Two Quiet Changes, One Bigger Story: Copilot’s Infrastructure Is Growing Up
GitHub is rolling out two foundational updates that will reshape how organizations integrate with Copilot and GitHub Apps. First, Copilot usage metrics report download links are moving off infrastructure-specific Azure Front Door domains to a stable, GitHub-owned or enterprise-owned pattern. Second, GitHub App installation tokens are getting a new, longer, stateless format designed for higher performance and reliability at scale. Individually, these sound like low-level technical tweaks. Together, they signal a clear direction: GitHub is hardening the plumbing behind Copilot and GitHub Apps as AI assistants become core to daily development workflows. For admins, DevOps teams, and developers, these changes mean revisiting allowlists, scripts, dashboards, and validation logic that quietly depend on old URL patterns or 40-character tokens. Treat this moment as a chance to modernize your Copilot admin guide and developer tooling updates so future infrastructure changes become non-events instead of fire drills.
New Copilot Usage Metrics URLs: More Stable, Easier to Allowlist
Starting May 20, 2026, Copilot usage metrics report download URLs returned by the Copilot Usage Metrics API will move away from copilot-reports-*.b01.azurefd.net and onto stable domains. For GitHub Enterprise Cloud customers, the new pattern is copilot-reports.github.com. For ghe.com environments, it becomes copilot-reports.*.ghe.com. This shift matters because the previous Azure Front Door domains were tied to specific infrastructure deployments and could change when services were redeployed or reconfigured. By anchoring reports to GitHub-controlled domains, report download URLs stay consistent even as the underlying infrastructure evolves. That improves reliability for automation and creates a predictable, trustworthy target for firewall and proxy allowlists. During a transition period, the old Azure Front Door pattern will continue to work, but it will eventually be deprecated. If you rely on Copilot usage metrics for governance, budgeting, or adoption tracking, treat allowlist and script updates as a near-term priority rather than a “nice to have.”
GitHub App Tokens Are Getting Longer and Stateless: What’s Changing
GitHub is also updating the format of GitHub App installation tokens (the ghs_ tokens) in a staged rollout beginning April 27, 2026. The new tokens are stateless, which improves issuance performance under heavy load and increases the reliability of the API surface. Practically, that means tokens will be much longer—around 520 characters and variable in length—rather than the fixed 40 characters many integrations currently assume. The new format for installation tokens will look like ghs_APPID_JWT. The prefix ghs_ remains unchanged, but the JWT portion is signed by an internal GitHub issuer and must be treated as opaque. Client applications should not attempt to validate or interpret the JWT contents; it simply carries internal details such as target installation, app identity, and validation metadata. Existing tokens remain valid until they expire, and GitHub Enterprise Server isn’t affected. This change initially targets GitHub Enterprise Cloud and Data Residency environments.
Timeline and Impact for Admins, DevOps, and Tool Builders
The URL and token changes will roll out in phases, and different roles will feel the impact in different ways. For URLs, allowlist updates must be in place before May 20, 2026 so that Copilot usage metrics downloads continue uninterrupted when the new copilot-reports.github.com or copilot-reports.*.ghe.com patterns go live. In rare cases when Azure Front Door is unavailable, downloads can fall back to *.blob.core.windows.net, which security teams may also need to allow. For tokens, the staged rollout begins April 27 and runs into late June. Initially, the new token format will appear in GitHub Actions-issued GITHUB_TOKEN and first-party featured integrations such as Dependabot, Slack, and Teams, then extend to all GitHub App installation tokens. GitHub plans a brownout period to surface integrations that still depend on fixed-length tokens. Upcoming rollouts will also apply the new format to server-to-server tokens, including Actions GITHUB_TOKEN, with future changes planned for user-to-server tokens used in Copilot code review flows.
How to Adapt Your Integrations Now—and Future-Proof Them
To avoid surprises, teams should audit and update their integrations proactively. For Copilot usage metrics, update firewall and proxy allowlists to include copilot-reports.github.com (for github.com environments) or copilot-reports.*.ghe.com (for ghe.com). If uninterrupted report access is critical, ensure *.blob.core.windows.net is also allowed. Next, inspect automation scripts, data pipelines, and dashboards to remove any assumptions about Azure Front Door domains; use the URLs returned by the Copilot Usage Metrics API as-is. For GitHub App tokens, treat them strictly as opaque strings. Remove any regex checks such as ghs_[A-Za-z0-9]{36} and any logic that assumes tokens are exactly 40 characters. Verify that database columns, environment variables, and logging systems can safely handle strings of at least 520 characters. Finally, review CI pipelines and provisioning tools that parse or validate tokens, especially where GitHub App-based governance, provisioning, or Copilot admin workflows are automated.