diff --git a/internal/cmd/checklevelprov.go b/internal/cmd/checklevelprov.go
index 40782235..b2b8cde5 100644
--- a/internal/cmd/checklevelprov.go
+++ b/internal/cmd/checklevelprov.go
@@ -14,6 +14,7 @@ import (
 	"google.golang.org/protobuf/encoding/protojson"
 
 	"github.com/slsa-framework/slsa-source-poc/pkg/attest"
+	"github.com/slsa-framework/slsa-source-poc/pkg/auth"
 	"github.com/slsa-framework/slsa-source-poc/pkg/ghcontrol"
 	"github.com/slsa-framework/slsa-source-poc/pkg/policy"
 )
@@ -78,12 +79,19 @@ func addCheckLevelProv(parentCmd *cobra.Command) {
 }
 
 func doCheckLevelProv(checkLevelProvArgs *checkLevelProvOpts) error {
-	ghconnection := ghcontrol.NewGhConnection(checkLevelProvArgs.owner, checkLevelProvArgs.repository, ghcontrol.BranchToFullRef(checkLevelProvArgs.branch)).WithAuthToken(githubToken)
+	t := githubToken
+	var err error
+	if t == "" {
+		t, err = auth.New().ReadToken()
+		if err != nil {
+			return err
+		}
+	}
+	ghconnection := ghcontrol.NewGhConnection(checkLevelProvArgs.owner, checkLevelProvArgs.repository, ghcontrol.BranchToFullRef(checkLevelProvArgs.branch)).WithAuthToken(t)
 	ghconnection.Options.AllowMergeCommits = checkLevelProvArgs.allowMergeCommits
 	ctx := context.Background()
 
 	prevCommit := checkLevelProvArgs.prevCommit
-	var err error
 	if prevCommit == "" {
 		prevCommit, err = ghconnection.GetPriorCommit(ctx, checkLevelProvArgs.commit)
 		if err != nil {
diff --git a/internal/cmd/options.go b/internal/cmd/options.go
index 27765c0d..4428d4b7 100644
--- a/internal/cmd/options.go
+++ b/internal/cmd/options.go
@@ -12,6 +12,7 @@ import (
 	"github.com/carabiner-dev/vcslocator"
 	"github.com/spf13/cobra"
 
+	"github.com/slsa-framework/slsa-source-poc/pkg/auth"
 	"github.com/slsa-framework/slsa-source-poc/pkg/ghcontrol"
 	"github.com/slsa-framework/slsa-source-poc/pkg/sourcetool/models"
 )
@@ -122,7 +123,16 @@ func (bo *branchOptions) EnsureDefaults() error {
 		return nil
 	}
 
-	gcx := ghcontrol.NewGhConnection(bo.owner, bo.repository, "").WithAuthToken(githubToken)
+	t := githubToken
+	var err error
+	if t == "" {
+		t, err = auth.New().ReadToken()
+		if err != nil {
+			return err
+		}
+	}
+
+	gcx := ghcontrol.NewGhConnection(bo.owner, bo.repository, "").WithAuthToken(t)
 	branch, err := gcx.GetDefaultBranch(context.Background())
 	if err != nil {
 		return fmt.Errorf("reading repository default branch: %w", err)
@@ -181,7 +191,16 @@ func (co *commitOptions) EnsureDefaults() error {
 	}
 
 	if co.commit == "" {
-		gcx := ghcontrol.NewGhConnection(co.owner, co.repository, "").WithAuthToken(githubToken)
+		t := githubToken
+		var err error
+		if t == "" {
+			t, err = auth.New().ReadToken()
+			if err != nil {
+				return err
+			}
+		}
+
+		gcx := ghcontrol.NewGhConnection(co.owner, co.repository, "").WithAuthToken(t)
 		digest, err := gcx.GetLatestCommit(context.Background(), co.branch)
 		if err != nil {
 			return fmt.Errorf("fetching last commit from %q: %w", co.branch, err)