Branch off your dev environment to create an isolated config so you control the agent's blast radius.
Branch configs are prefixed with the environment slug. dev_agent_copilot lives under dev and inherits from its root unless you override.
Scope it down to only the credentials Copilot's agent acts with (a scoped GITHUB_TOKEN, API keys for your services, etc.)
Do not let the agent populate or modify its own secrets. A human decides what goes in this config. The token in the next step is read-only, so the agent can't write back.
Bound to this one config, with an expiration so a leaked token dies on its own. Capture it into an environment variable so the next steps can reference it without pasting the raw value around.
Service tokens are read-only by default. The agent can fetch secrets, never change them. This is the agent's identity.
Bind the agent's token to a single directory so the CLI only uses it there. Run this from the project folder Copilot will work in.
The --scope . flag locks the token to the current directory. Any doppler command run inside that folder, doppler run launches below, and anything Copilot's agent itself invokes, resolves with this scoped agent token and never your personal CLI token.
Note: Run the agent in a sandbox scoped to that directory. And proceed with caution on production workloads: a non-deterministic agent with live credentials is real blast radius, so keep it pointed at dev/test configs unless you have a specific reason not to.
Copilot CLI (gh copilot) is a terminal binary, so wrap it directly.
Copilot editor extension (VS Code, etc.) inherits the environment of the editor process, so launch the editor through doppler run.
Copilot's agent-mode command execution and any tool calls in that editor session inherit the scoped credentials.
Steps 1-6 give Copilot the credentials it acts with. The MCP server lets Copilot see and operate Doppler itself: list projects, inspect a config, and understand the secret layout before depending on it. Useful in almost any session, so set it up alongside the injection above. In VSCode, this lives in the workspace MCP config.
The MCP server uses the same scoped, read-only token you minted in Step 4. mcp.json is plain JSON and does not expand shell variables, so a literal "$DOPPLER_COPILOT_TOKEN" in an env block gets sent as the token, and auth fails. Paste the raw token value directly instead.
If you'd rather not paste the value into a file, authenticate once with npx @dopplerhq/mcp-server login and drop the env block entirely, or wrap the server in doppler run --command "DOPPLER_TOKEN=$DOPPLER_COPILOT_TOKEN npx -y @dopplerhq/mcp-server --read-only" so a shell (not VSCode) resolves the variable. Enable the server from Copilot's tools picker in agent mode after saving.
Trusted by the world’s best DevOps and security teams. Doppler is the secrets manager developers love.
