Access Token
- Go to gitlab.com/-/user_settings/personal_access_tokens
- Create a new token with the required scopes:
| Scope | Purpose |
|---|---|
api | Full API access (read MRs, post comments, read code) |
Alternatively, for read-only reviews (no comment posting):
| Scope | Purpose |
|---|---|
read_api | Read-only API access |
read_repository | Read repository code |
- Copy the token and set it:
export GITLAB_TOKEN=glpat-xxxxxxxxxxxx
Group or Project Access Tokens
For CI/CD or shared setups, you can use group or project tokens instead of personal tokens:
- Scope:
api - Role: at least Reporter
CLI Authentication (glab)
If you have the GitLab CLI installed and logged in:
# Log in (one-time setup)
glab auth login
# Verify your login
glab auth status
# Now run Reviewate without setting GITLAB_TOKEN
reviewate group/project -p 123 --platform gitlab
CI / Container Environments
In CI pipelines and Docker containers, CLI tools are typically not available. You must use API tokens:
- GitHub Actions: Use
${{ secrets.GITHUB_TOKEN }}(automatic) or a custom PAT in repository secrets - GitLab CI: Set
GITLAB_TOKENin Settings > CI/CD > Variables - Docker: Pass via
-e GITHUB_TOKEN=...or--env-file
See CI Integration for complete pipeline examples.