Codecov Tokens

All about authenticating your uploads with Codecov.

Codecov uses secret tokens to make sure the uploads we process for a project really come from that project. Tokens prevent fake or accidental uploads from making it into, for example, the main branch. A single bad upload to main affects the data we show for main itself as well as for pull requests that are based on main.

The way you configure a Codecov token is different depending on your CI provider, the type of token you're using, and the way you send uploads to Codecov.

When do I need a token?

For private repositories, all uploads require a token.

For public repositories, a token is required to send uploads to commits on protected branches. A protected branch corresponds to an actual branch in your repository (like main or master). An unprotected branch is any branch with a colon-separated prefix on it (like forkname:main or pr300:master).

The prefix for an unprotected branch name is something a CI job comes up with when it sends requests to Codecov and is not part of the repository or its branches.

Note: we have not yet taken down our legacy upload endpoint which is used in older Codecov configurations. This endpoint attempts to process tokenless uploads regardless of the branch name, but it is unreliable, unmaintained, and may be removed in the future.

Types of tokens

Repository tokens

Each repository has a unique Codecov token that will work for only that repository. Click the "Configure" button next to a repository in the Codecov UI or go to a repository's "Configuration" tab to view the token.

Codecov landing page showing a table of repositories. Each row in the table has a button labeled "Configure" on the right-hand side.

Codecov repository list

Codecov UI to guide a user through first-time setup for a new repository. There is a selector which will display different instructions depending on the CI provider chosen. "Using GitHub Actions" is currently selected. Next, a section labeled "Step 1: add repository token as repository secret". It states admin access is required to access the relevant settings in GitHub Actions. It also displays a recommended secret name, CODECOV_TOKEN, and a token value (a UUID).

Repository first-time setup screen

If a global upload token has been generated for the repository's owner, it will be shown on this screen instead of a per-repository token. The per-repository token can still be viewed in the repository's "Configuration" tab in the "General" section.

Global upload tokens

Account owners or organization administrators can create a single global upload token which will work for all of the repositories owned by the account or organization. Setting a global upload token as an organization-wide secret in CI settings makes it easier to set up Codecov for new repositories.

Create one in the account or organization's settings page in the Codecov UI:

Codecov settings page for an account/organization. The "Global Upload Token" tab is selected. It cautions that global upload tokens are secret and should not be shared. There is a button labeled "Generate" with the accompanying text: "Generating a global token allows you to apply the same upload token to all of your repos. This can make configuration easier and more streamlined."

If an account or organization has a global upload token, the Codecov UI will display it instead of a repository token for every repository belonging to the account or organization.

Self-hosted upload tokens

Self-hosted Codecov installations can define a token in their installation YAML. Learn more in the documentation for self-hosting Codecov.

Using your token

Once you have your token, there are two steps needed to set it up:

  • In your CI provider's settings, create a secret CODECOV_TOKEN variable and set its value to your token's value
  • In your CI job definition, pass the value of the CODECOV_TOKEN variable to the Codecov CLI / uploader

The details of these steps differ depending on your CI provider and how you send uploads to Codecov.

Example: GitHub Actions + Official Codecov Action

Official GitHub Actions documentation: Using secrets in GitHub Actions and Storing credentials for Dependabot to use.

If you are are using a global upload token and have the necessary permissions, open the "Settings" page for your organization on GitHub.

Otherwise, open the "Settings" page for your repository (as shown below). Expand the "Secrets and variables" section and select "Actions". Click the "New repository secret" button.

Create a new repository secret called CODECOV_TOKEN. Set its value to your Codecov token. Make sure not to include anything other than the token; for example, don't include anything like CODECOV_TOKEN=.

Next, update your GitHub Actions testing workflow so that it runs the official Codecov action.

steps:
- uses: codecov/codecov-action@v4
  with:
    token: ${{ secrets.CODECOV_TOKEN }}

And that's it. Uploads from private GitHub repos, or protected branches on public repos, now happen with a token.

Uploading without a token

Codecov does not require a token for an upload when both the following conditions are true:

  • the repository is public
  • the upload is for a commit that is on an unprotected branch (like forkname:main)

Projects that accept contributions from forks can add a prefix to the contribution's branch name and send uploads to Codecov without having to expose any CI secrets.

Maintainers who don't have administrator permissions for their projects can partially work around the token requirement by adding : to every branch name.

Using the latest Codecov GitHub Action

The latest version of the Codecov GitHub Action automatically modifies the branch name when a token isn't available. Codecov should work smoothly on pull requests from forks out of the box.

Using the Codecov CLI or other CI providers

If you're using the official CI action for another CI provider, or your CI jobs use the Codecov CLI directly, your CI jobs will need to come up with an unprotected branch name on their own. This could be based on the PR number, the username of the fork's author, or something else.

Legacy upload methods

🚧

Tokenless uploads from legacy uploaders are unreliable

Tokenless uploads from legacy uploaders, or from CI actions that wrap them, share a global, Codecov-wide rate limit imposed by CI services. When this rate limit is exceeded, uploads fail and Codecov won't post CI statuses or PR comments.

Please update to the latest versions of our CI actions or the Codecov CLI for more reliable tokenless uploads.

Codecov's legacy uploaders and older versions of our pre-made CI actions use a legacy upload endpoint with different authentication requirements. This legacy endpoint attempts to accept all tokenless uploads, regardless of the branch name, for public projects that use certain CI providers (Travis-CI, CircleCI, Azure, GitHub Actions).

This legacy endpoint is unreliable, unmaintained, and may be removed in the future. Please upgrade to the latest version of the Codecov CLI or the pre-made CI action for your CI provider.