Skip to main content
The REST API is now versioned. For more information, see "About API versioning."

REST API endpoints for GitHub Actions OIDC

Use the REST API to interact with JWTs for OIDC subject claims in GitHub Actions.

About GitHub Actions OIDC

You can use the REST API to query and manage a customization template for an OpenID Connect (OIDC) subject claim. For more information, see "About security hardening with OpenID Connect."

Set the GitHub Actions OIDC custom issuer policy for an enterprise

Sets the GitHub Actions OpenID Connect (OIDC) custom issuer policy for an enterprise.

OAuth app tokens and personal access tokens (classic) need the admin:enterprise scope to use this endpoint.

Fine-grained access tokens for "Set the GitHub Actions OIDC custom issuer policy for an enterprise"

This endpoint works with the following fine-grained token types:

The fine-grained token must have the following permission set:

  • "Enterprise administration" business permissions (write)

Parameters for "Set the GitHub Actions OIDC custom issuer policy for an enterprise"

Headers
Name, Type, Description
accept string

Setting to application/vnd.github+json is recommended.

Path parameters
Name, Type, Description
enterprise string Required

The slug version of the enterprise name. You can also substitute this value with the enterprise id.

Body parameters
Name, Type, Description
include_enterprise_slug boolean

Whether the enterprise customer requested a custom issuer URL.

HTTP response status codes for "Set the GitHub Actions OIDC custom issuer policy for an enterprise"

Status codeDescription
204

No Content

Code samples for "Set the GitHub Actions OIDC custom issuer policy for an enterprise"

If you access GitHub at GHE.com, replace api.github.com with your enterprise's dedicated subdomain at api.SUBDOMAIN.ghe.com.

Request example

put/enterprises/{enterprise}/actions/oidc/customization/issuer
curl -L \ -X PUT \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer <YOUR-TOKEN>" \ -H "X-GitHub-Api-Version: 2022-11-28" \ https://api.github.com/enterprises/ENTERPRISE/actions/oidc/customization/issuer \ -d '{"include_enterprise_slug":true}'

Response

Status: 204

Get the customization template for an OIDC subject claim for an organization

Gets the customization template for an OpenID Connect (OIDC) subject claim.

OAuth app tokens and personal access tokens (classic) need the read:org scope to use this endpoint.

Fine-grained access tokens for "Get the customization template for an OIDC subject claim for an organization"

This endpoint works with the following fine-grained token types:

The fine-grained token must have the following permission set:

  • "Administration" organization permissions (read)

Parameters for "Get the customization template for an OIDC subject claim for an organization"

Headers
Name, Type, Description
accept string

Setting to application/vnd.github+json is recommended.

Path parameters
Name, Type, Description
org string Required

The organization name. The name is not case sensitive.

HTTP response status codes for "Get the customization template for an OIDC subject claim for an organization"

Status codeDescription
200

A JSON serialized template for OIDC subject claim customization

Code samples for "Get the customization template for an OIDC subject claim for an organization"

If you access GitHub at GHE.com, replace api.github.com with your enterprise's dedicated subdomain at api.SUBDOMAIN.ghe.com.

Request example

get/orgs/{org}/actions/oidc/customization/sub
curl -L \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer <YOUR-TOKEN>" \ -H "X-GitHub-Api-Version: 2022-11-28" \ https://api.github.com/orgs/ORG/actions/oidc/customization/sub

A JSON serialized template for OIDC subject claim customization

Status: 200
{ "include_claim_keys": [ "repo", "context" ] }

Set the customization template for an OIDC subject claim for an organization

Creates or updates the customization template for an OpenID Connect (OIDC) subject claim.

OAuth app tokens and personal access tokens (classic) need the write:org scope to use this endpoint.

Fine-grained access tokens for "Set the customization template for an OIDC subject claim for an organization"

This endpoint works with the following fine-grained token types:

The fine-grained token must have the following permission set:

  • "Administration" organization permissions (write)

Parameters for "Set the customization template for an OIDC subject claim for an organization"

Headers
Name, Type, Description
accept string

Setting to application/vnd.github+json is recommended.

Path parameters
Name, Type, Description
org string Required

The organization name. The name is not case sensitive.

