Feature Request: User-Delegated Billing & Simple Prompt-Response API for Third-Party Applications

[benpaddlejones]

Problem Statement

The current SDK architecture assumes the Copilot CLI runs server-side with a single set of credentials, meaning all API usage is billed to the application operator, not the end users who trigger the requests.

This creates a significant barrier for building educational platforms, SaaS applications, and developer tools where:

1. Users are already authenticated with GitHub (OAuth)
2. Users may have their own Copilot subscriptions (Individual, Business, or Enterprise via their organisation)
3. The application operator shouldn't bear the cost of every user's AI interactions

Use Case: Educational Platform

I'm building an HSC (High School Certificate) programming education platform where:

• Students authenticate via GitHub OAuth (scope: read:user read:org)
• Students submit code/diagrams for AI-powered feedback
• The school has Copilot Business seats for students

Current limitation: If I use the SDK, all student requests bill to MY Copilot subscription, not theirs—even though they're authenticated GitHub users with their own Copilot access.

Current Architecture Problem

┌─────────────────────────────────────────────────────────────────┐
│  Web Application Server                                         │
│  ┌─────────────────┐                                            │
│  │ CopilotClient() │ ← Authenticates with SERVER credentials    │
│  └────────┬────────┘                                            │
│           │                                                     │
│           ▼                                                     │
│  ┌─────────────────┐                                            │
│  │ Copilot CLI     │ ← Bills to: Server operator's account      │
│  │ (server mode)   │                                            │
│  └────────┬────────┘                                            │
└───────────┼─────────────────────────────────────────────────────┘
            │
            ▼
┌─────────────────────────────────────────────────────────────────┐
│  User (Student)                                                 │
│  - Has GitHub OAuth token from app login                        │
│  - Has Copilot access via school's Business subscription        │
│  - ❌ Cannot use THEIR Copilot allowance through the app        │
└─────────────────────────────────────────────────────────────────┘

Proposed Solution

1. User-Delegated Authentication & Billing

Allow passing a user's GitHub OAuth token to bill requests to their Copilot subscription:

# Python SDK example
session = await client.create_session({
    "user_auth_token": user.github_access_token,  # User's OAuth token
    "bill_to_user": True,  # Bill to the token owner's Copilot subscription
})

response = await session.sendAndWait({
    "prompt": "Review this code for best practices..."
})

// TypeScript SDK example
const session = await client.createSession({
    userAuthToken: user.githubAccessToken,
    billToUser: true,
});

This would require:

• A new OAuth scope (e.g., copilot:use or copilot:billing)
• Server-side validation that the token has Copilot access
• Graceful error if user doesn't have a Copilot subscription

2. Simple Prompt-Response API (Non-Agentic Mode)

Many applications need simple prompt → response workflows without the full agentic capabilities (file editing, terminal access, multi-step planning). A lightweight mode would be valuable:

# Simple mode - no tools, no agentic behavior, just LLM completion
session = await client.create_session({
    "mode": "simple",  # or "completion" / "non-agentic"
    "model": "gpt-4.1",
    "user_auth_token": user.github_access_token,
})

# Single-turn completion
result = await session.complete({
    "prompt": "Evaluate this student's code against the rubric...",
    "system": "You are an HSC Software Engineering examiner...",
    "max_tokens": 500,
})

print(result.content)  # Just the response text
print(result.usage)    # Token counts for tracking

Benefits of simple mode:

• Lower latency (no tool orchestration overhead)
• Predictable costs (no unexpected multi-step executions)
• Clearer token/cost reporting
• Easier to reason about for non-agentic use cases

Use Cases Enabled

Application Type	Description
Educational platforms	AI tutoring, code review, assignment feedback billed to student's school Copilot seats
Code review tools	PR feedback tools where developers use their own Copilot subscription
Documentation generators	User-triggered doc generation billed to user
Internal enterprise tools	Company tools where employees use their Business seats
IDE plugins	Third-party IDE extensions that leverage user's existing Copilot subscription

API Design Considerations

Authentication Flow

1. User logs into app via GitHub OAuth
   - App requests scope: "read:user copilot:use" (new scope)
   
2. App receives OAuth access_token
   - Token can be used for Copilot API calls on user's behalf
   
3. App creates SDK session with user's token
   - SDK validates token has Copilot access
   - Requests bill to user's subscription
   
4. If user lacks Copilot subscription:
   - Return clear error: "User does not have an active Copilot subscription"
   - App can fall back to its own billing or show upgrade prompt

Error Handling

try:
    session = await client.create_session({
        "user_auth_token": user_token,
        "bill_to_user": True,
    })
except CopilotSubscriptionError as e:
    # User doesn't have Copilot access
    # Fall back to app-billed mode or show error
    pass
except CopilotQuotaExceededError as e:
    # User has hit their usage limits
    pass

Billing Transparency

result = await session.complete({"prompt": "..."})

print(result.billing)
# {
#     "billed_to": "user",
#     "user_id": 12345,
#     "subscription_type": "business",
#     "tokens_used": {"input": 150, "output": 200},
# }

Alternatives Considered

Alternative	Why It Doesn't Work
BYOK (Bring Your Own Key)	Users don't have API keys; Copilot uses GitHub auth
Create CLI per user	CLI auth is device-based, not per-request
Direct OpenAI/Anthropic API	Loses Copilot's managed billing, compliance, and features
Client-side SDK only	Many apps need server-side processing (validation, logging, persistence)

Security Considerations

• OAuth tokens should be validated server-side before use
• Rate limiting should apply per-user to prevent abuse
• Audit logging for compliance (which user made which request)
• Token refresh handling for long-running sessions

Related

• This aligns with how other platforms handle delegated billing (e.g., Stripe Connect, AWS Marketplace)
• Similar to GitHub Actions' billing model where workflow runs bill to the repo owner, not the action author

---

Summary

Adding user-delegated billing and a simple prompt-response mode would unlock a whole category of applications that can't currently be built with the SDK—especially in education, enterprise tooling, and developer services where users already have Copilot subscriptions through their organisations.

I'd be happy to provide more details on our specific use case or help test an implementation.

[github-actions]

Thank you for this detailed and well-researched feature request, @benpaddlejones!

I've labeled this as an enhancement. This proposal for user-delegated billing and a simple prompt-response API mode addresses a real gap for SaaS applications, educational platforms, and enterprise tools where end users have their own Copilot subscriptions.

Your use case for the HSC programming education platform clearly illustrates the problem, and the proposed API design with OAuth token delegation is well thought out. The comparison to existing patterns like Stripe Connect and GitHub Actions billing is particularly helpful.

This request will be reviewed by the SDK maintainers. Given the architectural implications (OAuth scopes, billing infrastructure, API design across multiple language SDKs), it may take some time to evaluate feasibility and priority.

AI generated by Issue Triage Agent