_docs/installation/gitops/hybrid-gitops-helm-installation.md (18 additions & 0 deletions)
@@ -65,6 +65,24 @@ If this is your first time installing a GitOps Runtime in your Codefresh account
65
65
Terminology clarifications:
66
66
In the documentation, Hybrid GitOps Runtimes are also referred to as GitOps Runtimes.
67
67
68
+
##Git token usage
69
+
70
+
As a GitOps platform, Codefresh needs to create and access your Git repositories to both store runtime configuration settings for the account, and allow Argo CD to sync Kubernetes resources and templates from the different repositories to your cluster.
71
+
72
+
We use Git personal access tokens for this: one for Runtimes, and another for each user.
73
+
74
+
>**IMPORTANT**
75
+
At all times,_both tokens are always securely stored on your cluster_ and never stored locally on our platform.
76
+
77
+
***Git Runtime token**
78
+
The Git Runtime token is a Git access token required during the Runtime installation. It is typically associated with a service or robot account and managed by the account administrator.
79
+
It is used to create a Git repository to store configuration settings shared across all Runtimes in the account, such as Helm charts and values files. It also enables Argo CD to clone the Git repos, pull changes, and sync to the K8s cluster.
80
+
81
+
***Git user token**
82
+
The Git user token is also a Git access token, unique to each user in the account. It is created after Runtime installation and managed individually by each user. Enables users to manage Git repositories and authorize Git operations or actions directly from the UI or CLI.
83
+
84
+
Read more on[Git tokens for GitOps]({{site.baseurl}}/docs/security/git-tokens/).
85
+
68
86
69
87
70
88
##Preparing for Hybrid GitOps Runtime installation
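Review bot: The IMPORTANT callout's statement that both tokens are "securely stored on your cluster" gives the reader nothing to verify: it does not say where on the cluster the tokens are kept or how they are protected, and "At all times ... always" says the same thing twice. Suggest naming the storage mechanism or linking to where it is documented, and trimming the sentence to something like "Both tokens are stored securely on your cluster and never on our platform." In the Git user token bullet, the last sentence ("Enables users to manage Git repositories ...") has no subject; start it with "It enables users to ...". The Git Runtime token bullet asks the admin to supply a token at installation without saying what the token must be allowed to do, so a direct link to the required scopes would help more than the general "Read more" link at the end.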
_docs/security/git-tokens.md (6 additions & 4 deletions)
@@ -10,20 +10,22 @@ toc: true
10
10
11
11
12
12
13
-
Codefresh requires two types of Git tokens for authentication in GitOps, a Git Runtime token, and a Git user token. The Runtime and user tokens are both Git access tokens, that Codefresh uses for different purposes. See[Git Runtime tokens versus Git user tokens in Codefresh](#git-runtime-tokens-versus-git-user-tokens-in-codefresh).
14
-
* The[Git Runtime token](#git-runtime-token-scopes) is mandatory for every GitOps Runtime. It must be provided during the Runtime installation, andcan bea service/Robot account token.
13
+
Codefresh requires two types of Git tokens for authentication in GitOps, a Git Runtime token, and a Git user token. The Runtime and user tokens are both Git access tokens which Codefresh uses for different purposes. See[Git Runtime tokens versus Git user tokens in Codefresh](#git-runtime-tokens-versus-git-user-tokens-in-codefresh).
14
+
* The[Git Runtime token](#git-runtime-token-scopes) is mandatory for every GitOps Runtime. It must be provided during the Runtime installation, andis typically associated witha service/robot account.
15
15
* The[Git user token](#git-user-access-token-scopes) is an access token that is unique to every user in the Codefresh platform. It is required after installation for every Runtime which the user has access to.
16
16
17
+
>**IMPORTANT**
18
+
At all times,_both tokens are always securely stored on your cluster_ and never stored locally on our platform.
17
19
18
20
Users can also create and use Git tokens with custom scopes for both GitOps Runtimes and for Git repositories associated with the Runtimes that they need to access. See[Git user tokens with custom scopes](#git-user-tokens-with-custom-scopes).
19
21
20
22
##Git Runtime tokens versus Git user tokens in Codefresh
21
-
The table below summarizes the main differences between the Git Runtime and user tokens in Codefresh.
23
+
The table below summarizes the main differences between the Git Runtimetokenand Git user tokens in Codefresh.
| Usage| {::nomarkdown}<ul><li><i>During installation</i>, to create theGit repositoryand install the GitOps Runtime.</li><li><i>After installation</i>, used by:<ul><li>Argo CD to clone the Git repos, pull changes, and sync to the K8s cluster.</li><li> Argo Events to create web hooks in Git repositories.</li><li><codeclass="highlighter-rouge">cap-app-proxy</code> to clone the Shared Configuration Repository</li></ul> {:/}| Authenticate and authorize user actions in Codefresh UI and CLI to Git repositories for every provisioned GitOps Runtime. <br>Users can view and manage the Git user tokens assigned to the Runtimes in the[Git Personal Access Token](https://g.codefresh.io/2.0/user-settings){:target="\_blank"} page.|
28
+
| Usage| {::nomarkdown}<ul><li><i>During installation</i>, to create theShared Configuration Repository to store shared runtime settingsand install the GitOps Runtime.</li><li><i>After installation</i>, used by:<ul><li>Argo CD to clone the Git repos, pull changes, and sync to the K8s cluster.</li><li>Used during promotion to perform commits, and pull requests for GitHub.<li> Argo Events to create web hooks in Git repositories.</li><li><codeclass="highlighter-rouge">cap-app-proxy</code> to clone the Shared Configuration Repository</li></ul> {:/}| Authenticate and authorize user actions in Codefresh UI and CLI to Git repositories for every provisioned GitOps Runtime. <br>Users can view and manage the Git user tokens assigned to the Runtimes in the[Git Personal Access Token](https://g.codefresh.io/2.0/user-settings){:target="\_blank"} page.|
27
29
| Created | Before Runtime installation; see[required scopes for Git Runtime tokens](#git-runtime-token-scopes). | After Runtime installation; see[required scopes for Git user tokens](#git-user-access-token-scopes).
28
30
| Managed by| Admin at account-level| User|
29
31
| Associated Account Type| (Recommended)[Service account or robot account](#use-a-servicerobot-account-for-gitops-runtimes)| User account|
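Review bot: In the added Usage row, the new item `<li>Used during promotion to perform commits, and pull requests for GitHub.` is never closed with `</li>` before the following `<li> Argo Events`, which leaves the nested list malformed inside the `{::nomarkdown}` block; add the closing tag. The item also breaks the pattern of the "used by:" list, where the other entries name the component that uses the token (Argo CD, Argo Events, `cap-app-proxy`), so name the component that performs the commits and pull requests. Since this row now documents write operations (commits and pull requests) for the Runtime token, check that the section linked as `#git-runtime-token-scopes` lists the scopes those operations need. In the IMPORTANT callout, "At all times ... always" is redundant and the sentence does not say how the tokens are stored on the cluster; the same wording is added to the installation page, so fix both together.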