Body parameters
Name, Type, Description
include_claim_keys array of strings Required

Array of unique strings. Each claim key can only contain alphanumeric characters and underscores.

HTTP response status codes for "Set the customization template for an OIDC subject claim for an organization"

Status codeDescription
201

Empty response

403

Forbidden

404

Resource not found

Code samples for "Set the customization template for an OIDC subject claim for an organization"

If you access GitHub at GHE.com, replace api.github.com with your enterprise's dedicated subdomain at api.SUBDOMAIN.ghe.com.

Request example

put/orgs/{org}/actions/oidc/customization/sub
curl -L \ -X PUT \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer <YOUR-TOKEN>" \ -H "X-GitHub-Api-Version: 2022-11-28" \ https://api.github.com/orgs/ORG/actions/oidc/customization/sub \ -d '{"include_claim_keys":["repo","context"]}'

Empty response

Get the customization template for an OIDC subject claim for a repository

Gets the customization template for an OpenID Connect (OIDC) subject claim.

OAuth tokens and personal access tokens (classic) need the repo scope to use this endpoint.

Fine-grained access tokens for "Get the customization template for an OIDC subject claim for a repository"

This endpoint works with the following fine-grained token types:

The fine-grained token must have the following permission set:

  • "Actions" repository permissions (read)

This endpoint can be used without authentication or the aforementioned permissions if only public resources are requested.

Parameters for "Get the customization template for an OIDC subject claim for a repository"

Headers
Name, Type, Description
accept string

Setting to application/vnd.github+json is recommended.

Path parameters
Name, Type, Description
owner string Required

The account owner of the repository. The name is not case sensitive.

repo string Required

The name of the repository without the .git extension. The name is not case sensitive.

HTTP response status codes for "Get the customization template for an OIDC subject claim for a repository"

Status codeDescription
200

Status response

400

Bad Request

404

Resource not found

Code samples for "Get the customization template for an OIDC subject claim for a repository"

If you access GitHub at GHE.com, replace api.github.com with your enterprise's dedicated subdomain at api.SUBDOMAIN.ghe.com.

Request example

get/repos/{owner}/{repo}/actions/oidc/customization/sub
curl -L \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer <YOUR-TOKEN>" \ -H "X-GitHub-Api-Version: 2022-11-28" \ https://api.github.com/repos/OWNER/REPO/actions/oidc/customization/sub

Status response

Status: 200
{ "use_default": false, "include_claim_keys": [ "repo", "context" ] }

Set the customization template for an OIDC subject claim for a repository

Sets the customization template and opt-in or opt-out flag for an OpenID Connect (OIDC) subject claim for a repository.

OAuth app tokens and personal access tokens (classic) need the repo scope to use this endpoint.

Fine-grained access tokens for "Set the customization template for an OIDC subject claim for a repository"

This endpoint works with the following fine-grained token types:

The fine-grained token must have the following permission set:

  • "Actions" repository permissions (write)

Parameters for "Set the customization template for an OIDC subject claim for a repository"

Headers
Name, Type, Description
accept string

Setting to application/vnd.github+json is recommended.

Path parameters
Name, Type, Description
owner string Required

The account owner of the repository. The name is not case sensitive.

repo string Required

The name of the repository without the .git extension. The name is not case sensitive.

Body parameters
Name, Type, Description
use_default boolean Required

Whether to use the default template or not. If true, the include_claim_keys field is ignored.

include_claim_keys array of strings

Array of unique strings. Each claim key can only contain alphanumeric characters and underscores.

HTTP response status codes for "Set the customization template for an OIDC subject claim for a repository"

Status codeDescription
201

Empty response

400

Bad Request

404

Resource not found

422

Validation failed, or the endpoint has been spammed.

Code samples for "Set the customization template for an OIDC subject claim for a repository"

If you access GitHub at GHE.com, replace api.github.com with your enterprise's dedicated subdomain at api.SUBDOMAIN.ghe.com.

Request example

put/repos/{owner}/{repo}/actions/oidc/customization/sub
curl -L \ -X PUT \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer <YOUR-TOKEN>" \ -H "X-GitHub-Api-Version: 2022-11-28" \ https://api.github.com/repos/OWNER/REPO/actions/oidc/customization/sub \ -d '{"use_default":false,"include_claim_keys":["repo","context"]}'

Empty response