diff --git a/descriptions-next/api.github.com/api.github.com.2022-11-28.json b/descriptions-next/api.github.com/api.github.com.2022-11-28.json index f69092c829..ed91977926 100644 --- a/descriptions-next/api.github.com/api.github.com.2022-11-28.json +++ b/descriptions-next/api.github.com/api.github.com.2022-11-28.json @@ -123894,7 +123894,9 @@ "enterprise", "organization", "repository", - "cost_center" + "cost_center", + "multi_user_customer", + "user" ], "examples": [ "enterprise" @@ -123907,6 +123909,20 @@ "example-repository-name" ] }, + "user": { + "type": "string", + "description": "The user login when the budget is scoped to a single user (`user` scope).", + "examples": [ + "octocat" + ] + }, + "consumed_amount": { + "type": "number", + "description": "The consumed amount for the specified user within the budget. Only included for `user`-scoped budgets.", + "examples": [ + 42.5 + ] + }, "budget_amount": { "type": "integer", "description": "The budget amount in whole dollars. For license-based products, this represents the number of licenses.", diff --git a/descriptions-next/api.github.com/api.github.com.2022-11-28.yaml b/descriptions-next/api.github.com/api.github.com.2022-11-28.yaml index 570a8976ee..0eedb550c3 100644 --- a/descriptions-next/api.github.com/api.github.com.2022-11-28.yaml +++ b/descriptions-next/api.github.com/api.github.com.2022-11-28.yaml @@ -90077,6 +90077,8 @@ components: - organization - repository - cost_center + - multi_user_customer + - user examples: - enterprise budget_entity_name: 
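Review bot: The new `consumed_amount` property in the second hunk gives no unit, while the neighbouring `budget_amount` is an integer "in whole dollars" that can also mean a number of licenses, so a client cannot tell whether the example `42.5` is dollars or licenses. I would extend its description with a phrase such as `expressed in the same unit as budget_amount`, if that is the intended unit. The enum in the first hunk also gains `multi_user_customer` with no text anywhere in the hunk explaining what that scope covers. It deserves one sentence, because `user`-scoped budgets now return a login together with that user's consumption. The enclosing schema starts outside both hunks, and the same additions repeat in the other api.github.com and ghec description files in this diff.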
@@ -90084,6 +90086,18 @@ components: description: The name of the entity to apply the budget to examples: - example-repository-name + user: + type: string + description: The user login when the budget is scoped to a single user + (`user` scope). + examples: + - octocat + consumed_amount: + type: number + description: The consumed amount for the specified user within the budget. + Only included for `user`-scoped budgets. + examples: + - 42.5 budget_amount: type: integer description: The budget amount in whole dollars. For license-based products, diff --git a/descriptions-next/api.github.com/api.github.com.2026-03-10.json b/descriptions-next/api.github.com/api.github.com.2026-03-10.json index 4e8209ba42..c36fa4edc8 100644 --- a/descriptions-next/api.github.com/api.github.com.2026-03-10.json +++ b/descriptions-next/api.github.com/api.github.com.2026-03-10.json @@ -123337,7 +123337,9 @@ "enterprise", "organization", "repository", - "cost_center" + "cost_center", + "multi_user_customer", + "user" ], "examples": [ "enterprise" @@ -123350,6 +123352,20 @@ "example-repository-name" ] }, + "user": { + "type": "string", + "description": "The user login when the budget is scoped to a single user (`user` scope).", + "examples": [ + "octocat" + ] + }, + "consumed_amount": { + "type": "number", + "description": "The consumed amount for the specified user within the budget. Only included for `user`-scoped budgets.", + "examples": [ + 42.5 + ] + }, "budget_amount": { "type": "integer", "description": "The budget amount in whole dollars. For license-based products, this represents the number of licenses.", diff --git a/descriptions-next/api.github.com/api.github.com.2026-03-10.yaml b/descriptions-next/api.github.com/api.github.com.2026-03-10.yaml index 020e4ce345..dd63a8b888 100644 --- a/descriptions-next/api.github.com/api.github.com.2026-03-10.yaml +++ b/descriptions-next/api.github.com/api.github.com.2026-03-10.yaml 
@@ -89664,6 +89664,8 @@ components: - organization - repository - cost_center + - multi_user_customer + - user examples: - enterprise budget_entity_name: @@ -89671,6 +89673,18 @@ components: description: The name of the entity to apply the budget to examples: - example-repository-name + user: + type: string + description: The user login when the budget is scoped to a single user + (`user` scope). + examples: + - octocat + consumed_amount: + type: number + description: The consumed amount for the specified user within the budget. + Only included for `user`-scoped budgets. + examples: + - 42.5 budget_amount: type: integer description: The budget amount in whole dollars. For license-based products, diff --git a/descriptions-next/api.github.com/api.github.com.json b/descriptions-next/api.github.com/api.github.com.json index 2693e61d71..d56f7d6583 100644 --- a/descriptions-next/api.github.com/api.github.com.json +++ b/descriptions-next/api.github.com/api.github.com.json @@ -124634,7 +124634,9 @@ "enterprise", "organization", "repository", - "cost_center" + "cost_center", + "multi_user_customer", + "user" ], "examples": [ "enterprise" @@ -124647,6 +124649,20 @@ "example-repository-name" ] }, + "user": { + "type": "string", + "description": "The user login when the budget is scoped to a single user (`user` scope).", + "examples": [ + "octocat" + ] + }, + "consumed_amount": { + "type": "number", + "description": "The consumed amount for the specified user within the budget. Only included for `user`-scoped budgets.", + "examples": [ + 42.5 + ] + }, "budget_amount": { "type": "integer", "description": "The budget amount in whole dollars. For license-based products, this represents the number of licenses.", diff --git a/descriptions-next/api.github.com/api.github.com.yaml b/descriptions-next/api.github.com/api.github.com.yaml index da6f229a52..8cadf6d28c 100644 --- a/descriptions-next/api.github.com/api.github.com.yaml 
+++ b/descriptions-next/api.github.com/api.github.com.yaml @@ -90561,6 +90561,8 @@ components: - organization - repository - cost_center + - multi_user_customer + - user examples: - enterprise budget_entity_name: @@ -90568,6 +90570,18 @@ components: description: The name of the entity to apply the budget to examples: - example-repository-name + user: + type: string + description: The user login when the budget is scoped to a single user + (`user` scope). + examples: + - octocat + consumed_amount: + type: number + description: The consumed amount for the specified user within the budget. + Only included for `user`-scoped budgets. + examples: + - 42.5 budget_amount: type: integer description: The budget amount in whole dollars. For license-based products, diff --git a/descriptions-next/api.github.com/dereferenced/api.github.com.2022-11-28.deref.json b/descriptions-next/api.github.com/dereferenced/api.github.com.2022-11-28.deref.json index d8fb21e3f2..0086a566e6 100644 --- a/descriptions-next/api.github.com/dereferenced/api.github.com.2022-11-28.deref.json +++ b/descriptions-next/api.github.com/dereferenced/api.github.com.2022-11-28.deref.json @@ -89765,7 +89765,9 @@ "enterprise", "organization", "repository", - "cost_center" + "cost_center", + "multi_user_customer", + "user" ], "examples": [ "enterprise" @@ -89778,6 +89780,20 @@ "example-repository-name" ] }, + "user": { + "type": "string", + "description": "The user login when the budget is scoped to a single user (`user` scope).", + "examples": [ + "octocat" + ] + }, + "consumed_amount": { + "type": "number", + "description": "The consumed amount for the specified user within the budget. Only included for `user`-scoped budgets.", + "examples": [ + 42.5 + ] + }, "budget_amount": { "type": "integer", "description": "The budget amount in whole dollars. For license-based products, this represents the number of licenses.", 
diff --git a/descriptions-next/api.github.com/dereferenced/api.github.com.2022-11-28.deref.yaml b/descriptions-next/api.github.com/dereferenced/api.github.com.2022-11-28.deref.yaml index 4ed66d8678..24315aaf55 100644 --- a/descriptions-next/api.github.com/dereferenced/api.github.com.2022-11-28.deref.yaml +++ b/descriptions-next/api.github.com/dereferenced/api.github.com.2022-11-28.deref.yaml @@ -22641,6 +22641,8 @@ paths: - organization - repository - cost_center + - multi_user_customer + - user examples: - enterprise budget_entity_name: @@ -22648,6 +22650,18 @@ paths: description: The name of the entity to apply the budget to examples: - example-repository-name + user: + type: string + description: The user login when the budget is scoped to a + single user (`user` scope). + examples: + - octocat + consumed_amount: + type: number + description: The consumed amount for the specified user within + the budget. Only included for `user`-scoped budgets. + examples: + - 42.5 budget_amount: type: integer description: The budget amount in whole dollars. For license-based diff --git a/descriptions-next/api.github.com/dereferenced/api.github.com.2026-03-10.deref.json b/descriptions-next/api.github.com/dereferenced/api.github.com.2026-03-10.deref.json index b783f50105..6e51748321 100644 --- a/descriptions-next/api.github.com/dereferenced/api.github.com.2026-03-10.deref.json +++ b/descriptions-next/api.github.com/dereferenced/api.github.com.2026-03-10.deref.json @@ -85530,7 +85530,9 @@ "enterprise", "organization", "repository", - "cost_center" + "cost_center", + "multi_user_customer", + "user" ], "examples": [ "enterprise" 
@@ -85543,6 +85545,20 @@ "example-repository-name" ] }, + "user": { + "type": "string", + "description": "The user login when the budget is scoped to a single user (`user` scope).", + "examples": [ + "octocat" + ] + }, + "consumed_amount": { + "type": "number", + "description": "The consumed amount for the specified user within the budget. Only included for `user`-scoped budgets.", + "examples": [ + 42.5 + ] + }, "budget_amount": { "type": "integer", "description": "The budget amount in whole dollars. For license-based products, this represents the number of licenses.", diff --git a/descriptions-next/api.github.com/dereferenced/api.github.com.2026-03-10.deref.yaml b/descriptions-next/api.github.com/dereferenced/api.github.com.2026-03-10.deref.yaml index 62577c5082..016db80aff 100644 --- a/descriptions-next/api.github.com/dereferenced/api.github.com.2026-03-10.deref.yaml +++ b/descriptions-next/api.github.com/dereferenced/api.github.com.2026-03-10.deref.yaml @@ -22327,6 +22327,8 @@ paths: - organization - repository - cost_center + - multi_user_customer + - user examples: - enterprise budget_entity_name: @@ -22334,6 +22336,18 @@ paths: description: The name of the entity to apply the budget to examples: - example-repository-name + user: + type: string + description: The user login when the budget is scoped to a + single user (`user` scope). + examples: + - octocat + consumed_amount: + type: number + description: The consumed amount for the specified user within + the budget. Only included for `user`-scoped budgets. + examples: + - 42.5 budget_amount: type: integer description: The budget amount in whole dollars. For license-based diff --git a/descriptions-next/api.github.com/dereferenced/api.github.com.deref.json b/descriptions-next/api.github.com/dereferenced/api.github.com.deref.json index c70c81d104..824d60bcd5 100644 --- a/descriptions-next/api.github.com/dereferenced/api.github.com.deref.json 
+++ b/descriptions-next/api.github.com/dereferenced/api.github.com.deref.json @@ -91230,7 +91230,9 @@ "enterprise", "organization", "repository", - "cost_center" + "cost_center", + "multi_user_customer", + "user" ], "examples": [ "enterprise" @@ -91243,6 +91245,20 @@ "example-repository-name" ] }, + "user": { + "type": "string", + "description": "The user login when the budget is scoped to a single user (`user` scope).", + "examples": [ + "octocat" + ] + }, + "consumed_amount": { + "type": "number", + "description": "The consumed amount for the specified user within the budget. Only included for `user`-scoped budgets.", + "examples": [ + 42.5 + ] + }, "budget_amount": { "type": "integer", "description": "The budget amount in whole dollars. For license-based products, this represents the number of licenses.", diff --git a/descriptions-next/api.github.com/dereferenced/api.github.com.deref.yaml b/descriptions-next/api.github.com/dereferenced/api.github.com.deref.yaml index 99a900eced..67a758afdb 100644 --- a/descriptions-next/api.github.com/dereferenced/api.github.com.deref.yaml +++ b/descriptions-next/api.github.com/dereferenced/api.github.com.deref.yaml @@ -22906,6 +22906,8 @@ paths: - organization - repository - cost_center + - multi_user_customer + - user examples: - enterprise budget_entity_name: @@ -22913,6 +22915,18 @@ paths: description: The name of the entity to apply the budget to examples: - example-repository-name + user: + type: string + description: The user login when the budget is scoped to a + single user (`user` scope). + examples: + - octocat + consumed_amount: + type: number + description: The consumed amount for the specified user within + the budget. Only included for `user`-scoped budgets. + examples: + - 42.5 budget_amount: type: integer description: The budget amount in whole dollars. For license-based 
diff --git a/descriptions-next/ghec/dereferenced/ghec.2022-11-28.deref.json b/descriptions-next/ghec/dereferenced/ghec.2022-11-28.deref.json index c3d3298404..17e8721179 100644 --- a/descriptions-next/ghec/dereferenced/ghec.2022-11-28.deref.json +++ b/descriptions-next/ghec/dereferenced/ghec.2022-11-28.deref.json 
@@ -53201,6 +53201,213 @@ } } }, + "/enterprises/{enterprise}/credential-authorizations/{username}/revoke": { + "post": { + "summary": "Revoke credential authorizations for a user in an enterprise", + "description": "Revokes all credential authorizations for a single user within the enterprise.\nThis includes any credential authorizations the user has across all organizations\nin the enterprise.\n\nFor Enterprise Managed User (EMU) enterprises, you can optionally also destroy all\ncredentials (PATs v1, PATs v2, and SSH keys) owned by the user by setting\nthe `revoke_credentials` parameter to `true`.\n\nThis operation is performed asynchronously. A background job will be queued to process\nthe revocations.\n\n> [!WARNING]\n> If you use a personal access token to call this endpoint and target yourself, that\n> token may also be revoked or destroyed as part of this operation.\n\nThe authenticated user must be an enterprise owner or have the `write_enterprise_credentials` permission to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `admin:enterprise` scope to use this endpoint.", + "tags": [ + "enterprise-admin" + ], + "operationId": "enterprise-admin/revoke-credential-authorizations-for-user", + "externalDocs": { + "description": "API method documentation", + "url": "https://docs.github.com/enterprise-cloud@latest/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise" + }, + "parameters": [ + { + "name": "enterprise", + "description": "The slug version of the enterprise name.", + "in": "path", + "required": true, + "schema": { + "type": "string" + } + }, + { + "name": "username", + "description": "The handle for the GitHub user account.", + "in": "path", + "required": true, + "schema": { + "type": "string" + } + } + ], + "requestBody": { + "required": false, + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "revoke_credentials": { + 
"type": "boolean", + "description": "Whether to also destroy the actual credentials (PATs and SSH keys) owned by\nthe user. This option is only available for Enterprise Managed User (EMU)\nenterprises. When set to `true`, all PATs (v1 and v2) and SSH keys owned\nby the user will be destroyed in addition to the credential authorizations.", + "default": false + } + } + }, + "examples": { + "default": { + "value": { + "revoke_credentials": false + } + }, + "emu_with_credential_revocation": { + "summary": "EMU enterprise with credential revocation", + "value": { + "revoke_credentials": true + } + } + } + } + } + }, + "responses": { + "202": { + "description": "Accepted - The revocation request has been queued", + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "message": { + "type": "string", + "description": "A message indicating the revocation has been queued" + }, + "warning": { + "type": "string", + "description": "A warning message if the token used for this request may be revoked" + } + } + }, + "examples": { + "default": { + "value": { + "message": "Credential authorization revocation for user 'octocat' has been queued" + } + }, + "with_authorization_revoked_warning": { + "summary": "Warning when the calling token may have its authorization revoked", + "value": { + "message": "Credential authorization revocation for user 'octocat' has been queued", + "warning": "The token used for this request may also have its authorization revoked as part of this operation" + } + }, + "with_credential_destroyed_warning": { + "summary": "Warning when the calling token may be destroyed (EMU with `revoke_credentials`)", + "value": { + "message": "Credential authorization revocation for user 'octocat' has been queued", + "warning": "The token used for this request may also be destroyed as part of this operation" + } + } + } + } + } + }, + "403": { + "description": "Forbidden", + "content": { + "application/json": { + "schema": { + 
"title": "Basic Error", + "description": "Basic Error", + "type": "object", + "properties": { + "message": { + "type": "string" + }, + "documentation_url": { + "type": "string" + }, + "url": { + "type": "string" + }, + "status": { + "type": "string" + } + } + } + } + } + }, + "404": { + "description": "Resource not found", + "content": { + "application/json": { + "schema": { + "title": "Basic Error", + "description": "Basic Error", + "type": "object", + "properties": { + "message": { + "type": "string" + }, + "documentation_url": { + "type": "string" + }, + "url": { + "type": "string" + }, + "status": { + "type": "string" + } + } + } + } + } + }, + "422": { + "description": "Validation error - The target user cannot be revoked, or `revoke_credentials` is not available for this enterprise", + "content": { + "application/json": { + "schema": { + "title": "Basic Error", + "description": "Basic Error", + "type": "object", + "properties": { + "message": { + "type": "string" + }, + "documentation_url": { + "type": "string" + }, + "url": { + "type": "string" + }, + "status": { + "type": "string" + } + } + }, + "examples": { + "non_emu_enterprise": { + "summary": "`revoke_credentials` requested on a non-EMU enterprise", + "value": { + "message": "The `revoke_credentials` option is only available for Enterprise Managed User (EMU) enterprises", + "documentation_url": "https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise" + } + }, + "first_emu_owner": { + "summary": "Target user is the first EMU owner", + "value": { + "message": "The first EMU owner cannot be targeted for credential revocation.", + "documentation_url": "https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise" + } + } + } + } + } + } + }, + "x-github": { + "githubCloudOnly": true, + "enabledForGitHubApps": true, + "category": "enterprise-admin", + 
"subcategory": "credential-authorizations" + } + } + }, "/enterprises/{enterprise}/dependabot/alerts": { "get": { "summary": "List Dependabot alerts for an enterprise", @@ -78887,7 +79094,9 @@ "enterprise", "organization", "repository", - "cost_center" + "cost_center", + "multi_user_customer", + "user" ], "examples": [ "enterprise" @@ -78900,6 +79109,20 @@ "example-repository-name" ] }, + "user": { + "type": "string", + "description": "The user login when the budget is scoped to a single user (`user` scope).", + "examples": [ + "octocat" + ] + }, + "consumed_amount": { + "type": "number", + "description": "The consumed amount for the specified user within the budget. Only included for `user`-scoped budgets.", + "examples": [ + 42.5 + ] + }, "budget_amount": { "type": "integer", "description": "The budget amount in whole dollars. For license-based products, this represents the number of licenses.", 
@@ -196711,7 +196934,7 @@ "/orgs/{org}/credential-authorizations": { "get": { "summary": "List SAML SSO authorizations for an organization", - "description": "Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials are either personal access tokens or SSH keys that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on).\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `read:org` scope to use this endpoint.", + "description": "Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials can be personal access tokens, SSH keys, OAuth app access tokens, or user-to-server tokens from GitHub Apps that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on).\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `read:org` scope to use this endpoint.", "tags": [ "orgs" ], 
@@ -196785,13 +197008,19 @@ "credential_type": { "type": "string", "description": "Human-readable description of the credential type.", + "enum": [ + "personal access token", + "SSH key", + "OAuth app token", + "GitHub app token" + ], "examples": [ - "SSH Key" + "SSH key" ] }, "token_last_eight": { "type": "string", - "description": "Last eight characters of the credential. Only included in responses with credential_type of personal access token.", + "description": "Last eight characters of the credential. Only included in responses with a credential_type of personal access token, OAuth app token, or GitHub app token.", "examples": [ "12345678" ] @@ -196806,7 +197035,7 @@ }, "scopes": { "type": "array", - "description": "List of oauth scopes the token has been granted.", + "description": "List of OAuth scopes the token has been granted.", "items": { "type": "string" }, @@ -196817,7 +197046,7 @@ }, "fingerprint": { "type": "string", - "description": "Unique string to distinguish the credential. Only included in responses with credential_type of SSH Key.", + "description": "Unique string to distinguish the credential. Only included in responses with a credential_type of SSH key.", "examples": [ "jklmnop12345678" ] @@ -196838,7 +197067,7 @@ "integer", "null" ], - "description": "The ID of the underlying token that was authorized by the user. This will remain unchanged across authorizations of the token.", + "description": "The ID of the underlying token or key that was authorized by the user. This will remain unchanged across authorizations of the token or key.", "examples": [ 12345678 ] @@ -196892,6 +197121,7 @@ "token_last_eight": "71c3fc11", "credential_authorized_at": "2011-01-26T19:06:43Z", "credential_accessed_at": "2011-01-26T19:06:43Z", + "authorized_credential_id": 12345678, "authorized_credential_expires_at": "2011-02-25T19:06:43Z", "scopes": [ "user", 
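Review bot: The `enum` added to `credential_type` in the first hunk on this line fixes exact-case values while the example changes from `SSH Key` to `SSH key`, and nothing in the hunk says whether the string the API returns changed or only the documentation. If the returned value did change, audit or detection scripts that compare against `SSH Key` exactly would silently stop matching SSH keys, so the description should state the exact values and that they are case-sensitive. The unchanged description "Human-readable description of the credential type." no longer fits a closed enum; `"description": "The type of credential that was authorized."` reads better. A closed enum on a response field also means strictly validating clients will reject any credential type added later. The YAML copy in ghec.2022-11-28.deref.yaml carries the same change.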
@@ -196904,11 +197134,47 @@ "credential_type": "personal access token", "token_last_eight": "Ae178B4a", "credential_authorized_at": "2019-03-29T19:06:43Z", - "credential_accessed_at": "2011-01-26T19:06:43Z", + "credential_accessed_at": "2019-04-15T19:06:43Z", + "authorized_credential_id": 12345679, "authorized_credential_expires_at": "2019-04-28T19:06:43Z", "scopes": [ "repo" ] + }, + { + "login": "octocat", + "credential_id": 161197, + "credential_type": "OAuth app token", + "token_last_eight": "9f2c4d1e", + "credential_authorized_at": "2023-05-15T19:06:43Z", + "credential_accessed_at": "2023-05-16T19:06:43Z", + "authorized_credential_id": 12345680, + "authorized_credential_expires_at": "2023-06-14T19:06:43Z", + "scopes": [ + "repo", + "read:org" + ] + }, + { + "login": "hubot", + "credential_id": 161198, + "credential_type": "GitHub app token", + "token_last_eight": "3b7a0c52", + "credential_authorized_at": "2023-05-15T19:06:43Z", + "credential_accessed_at": "2023-05-16T19:06:43Z", + "authorized_credential_id": 12345681, + "authorized_credential_expires_at": "2023-06-14T19:06:43Z", + "scopes": [] + }, + { + "login": "octocat", + "credential_id": 161199, + "credential_type": "SSH key", + "credential_authorized_at": "2023-05-15T19:06:43Z", + "credential_accessed_at": "2023-05-16T19:06:43Z", + "authorized_credential_id": 12345682, + "fingerprint": "jklmnop12345678", + "authorized_credential_title": "my ssh key" } ] } 
@@ -196928,7 +197194,7 @@ "/orgs/{org}/credential-authorizations/{credential_id}": { "delete": { "summary": "Remove a SAML SSO authorization for an organization", - "description": "Removes a credential authorization for an organization that uses SAML SSO. Once you remove someone's credential authorization, they will need to create a new personal access token or SSH key and authorize it for the organization they want to access.\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `admin:org` scope to use this endpoint.", + "description": "Removes a credential authorization for an organization that uses SAML SSO. The credential can be a personal access token, an SSH key, an OAuth app access token, or a user-to-server token from a GitHub App. Once you remove someone's credential authorization, they will need to authorize the credential again for the organization they want to access.\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `admin:org` scope to use this endpoint.", "tags": [ "orgs" ], diff --git a/descriptions-next/ghec/dereferenced/ghec.2022-11-28.deref.yaml b/descriptions-next/ghec/dereferenced/ghec.2022-11-28.deref.yaml index 0efb655207..c725923ea0 100644 --- a/descriptions-next/ghec/dereferenced/ghec.2022-11-28.deref.yaml +++ b/descriptions-next/ghec/dereferenced/ghec.2022-11-28.deref.yaml 
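Review bot: The rewritten description says the member "will need to authorize the credential again", which implies the credential itself survives the removal, but the text never states that outright. The distinction matters to someone calling this endpoint because a token or key has leaked: as worded, removal appears to end access to this organization only, and the credential stays usable elsewhere until it is deleted or expires. I would add a sentence to the description such as `Removing the authorization does not delete or revoke the credential itself.`, once that is confirmed against the implementation.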
@@ -20620,6 +20620,128 @@ paths: enabledForGitHubApps: true category: enterprise-admin subcategory: credential-authorizations + "/enterprises/{enterprise}/credential-authorizations/{username}/revoke": + post: + summary: Revoke credential authorizations for a user in an enterprise + description: |- + Revokes all credential authorizations for a single user within the enterprise. + This includes any credential authorizations the user has across all organizations + in the enterprise. + + For Enterprise Managed User (EMU) enterprises, you can optionally also destroy all + credentials (PATs v1, PATs v2, and SSH keys) owned by the user by setting + the `revoke_credentials` parameter to `true`. + + This operation is performed asynchronously. A background job will be queued to process + the revocations. + + > [!WARNING] + > If you use a personal access token to call this endpoint and target yourself, that + > token may also be revoked or destroyed as part of this operation. + + The authenticated user must be an enterprise owner or have the `write_enterprise_credentials` permission to use this endpoint. + + OAuth app tokens and personal access tokens (classic) need the `admin:enterprise` scope to use this endpoint. + tags: + - enterprise-admin + operationId: enterprise-admin/revoke-credential-authorizations-for-user + externalDocs: + description: API method documentation + url: https://docs.github.com/enterprise-cloud@latest/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise + parameters: + - *39 + - &140 + name: username + description: The handle for the GitHub user account. + in: path + required: true + schema: + type: string + requestBody: + required: false + content: + application/json: + schema: + type: object + properties: + revoke_credentials: + type: boolean + description: |- + Whether to also destroy the actual credentials (PATs and SSH keys) owned by + the user. 
This option is only available for Enterprise Managed User (EMU) + enterprises. When set to `true`, all PATs (v1 and v2) and SSH keys owned + by the user will be destroyed in addition to the credential authorizations. + default: false + examples: + default: + value: + revoke_credentials: false + emu_with_credential_revocation: + summary: EMU enterprise with credential revocation + value: + revoke_credentials: true + responses: + '202': + description: Accepted - The revocation request has been queued + content: + application/json: + schema: + type: object + properties: + message: + type: string + description: A message indicating the revocation has been queued + warning: + type: string + description: A warning message if the token used for this request + may be revoked + examples: + default: + value: + message: Credential authorization revocation for user 'octocat' + has been queued + with_authorization_revoked_warning: + summary: Warning when the calling token may have its authorization + revoked + value: + message: Credential authorization revocation for user 'octocat' + has been queued + warning: The token used for this request may also have its authorization + revoked as part of this operation + with_credential_destroyed_warning: + summary: Warning when the calling token may be destroyed (EMU with + `revoke_credentials`) + value: + message: Credential authorization revocation for user 'octocat' + has been queued + warning: The token used for this request may also be destroyed + as part of this operation + '403': *27 + '404': *6 + '422': + description: Validation error - The target user cannot be revoked, or `revoke_credentials` + is not available for this enterprise + content: + application/json: + schema: *3 + examples: + non_emu_enterprise: + summary: "`revoke_credentials` requested on a non-EMU enterprise" + value: + message: The `revoke_credentials` option is only available for + Enterprise Managed User (EMU) enterprises + documentation_url: 
https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise + first_emu_owner: + summary: Target user is the first EMU owner + value: + message: The first EMU owner cannot be targeted for credential + revocation. + documentation_url: https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise + x-github: + githubCloudOnly: true + enabledForGitHubApps: true + category: enterprise-admin + subcategory: credential-authorizations "/enterprises/{enterprise}/dependabot/alerts": get: summary: List Dependabot alerts for an enterprise @@ -22272,13 +22394,7 @@ paths: url: https://docs.github.com/enterprise-cloud@latest/rest/enterprise-admin/enterprise-roles#remove-all-enterprise-roles-from-a-user parameters: - *39 - - &140 - name: username - description: The handle for the GitHub user account. - in: path - required: true - schema: - type: string + - *140 responses: '204': description: Response @@ -27887,6 +28003,8 @@ paths: - organization - repository - cost_center + - multi_user_customer + - user examples: - enterprise budget_entity_name: @@ -27894,6 +28012,18 @@ paths: description: The name of the entity to apply the budget to examples: - example-repository-name + user: + type: string + description: The user login when the budget is scoped to a + single user (`user` scope). + examples: + - octocat + consumed_amount: + type: number + description: The consumed amount for the specified user within + the budget. Only included for `user`-scoped budgets. + examples: + - 42.5 budget_amount: type: integer description: The budget amount in whole dollars. For license-based 
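Review bot: The `202` response of the new revoke operation returns only `message` and `warning`, so a caller gets no job identifier or status link and cannot tell when the queued revocation has actually taken effect. For an operation that will be used during incident response, the description should at least say so, for example `Revocation is not immediate; credentials may continue to be accepted until the queued job completes.`, and name a way to confirm completion if one exists. The `[!WARNING]` text mentions only personal access tokens, although the operation also accepts OAuth app tokens and sets `enabledForGitHubApps: true`, and the `warning` property description says "may be revoked" while one example says "destroyed". The `documentation_url` values in the `422` examples use `https://docs.github.com/rest/...`, while `externalDocs` uses the `enterprise-cloud@latest` path for the same anchor. The same points apply to the JSON copy of this operation in ghec.2022-11-28.deref.json.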
@@ -51120,7 +51250,7 @@ paths: get: summary: List SAML SSO authorizations for an organization description: |- - Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials are either personal access tokens or SSH keys that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on). + Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials can be personal access tokens, SSH keys, OAuth app access tokens, or user-to-server tokens from GitHub Apps that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on). The authenticated user must be an organization owner to use this endpoint. @@ -51172,12 +51302,18 @@ paths: credential_type: type: string description: Human-readable description of the credential type. + enum: + - personal access token + - SSH key + - OAuth app token + - GitHub app token examples: - - SSH Key + - SSH key token_last_eight: type: string description: Last eight characters of the credential. Only included - in responses with credential_type of personal access token. + in responses with a credential_type of personal access token, + OAuth app token, or GitHub app token. examples: - '12345678' credential_authorized_at: @@ -51188,7 +51324,7 @@ paths: - '2011-01-26T19:06:43Z' scopes: type: array - description: List of oauth scopes the token has been granted. + description: List of OAuth scopes the token has been granted. items: type: string examples: 
@@ -51197,7 +51333,7 @@ paths: fingerprint: type: string description: Unique string to distinguish the credential. Only - included in responses with credential_type of SSH Key. + included in responses with a credential_type of SSH key. examples: - jklmnop12345678 credential_accessed_at: @@ -51213,9 +51349,9 @@ paths: type: - integer - 'null' - description: The ID of the underlying token that was authorized - by the user. This will remain unchanged across authorizations - of the token. + description: The ID of the underlying token or key that was + authorized by the user. This will remain unchanged across + authorizations of the token or key. examples: - 12345678 authorized_credential_title: @@ -51257,6 +51393,7 @@ paths: token_last_eight: 71c3fc11 credential_authorized_at: '2011-01-26T19:06:43Z' credential_accessed_at: '2011-01-26T19:06:43Z' + authorized_credential_id: 12345678 authorized_credential_expires_at: '2011-02-25T19:06:43Z' scopes: - user 
@@ -51266,10 +51403,39 @@ paths: credential_type: personal access token token_last_eight: Ae178B4a credential_authorized_at: '2019-03-29T19:06:43Z' - credential_accessed_at: '2011-01-26T19:06:43Z' + credential_accessed_at: '2019-04-15T19:06:43Z' + authorized_credential_id: 12345679 authorized_credential_expires_at: '2019-04-28T19:06:43Z' scopes: - repo + - login: octocat + credential_id: 161197 + credential_type: OAuth app token + token_last_eight: 9f2c4d1e + credential_authorized_at: '2023-05-15T19:06:43Z' + credential_accessed_at: '2023-05-16T19:06:43Z' + authorized_credential_id: 12345680 + authorized_credential_expires_at: '2023-06-14T19:06:43Z' + scopes: + - repo + - read:org + - login: hubot + credential_id: 161198 + credential_type: GitHub app token + token_last_eight: 3b7a0c52 + credential_authorized_at: '2023-05-15T19:06:43Z' + credential_accessed_at: '2023-05-16T19:06:43Z' + authorized_credential_id: 12345681 + authorized_credential_expires_at: '2023-06-14T19:06:43Z' + scopes: [] + - login: octocat + credential_id: 161199 + credential_type: SSH key + credential_authorized_at: '2023-05-15T19:06:43Z' + credential_accessed_at: '2023-05-16T19:06:43Z' + authorized_credential_id: 12345682 + fingerprint: jklmnop12345678 + authorized_credential_title: my ssh key x-github: githubCloudOnly: true enabledForGitHubApps: true 
@@ -51279,7 +51445,7 @@ paths: delete: summary: Remove a SAML SSO authorization for an organization description: |- - Removes a credential authorization for an organization that uses SAML SSO. Once you remove someone's credential authorization, they will need to create a new personal access token or SSH key and authorize it for the organization they want to access. + Removes a credential authorization for an organization that uses SAML SSO. The credential can be a personal access token, an SSH key, an OAuth app access token, or a user-to-server token from a GitHub App. Once you remove someone's credential authorization, they will need to authorize the credential again for the organization they want to access. The authenticated user must be an organization owner to use this endpoint. diff --git a/descriptions-next/ghec/dereferenced/ghec.2026-03-10.deref.json b/descriptions-next/ghec/dereferenced/ghec.2026-03-10.deref.json index 72d8ba3dee..586ced0f21 100644 --- a/descriptions-next/ghec/dereferenced/ghec.2026-03-10.deref.json +++ b/descriptions-next/ghec/dereferenced/ghec.2026-03-10.deref.json 
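Review bot: The reworded DELETE description says the user "will need to authorize the credential again", which implies the credential itself stays valid after this call, but the text never states that outright. Someone using this endpoint to respond to a leaked token could read "Removes a credential authorization" as revocation of the token or key. If the behaviour is what the new wording suggests, add a sentence such as `This removes only the organization's SSO authorization; it does not revoke or delete the credential itself.` The same description change appears in the `@@ -192320,7` and `@@ -50841,7` hunks.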
@@ -53068,6 +53068,213 @@ } } }, + "/enterprises/{enterprise}/credential-authorizations/{username}/revoke": { + "post": { + "summary": "Revoke credential authorizations for a user in an enterprise", + "description": "Revokes all credential authorizations for a single user within the enterprise.\nThis includes any credential authorizations the user has across all organizations\nin the enterprise.\n\nFor Enterprise Managed User (EMU) enterprises, you can optionally also destroy all\ncredentials (PATs v1, PATs v2, and SSH keys) owned by the user by setting\nthe `revoke_credentials` parameter to `true`.\n\nThis operation is performed asynchronously. A background job will be queued to process\nthe revocations.\n\n> [!WARNING]\n> If you use a personal access token to call this endpoint and target yourself, that\n> token may also be revoked or destroyed as part of this operation.\n\nThe authenticated user must be an enterprise owner or have the `write_enterprise_credentials` permission to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `admin:enterprise` scope to use this endpoint.", + "tags": [ + "enterprise-admin" + ], + "operationId": "enterprise-admin/revoke-credential-authorizations-for-user", + "externalDocs": { + "description": "API method documentation", + "url": "https://docs.github.com/enterprise-cloud@latest/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise" + }, + "parameters": [ + { + "name": "enterprise", + "description": "The slug version of the enterprise name.", + "in": "path", + "required": true, + "schema": { + "type": "string" + } + }, + { + "name": "username", + "description": "The handle for the GitHub user account.", + "in": "path", + "required": true, + "schema": { + "type": "string" + } + } + ], + "requestBody": { + "required": false, + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "revoke_credentials": { + 
"type": "boolean", + "description": "Whether to also destroy the actual credentials (PATs and SSH keys) owned by\nthe user. This option is only available for Enterprise Managed User (EMU)\nenterprises. When set to `true`, all PATs (v1 and v2) and SSH keys owned\nby the user will be destroyed in addition to the credential authorizations.", + "default": false + } + } + }, + "examples": { + "default": { + "value": { + "revoke_credentials": false + } + }, + "emu_with_credential_revocation": { + "summary": "EMU enterprise with credential revocation", + "value": { + "revoke_credentials": true + } + } + } + } + } + }, + "responses": { + "202": { + "description": "Accepted - The revocation request has been queued", + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "message": { + "type": "string", + "description": "A message indicating the revocation has been queued" + }, + "warning": { + "type": "string", + "description": "A warning message if the token used for this request may be revoked" + } + } + }, + "examples": { + "default": { + "value": { + "message": "Credential authorization revocation for user 'octocat' has been queued" + } + }, + "with_authorization_revoked_warning": { + "summary": "Warning when the calling token may have its authorization revoked", + "value": { + "message": "Credential authorization revocation for user 'octocat' has been queued", + "warning": "The token used for this request may also have its authorization revoked as part of this operation" + } + }, + "with_credential_destroyed_warning": { + "summary": "Warning when the calling token may be destroyed (EMU with `revoke_credentials`)", + "value": { + "message": "Credential authorization revocation for user 'octocat' has been queued", + "warning": "The token used for this request may also be destroyed as part of this operation" + } + } + } + } + } + }, + "403": { + "description": "Forbidden", + "content": { + "application/json": { + "schema": { + 
"title": "Basic Error", + "description": "Basic Error", + "type": "object", + "properties": { + "message": { + "type": "string" + }, + "documentation_url": { + "type": "string" + }, + "url": { + "type": "string" + }, + "status": { + "type": "string" + } + } + } + } + } + }, + "404": { + "description": "Resource not found", + "content": { + "application/json": { + "schema": { + "title": "Basic Error", + "description": "Basic Error", + "type": "object", + "properties": { + "message": { + "type": "string" + }, + "documentation_url": { + "type": "string" + }, + "url": { + "type": "string" + }, + "status": { + "type": "string" + } + } + } + } + } + }, + "422": { + "description": "Validation error - The target user cannot be revoked, or `revoke_credentials` is not available for this enterprise", + "content": { + "application/json": { + "schema": { + "title": "Basic Error", + "description": "Basic Error", + "type": "object", + "properties": { + "message": { + "type": "string" + }, + "documentation_url": { + "type": "string" + }, + "url": { + "type": "string" + }, + "status": { + "type": "string" + } + } + }, + "examples": { + "non_emu_enterprise": { + "summary": "`revoke_credentials` requested on a non-EMU enterprise", + "value": { + "message": "The `revoke_credentials` option is only available for Enterprise Managed User (EMU) enterprises", + "documentation_url": "https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise" + } + }, + "first_emu_owner": { + "summary": "Target user is the first EMU owner", + "value": { + "message": "The first EMU owner cannot be targeted for credential revocation.", + "documentation_url": "https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise" + } + } + } + } + } + } + }, + "x-github": { + "githubCloudOnly": true, + "enabledForGitHubApps": true, + "category": "enterprise-admin", + 
"subcategory": "credential-authorizations" + } + } + }, "/enterprises/{enterprise}/dependabot/alerts": { "get": { "summary": "List Dependabot alerts for an enterprise", @@ -78726,7 +78933,9 @@ "enterprise", "organization", "repository", - "cost_center" + "cost_center", + "multi_user_customer", + "user" ], "examples": [ "enterprise" @@ -78739,6 +78948,20 @@ "example-repository-name" ] }, + "user": { + "type": "string", + "description": "The user login when the budget is scoped to a single user (`user` scope).", + "examples": [ + "octocat" + ] + }, + "consumed_amount": { + "type": "number", + "description": "The consumed amount for the specified user within the budget. Only included for `user`-scoped budgets.", + "examples": [ + 42.5 + ] + }, "budget_amount": { "type": "integer", "description": "The budget amount in whole dollars. For license-based products, this represents the number of licenses.", 
@@ -192103,7 +192326,7 @@ "/orgs/{org}/credential-authorizations": { "get": { "summary": "List SAML SSO authorizations for an organization", - "description": "Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials are either personal access tokens or SSH keys that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on).\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `read:org` scope to use this endpoint.", + "description": "Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials can be personal access tokens, SSH keys, OAuth app access tokens, or user-to-server tokens from GitHub Apps that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on).\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `read:org` scope to use this endpoint.", "tags": [ "orgs" ], 
@@ -192177,13 +192400,19 @@ "credential_type": { "type": "string", "description": "Human-readable description of the credential type.", + "enum": [ + "personal access token", + "SSH key", + "OAuth app token", + "GitHub app token" + ], "examples": [ - "SSH Key" + "SSH key" ] }, "token_last_eight": { "type": "string", - "description": "Last eight characters of the credential. Only included in responses with credential_type of personal access token.", + "description": "Last eight characters of the credential. Only included in responses with a credential_type of personal access token, OAuth app token, or GitHub app token.", "examples": [ "12345678" ] @@ -192198,7 +192427,7 @@ }, "scopes": { "type": "array", - "description": "List of oauth scopes the token has been granted.", + "description": "List of OAuth scopes the token has been granted.", "items": { "type": "string" }, @@ -192209,7 +192438,7 @@ }, "fingerprint": { "type": "string", - "description": "Unique string to distinguish the credential. Only included in responses with credential_type of SSH Key.", + "description": "Unique string to distinguish the credential. Only included in responses with a credential_type of SSH key.", "examples": [ "jklmnop12345678" ] @@ -192230,7 +192459,7 @@ "integer", "null" ], - "description": "The ID of the underlying token that was authorized by the user. This will remain unchanged across authorizations of the token.", + "description": "The ID of the underlying token or key that was authorized by the user. This will remain unchanged across authorizations of the token or key.", "examples": [ 12345678 ] @@ -192284,6 +192513,7 @@ "token_last_eight": "71c3fc11", "credential_authorized_at": "2011-01-26T19:06:43Z", "credential_accessed_at": "2011-01-26T19:06:43Z", + "authorized_credential_id": 12345678, "authorized_credential_expires_at": "2011-02-25T19:06:43Z", "scopes": [ "user", 
@@ -192296,11 +192526,47 @@ "credential_type": "personal access token", "token_last_eight": "Ae178B4a", "credential_authorized_at": "2019-03-29T19:06:43Z", - "credential_accessed_at": "2011-01-26T19:06:43Z", + "credential_accessed_at": "2019-04-15T19:06:43Z", + "authorized_credential_id": 12345679, "authorized_credential_expires_at": "2019-04-28T19:06:43Z", "scopes": [ "repo" ] + }, + { + "login": "octocat", + "credential_id": 161197, + "credential_type": "OAuth app token", + "token_last_eight": "9f2c4d1e", + "credential_authorized_at": "2023-05-15T19:06:43Z", + "credential_accessed_at": "2023-05-16T19:06:43Z", + "authorized_credential_id": 12345680, + "authorized_credential_expires_at": "2023-06-14T19:06:43Z", + "scopes": [ + "repo", + "read:org" + ] + }, + { + "login": "hubot", + "credential_id": 161198, + "credential_type": "GitHub app token", + "token_last_eight": "3b7a0c52", + "credential_authorized_at": "2023-05-15T19:06:43Z", + "credential_accessed_at": "2023-05-16T19:06:43Z", + "authorized_credential_id": 12345681, + "authorized_credential_expires_at": "2023-06-14T19:06:43Z", + "scopes": [] + }, + { + "login": "octocat", + "credential_id": 161199, + "credential_type": "SSH key", + "credential_authorized_at": "2023-05-15T19:06:43Z", + "credential_accessed_at": "2023-05-16T19:06:43Z", + "authorized_credential_id": 12345682, + "fingerprint": "jklmnop12345678", + "authorized_credential_title": "my ssh key" } ] } 
@@ -192320,7 +192586,7 @@ "/orgs/{org}/credential-authorizations/{credential_id}": { "delete": { "summary": "Remove a SAML SSO authorization for an organization", - "description": "Removes a credential authorization for an organization that uses SAML SSO. Once you remove someone's credential authorization, they will need to create a new personal access token or SSH key and authorize it for the organization they want to access.\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `admin:org` scope to use this endpoint.", + "description": "Removes a credential authorization for an organization that uses SAML SSO. The credential can be a personal access token, an SSH key, an OAuth app access token, or a user-to-server token from a GitHub App. Once you remove someone's credential authorization, they will need to authorize the credential again for the organization they want to access.\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `admin:org` scope to use this endpoint.", "tags": [ "orgs" ], diff --git a/descriptions-next/ghec/dereferenced/ghec.2026-03-10.deref.yaml b/descriptions-next/ghec/dereferenced/ghec.2026-03-10.deref.yaml index 97cb664875..3acc3141b4 100644 --- a/descriptions-next/ghec/dereferenced/ghec.2026-03-10.deref.yaml +++ b/descriptions-next/ghec/dereferenced/ghec.2026-03-10.deref.yaml 
@@ -20568,6 +20568,128 @@ paths: enabledForGitHubApps: true category: enterprise-admin subcategory: credential-authorizations + "/enterprises/{enterprise}/credential-authorizations/{username}/revoke": + post: + summary: Revoke credential authorizations for a user in an enterprise + description: |- + Revokes all credential authorizations for a single user within the enterprise. + This includes any credential authorizations the user has across all organizations + in the enterprise. + + For Enterprise Managed User (EMU) enterprises, you can optionally also destroy all + credentials (PATs v1, PATs v2, and SSH keys) owned by the user by setting + the `revoke_credentials` parameter to `true`. + + This operation is performed asynchronously. A background job will be queued to process + the revocations. + + > [!WARNING] + > If you use a personal access token to call this endpoint and target yourself, that + > token may also be revoked or destroyed as part of this operation. + + The authenticated user must be an enterprise owner or have the `write_enterprise_credentials` permission to use this endpoint. + + OAuth app tokens and personal access tokens (classic) need the `admin:enterprise` scope to use this endpoint. + tags: + - enterprise-admin + operationId: enterprise-admin/revoke-credential-authorizations-for-user + externalDocs: + description: API method documentation + url: https://docs.github.com/enterprise-cloud@latest/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise + parameters: + - *39 + - &140 + name: username + description: The handle for the GitHub user account. + in: path + required: true + schema: + type: string + requestBody: + required: false + content: + application/json: + schema: + type: object + properties: + revoke_credentials: + type: boolean + description: |- + Whether to also destroy the actual credentials (PATs and SSH keys) owned by + the user. 
This option is only available for Enterprise Managed User (EMU) + enterprises. When set to `true`, all PATs (v1 and v2) and SSH keys owned + by the user will be destroyed in addition to the credential authorizations. + default: false + examples: + default: + value: + revoke_credentials: false + emu_with_credential_revocation: + summary: EMU enterprise with credential revocation + value: + revoke_credentials: true + responses: + '202': + description: Accepted - The revocation request has been queued + content: + application/json: + schema: + type: object + properties: + message: + type: string + description: A message indicating the revocation has been queued + warning: + type: string + description: A warning message if the token used for this request + may be revoked + examples: + default: + value: + message: Credential authorization revocation for user 'octocat' + has been queued + with_authorization_revoked_warning: + summary: Warning when the calling token may have its authorization + revoked + value: + message: Credential authorization revocation for user 'octocat' + has been queued + warning: The token used for this request may also have its authorization + revoked as part of this operation + with_credential_destroyed_warning: + summary: Warning when the calling token may be destroyed (EMU with + `revoke_credentials`) + value: + message: Credential authorization revocation for user 'octocat' + has been queued + warning: The token used for this request may also be destroyed + as part of this operation + '403': *27 + '404': *6 + '422': + description: Validation error - The target user cannot be revoked, or `revoke_credentials` + is not available for this enterprise + content: + application/json: + schema: *3 + examples: + non_emu_enterprise: + summary: "`revoke_credentials` requested on a non-EMU enterprise" + value: + message: The `revoke_credentials` option is only available for + Enterprise Managed User (EMU) enterprises + documentation_url: 
https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise + first_emu_owner: + summary: Target user is the first EMU owner + value: + message: The first EMU owner cannot be targeted for credential + revocation. + documentation_url: https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise + x-github: + githubCloudOnly: true + enabledForGitHubApps: true + category: enterprise-admin + subcategory: credential-authorizations "/enterprises/{enterprise}/dependabot/alerts": get: summary: List Dependabot alerts for an enterprise @@ -22197,13 +22319,7 @@ paths: url: https://docs.github.com/enterprise-cloud@latest/rest/enterprise-admin/enterprise-roles#remove-all-enterprise-roles-from-a-user parameters: - *39 - - &140 - name: username - description: The handle for the GitHub user account. - in: path - required: true - schema: - type: string + - *140 responses: '204': description: Response @@ -27812,6 +27928,8 @@ paths: - organization - repository - cost_center + - multi_user_customer + - user examples: - enterprise budget_entity_name: @@ -27819,6 +27937,18 @@ paths: description: The name of the entity to apply the budget to examples: - example-repository-name + user: + type: string + description: The user login when the budget is scoped to a + single user (`user` scope). + examples: + - octocat + consumed_amount: + type: number + description: The consumed amount for the specified user within + the budget. Only included for `user`-scoped budgets. + examples: + - 42.5 budget_amount: type: integer description: The budget amount in whole dollars. For license-based 
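Review bot: The request body schema for the new revoke operation is an open object, so a misspelled key (for example `revoke_credential`) still validates against the description and the documented `default: false` applies; whether the server rejects unknown keys is not visible here. For a call made to cut off a user's access, that leaves the PATs and SSH keys in place while the caller believes they were destroyed. Adding `additionalProperties: false` beside `properties:` would let validators and generated clients catch it. The `202` body also carries only `message` and `warning`, so the description should say how a caller can confirm that the queued revocation has completed. The JSON renderings of this operation (`@@ -53068,6 +53068,213` and `@@ -53648,6 +53648,213`) have the same shape.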
@@ -50682,7 +50812,7 @@ paths: get: summary: List SAML SSO authorizations for an organization description: |- - Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials are either personal access tokens or SSH keys that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on). + Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials can be personal access tokens, SSH keys, OAuth app access tokens, or user-to-server tokens from GitHub Apps that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on). The authenticated user must be an organization owner to use this endpoint. @@ -50734,12 +50864,18 @@ paths: credential_type: type: string description: Human-readable description of the credential type. + enum: + - personal access token + - SSH key + - OAuth app token + - GitHub app token examples: - - SSH Key + - SSH key token_last_eight: type: string description: Last eight characters of the credential. Only included - in responses with credential_type of personal access token. + in responses with a credential_type of personal access token, + OAuth app token, or GitHub app token. examples: - '12345678' credential_authorized_at: @@ -50750,7 +50886,7 @@ paths: - '2011-01-26T19:06:43Z' scopes: type: array - description: List of oauth scopes the token has been granted. + description: List of OAuth scopes the token has been granted. items: type: string examples: 
@@ -50759,7 +50895,7 @@ paths: fingerprint: type: string description: Unique string to distinguish the credential. Only - included in responses with credential_type of SSH Key. + included in responses with a credential_type of SSH key. examples: - jklmnop12345678 credential_accessed_at: @@ -50775,9 +50911,9 @@ paths: type: - integer - 'null' - description: The ID of the underlying token that was authorized - by the user. This will remain unchanged across authorizations - of the token. + description: The ID of the underlying token or key that was + authorized by the user. This will remain unchanged across + authorizations of the token or key. examples: - 12345678 authorized_credential_title: @@ -50819,6 +50955,7 @@ paths: token_last_eight: 71c3fc11 credential_authorized_at: '2011-01-26T19:06:43Z' credential_accessed_at: '2011-01-26T19:06:43Z' + authorized_credential_id: 12345678 authorized_credential_expires_at: '2011-02-25T19:06:43Z' scopes: - user 
@@ -50828,10 +50965,39 @@ paths: credential_type: personal access token token_last_eight: Ae178B4a credential_authorized_at: '2019-03-29T19:06:43Z' - credential_accessed_at: '2011-01-26T19:06:43Z' + credential_accessed_at: '2019-04-15T19:06:43Z' + authorized_credential_id: 12345679 authorized_credential_expires_at: '2019-04-28T19:06:43Z' scopes: - repo + - login: octocat + credential_id: 161197 + credential_type: OAuth app token + token_last_eight: 9f2c4d1e + credential_authorized_at: '2023-05-15T19:06:43Z' + credential_accessed_at: '2023-05-16T19:06:43Z' + authorized_credential_id: 12345680 + authorized_credential_expires_at: '2023-06-14T19:06:43Z' + scopes: + - repo + - read:org + - login: hubot + credential_id: 161198 + credential_type: GitHub app token + token_last_eight: 3b7a0c52 + credential_authorized_at: '2023-05-15T19:06:43Z' + credential_accessed_at: '2023-05-16T19:06:43Z' + authorized_credential_id: 12345681 + authorized_credential_expires_at: '2023-06-14T19:06:43Z' + scopes: [] + - login: octocat + credential_id: 161199 + credential_type: SSH key + credential_authorized_at: '2023-05-15T19:06:43Z' + credential_accessed_at: '2023-05-16T19:06:43Z' + authorized_credential_id: 12345682 + fingerprint: jklmnop12345678 + authorized_credential_title: my ssh key x-github: githubCloudOnly: true enabledForGitHubApps: true 
@@ -50841,7 +51007,7 @@ paths: delete: summary: Remove a SAML SSO authorization for an organization description: |- - Removes a credential authorization for an organization that uses SAML SSO. Once you remove someone's credential authorization, they will need to create a new personal access token or SSH key and authorize it for the organization they want to access. + Removes a credential authorization for an organization that uses SAML SSO. The credential can be a personal access token, an SSH key, an OAuth app access token, or a user-to-server token from a GitHub App. Once you remove someone's credential authorization, they will need to authorize the credential again for the organization they want to access. The authenticated user must be an organization owner to use this endpoint. diff --git a/descriptions-next/ghec/dereferenced/ghec.deref.json b/descriptions-next/ghec/dereferenced/ghec.deref.json index 8c815ea837..11dfcd848d 100644 --- a/descriptions-next/ghec/dereferenced/ghec.deref.json +++ b/descriptions-next/ghec/dereferenced/ghec.deref.json 
@@ -53648,6 +53648,213 @@ } } }, + "/enterprises/{enterprise}/credential-authorizations/{username}/revoke": { + "post": { + "summary": "Revoke credential authorizations for a user in an enterprise", + "description": "Revokes all credential authorizations for a single user within the enterprise.\nThis includes any credential authorizations the user has across all organizations\nin the enterprise.\n\nFor Enterprise Managed User (EMU) enterprises, you can optionally also destroy all\ncredentials (PATs v1, PATs v2, and SSH keys) owned by the user by setting\nthe `revoke_credentials` parameter to `true`.\n\nThis operation is performed asynchronously. A background job will be queued to process\nthe revocations.\n\n> [!WARNING]\n> If you use a personal access token to call this endpoint and target yourself, that\n> token may also be revoked or destroyed as part of this operation.\n\nThe authenticated user must be an enterprise owner or have the `write_enterprise_credentials` permission to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `admin:enterprise` scope to use this endpoint.", + "tags": [ + "enterprise-admin" + ], + "operationId": "enterprise-admin/revoke-credential-authorizations-for-user", + "externalDocs": { + "description": "API method documentation", + "url": "https://docs.github.com/enterprise-cloud@latest/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise" + }, + "parameters": [ + { + "name": "enterprise", + "description": "The slug version of the enterprise name.", + "in": "path", + "required": true, + "schema": { + "type": "string" + } + }, + { + "name": "username", + "description": "The handle for the GitHub user account.", + "in": "path", + "required": true, + "schema": { + "type": "string" + } + } + ], + "requestBody": { + "required": false, + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "revoke_credentials": { + 
"type": "boolean", + "description": "Whether to also destroy the actual credentials (PATs and SSH keys) owned by\nthe user. This option is only available for Enterprise Managed User (EMU)\nenterprises. When set to `true`, all PATs (v1 and v2) and SSH keys owned\nby the user will be destroyed in addition to the credential authorizations.", + "default": false + } + } + }, + "examples": { + "default": { + "value": { + "revoke_credentials": false + } + }, + "emu_with_credential_revocation": { + "summary": "EMU enterprise with credential revocation", + "value": { + "revoke_credentials": true + } + } + } + } + } + }, + "responses": { + "202": { + "description": "Accepted - The revocation request has been queued", + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "message": { + "type": "string", + "description": "A message indicating the revocation has been queued" + }, + "warning": { + "type": "string", + "description": "A warning message if the token used for this request may be revoked" + } + } + }, + "examples": { + "default": { + "value": { + "message": "Credential authorization revocation for user 'octocat' has been queued" + } + }, + "with_authorization_revoked_warning": { + "summary": "Warning when the calling token may have its authorization revoked", + "value": { + "message": "Credential authorization revocation for user 'octocat' has been queued", + "warning": "The token used for this request may also have its authorization revoked as part of this operation" + } + }, + "with_credential_destroyed_warning": { + "summary": "Warning when the calling token may be destroyed (EMU with `revoke_credentials`)", + "value": { + "message": "Credential authorization revocation for user 'octocat' has been queued", + "warning": "The token used for this request may also be destroyed as part of this operation" + } + } + } + } + } + }, + "403": { + "description": "Forbidden", + "content": { + "application/json": { + "schema": { + 
"title": "Basic Error", + "description": "Basic Error", + "type": "object", + "properties": { + "message": { + "type": "string" + }, + "documentation_url": { + "type": "string" + }, + "url": { + "type": "string" + }, + "status": { + "type": "string" + } + } + } + } + } + }, + "404": { + "description": "Resource not found", + "content": { + "application/json": { + "schema": { + "title": "Basic Error", + "description": "Basic Error", + "type": "object", + "properties": { + "message": { + "type": "string" + }, + "documentation_url": { + "type": "string" + }, + "url": { + "type": "string" + }, + "status": { + "type": "string" + } + } + } + } + } + }, + "422": { + "description": "Validation error - The target user cannot be revoked, or `revoke_credentials` is not available for this enterprise", + "content": { + "application/json": { + "schema": { + "title": "Basic Error", + "description": "Basic Error", + "type": "object", + "properties": { + "message": { + "type": "string" + }, + "documentation_url": { + "type": "string" + }, + "url": { + "type": "string" + }, + "status": { + "type": "string" + } + } + }, + "examples": { + "non_emu_enterprise": { + "summary": "`revoke_credentials` requested on a non-EMU enterprise", + "value": { + "message": "The `revoke_credentials` option is only available for Enterprise Managed User (EMU) enterprises", + "documentation_url": "https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise" + } + }, + "first_emu_owner": { + "summary": "Target user is the first EMU owner", + "value": { + "message": "The first EMU owner cannot be targeted for credential revocation.", + "documentation_url": "https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise" + } + } + } + } + } + } + }, + "x-github": { + "githubCloudOnly": true, + "enabledForGitHubApps": true, + "category": "enterprise-admin", + 
"subcategory": "credential-authorizations" + } + } + }, "/enterprises/{enterprise}/dependabot/alerts": { "get": { "summary": "List Dependabot alerts for an enterprise", @@ -79359,7 +79566,9 @@ "enterprise", "organization", "repository", - "cost_center" + "cost_center", + "multi_user_customer", + "user" ], "examples": [ "enterprise" @@ -79372,6 +79581,20 @@ "example-repository-name" ] }, + "user": { + "type": "string", + "description": "The user login when the budget is scoped to a single user (`user` scope).", + "examples": [ + "octocat" + ] + }, + "consumed_amount": { + "type": "number", + "description": "The consumed amount for the specified user within the budget. Only included for `user`-scoped budgets.", + "examples": [ + 42.5 + ] + }, "budget_amount": { "type": "integer", "description": "The budget amount in whole dollars. For license-based products, this represents the number of licenses.", 
@@ -199132,7 +199355,7 @@
 "/orgs/{org}/credential-authorizations": {
 "get": {
 "summary": "List SAML SSO authorizations for an organization",
- "description": "Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials are either personal access tokens or SSH keys that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on).\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `read:org` scope to use this endpoint.",
+ "description": "Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials can be personal access tokens, SSH keys, OAuth app access tokens, or user-to-server tokens from GitHub Apps that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on).\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `read:org` scope to use this endpoint.",
 "tags": [
 "orgs"
 ],
@@ -199206,13 +199429,19 @@ "credential_type": { "type": "string", "description": "Human-readable description of the credential type.", + "enum": [ + "personal access token", + "SSH key", + "OAuth app token", + "GitHub app token" + ], "examples": [ - "SSH Key" + "SSH key" ] }, "token_last_eight": { "type": "string", - "description": "Last eight characters of the credential. Only included in responses with credential_type of personal access token.", + "description": "Last eight characters of the credential. Only included in responses with a credential_type of personal access token, OAuth app token, or GitHub app token.", "examples": [ "12345678" ] @@ -199227,7 +199456,7 @@ }, "scopes": { "type": "array", - "description": "List of oauth scopes the token has been granted.", + "description": "List of OAuth scopes the token has been granted.", "items": { "type": "string" }, @@ -199238,7 +199467,7 @@ }, "fingerprint": { "type": "string", - "description": "Unique string to distinguish the credential. Only included in responses with credential_type of SSH Key.", + "description": "Unique string to distinguish the credential. Only included in responses with a credential_type of SSH key.", "examples": [ "jklmnop12345678" ] @@ -199259,7 +199488,7 @@ "integer", "null" ], - "description": "The ID of the underlying token that was authorized by the user. This will remain unchanged across authorizations of the token.", + "description": "The ID of the underlying token or key that was authorized by the user. This will remain unchanged across authorizations of the token or key.", "examples": [ 12345678 ] @@ -199313,6 +199542,7 @@ "token_last_eight": "71c3fc11", "credential_authorized_at": "2011-01-26T19:06:43Z", "credential_accessed_at": "2011-01-26T19:06:43Z", + "authorized_credential_id": 12345678, "authorized_credential_expires_at": "2011-02-25T19:06:43Z", "scopes": [ "user", 
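Review bot: The new `enum` on `credential_type` (first hunk on this line) closes a response field that was free text, and the same hunk changes the example casing from `SSH Key` to `SSH key`. An audit script that compares against the old casing will silently stop matching SSH keys, and a generated client that deserializes into a strict enum will fail when a fifth type is added; whether the server's actual value changed or only the description was corrected is not visible in this diff. I would append to the field description something like `Match case-insensitively and tolerate values not listed here; new credential types may be added.` The same hunk is repeated in the other JSON description and in the YAML descriptions further down.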
@@ -199325,11 +199555,47 @@ "credential_type": "personal access token", "token_last_eight": "Ae178B4a", "credential_authorized_at": "2019-03-29T19:06:43Z", - "credential_accessed_at": "2011-01-26T19:06:43Z", + "credential_accessed_at": "2019-04-15T19:06:43Z", + "authorized_credential_id": 12345679, "authorized_credential_expires_at": "2019-04-28T19:06:43Z", "scopes": [ "repo" ] + }, + { + "login": "octocat", + "credential_id": 161197, + "credential_type": "OAuth app token", + "token_last_eight": "9f2c4d1e", + "credential_authorized_at": "2023-05-15T19:06:43Z", + "credential_accessed_at": "2023-05-16T19:06:43Z", + "authorized_credential_id": 12345680, + "authorized_credential_expires_at": "2023-06-14T19:06:43Z", + "scopes": [ + "repo", + "read:org" + ] + }, + { + "login": "hubot", + "credential_id": 161198, + "credential_type": "GitHub app token", + "token_last_eight": "3b7a0c52", + "credential_authorized_at": "2023-05-15T19:06:43Z", + "credential_accessed_at": "2023-05-16T19:06:43Z", + "authorized_credential_id": 12345681, + "authorized_credential_expires_at": "2023-06-14T19:06:43Z", + "scopes": [] + }, + { + "login": "octocat", + "credential_id": 161199, + "credential_type": "SSH key", + "credential_authorized_at": "2023-05-15T19:06:43Z", + "credential_accessed_at": "2023-05-16T19:06:43Z", + "authorized_credential_id": 12345682, + "fingerprint": "jklmnop12345678", + "authorized_credential_title": "my ssh key" } ] } 
@@ -199349,7 +199615,7 @@ "/orgs/{org}/credential-authorizations/{credential_id}": { "delete": { "summary": "Remove a SAML SSO authorization for an organization", - "description": "Removes a credential authorization for an organization that uses SAML SSO. Once you remove someone's credential authorization, they will need to create a new personal access token or SSH key and authorize it for the organization they want to access.\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `admin:org` scope to use this endpoint.", + "description": "Removes a credential authorization for an organization that uses SAML SSO. The credential can be a personal access token, an SSH key, an OAuth app access token, or a user-to-server token from a GitHub App. Once you remove someone's credential authorization, they will need to authorize the credential again for the organization they want to access.\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `admin:org` scope to use this endpoint.", "tags": [ "orgs" ], diff --git a/descriptions-next/ghec/dereferenced/ghec.deref.yaml b/descriptions-next/ghec/dereferenced/ghec.deref.yaml index 75b01fad84..bcb346e2dc 100644 --- a/descriptions-next/ghec/dereferenced/ghec.deref.yaml +++ b/descriptions-next/ghec/dereferenced/ghec.deref.yaml 
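Review bot: The rewritten `description` of the DELETE operation changes the stated consequence from creating a new token or key to authorizing the same credential again, which implies the credential itself survives the removal. If that is the real behaviour, the text should say so outright, because an organization owner responding to a leaked token could otherwise read removal of the authorization as revocation of the token. I would append `Removing the authorization does not delete or rotate the underlying credential.` once the behaviour is confirmed; this diff does not show it. The same sentence is repeated in the YAML and the other JSON copies of this operation.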
@@ -20774,6 +20774,128 @@ paths: enabledForGitHubApps: true category: enterprise-admin subcategory: credential-authorizations + "/enterprises/{enterprise}/credential-authorizations/{username}/revoke": + post: + summary: Revoke credential authorizations for a user in an enterprise + description: |- + Revokes all credential authorizations for a single user within the enterprise. + This includes any credential authorizations the user has across all organizations + in the enterprise. + + For Enterprise Managed User (EMU) enterprises, you can optionally also destroy all + credentials (PATs v1, PATs v2, and SSH keys) owned by the user by setting + the `revoke_credentials` parameter to `true`. + + This operation is performed asynchronously. A background job will be queued to process + the revocations. + + > [!WARNING] + > If you use a personal access token to call this endpoint and target yourself, that + > token may also be revoked or destroyed as part of this operation. + + The authenticated user must be an enterprise owner or have the `write_enterprise_credentials` permission to use this endpoint. + + OAuth app tokens and personal access tokens (classic) need the `admin:enterprise` scope to use this endpoint. + tags: + - enterprise-admin + operationId: enterprise-admin/revoke-credential-authorizations-for-user + externalDocs: + description: API method documentation + url: https://docs.github.com/enterprise-cloud@latest/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise + parameters: + - *39 + - &140 + name: username + description: The handle for the GitHub user account. + in: path + required: true + schema: + type: string + requestBody: + required: false + content: + application/json: + schema: + type: object + properties: + revoke_credentials: + type: boolean + description: |- + Whether to also destroy the actual credentials (PATs and SSH keys) owned by + the user. 
This option is only available for Enterprise Managed User (EMU) + enterprises. When set to `true`, all PATs (v1 and v2) and SSH keys owned + by the user will be destroyed in addition to the credential authorizations. + default: false + examples: + default: + value: + revoke_credentials: false + emu_with_credential_revocation: + summary: EMU enterprise with credential revocation + value: + revoke_credentials: true + responses: + '202': + description: Accepted - The revocation request has been queued + content: + application/json: + schema: + type: object + properties: + message: + type: string + description: A message indicating the revocation has been queued + warning: + type: string + description: A warning message if the token used for this request + may be revoked + examples: + default: + value: + message: Credential authorization revocation for user 'octocat' + has been queued + with_authorization_revoked_warning: + summary: Warning when the calling token may have its authorization + revoked + value: + message: Credential authorization revocation for user 'octocat' + has been queued + warning: The token used for this request may also have its authorization + revoked as part of this operation + with_credential_destroyed_warning: + summary: Warning when the calling token may be destroyed (EMU with + `revoke_credentials`) + value: + message: Credential authorization revocation for user 'octocat' + has been queued + warning: The token used for this request may also be destroyed + as part of this operation + '403': *27 + '404': *6 + '422': + description: Validation error - The target user cannot be revoked, or `revoke_credentials` + is not available for this enterprise + content: + application/json: + schema: *3 + examples: + non_emu_enterprise: + summary: "`revoke_credentials` requested on a non-EMU enterprise" + value: + message: The `revoke_credentials` option is only available for + Enterprise Managed User (EMU) enterprises + documentation_url: 
https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise + first_emu_owner: + summary: Target user is the first EMU owner + value: + message: The first EMU owner cannot be targeted for credential + revocation. + documentation_url: https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise + x-github: + githubCloudOnly: true + enabledForGitHubApps: true + category: enterprise-admin + subcategory: credential-authorizations "/enterprises/{enterprise}/dependabot/alerts": get: summary: List Dependabot alerts for an enterprise @@ -22445,13 +22567,7 @@ paths: url: https://docs.github.com/enterprise-cloud@latest/rest/enterprise-admin/enterprise-roles#remove-all-enterprise-roles-from-a-user parameters: - *39 - - &140 - name: username - description: The handle for the GitHub user account. - in: path - required: true - schema: - type: string + - *140 responses: '204': description: Response @@ -28060,6 +28176,8 @@ paths: - organization - repository - cost_center + - multi_user_customer + - user examples: - enterprise budget_entity_name: @@ -28067,6 +28185,18 @@ paths: description: The name of the entity to apply the budget to examples: - example-repository-name + user: + type: string + description: The user login when the budget is scoped to a + single user (`user` scope). + examples: + - octocat + consumed_amount: + type: number + description: The consumed amount for the specified user within + the budget. Only included for `user`-scoped budgets. + examples: + - 42.5 budget_amount: type: integer description: The budget amount in whole dollars. For license-based 
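Review bot: The `'202'` response of the new revoke operation carries only `message` and `warning`, so a caller gets no job identifier or status URL to learn when, or whether, the queued revocation finished. This endpoint will be used for offboarding and incident response, so the operation description should state how completion is confirmed. The only candidate visible in this diff is re-listing `GET /orgs/{org}/credential-authorizations` for each organization, and that should be confirmed by the API owners. Suggested addition to the description: `A 202 response does not mean revocation has completed; re-list credential authorizations to confirm.` The same operation is added in the JSON and the non-dereferenced YAML descriptions.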
@@ -51455,7 +51585,7 @@ paths: get: summary: List SAML SSO authorizations for an organization description: |- - Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials are either personal access tokens or SSH keys that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on). + Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials can be personal access tokens, SSH keys, OAuth app access tokens, or user-to-server tokens from GitHub Apps that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on). The authenticated user must be an organization owner to use this endpoint. @@ -51507,12 +51637,18 @@ paths: credential_type: type: string description: Human-readable description of the credential type. + enum: + - personal access token + - SSH key + - OAuth app token + - GitHub app token examples: - - SSH Key + - SSH key token_last_eight: type: string description: Last eight characters of the credential. Only included - in responses with credential_type of personal access token. + in responses with a credential_type of personal access token, + OAuth app token, or GitHub app token. examples: - '12345678' credential_authorized_at: @@ -51523,7 +51659,7 @@ paths: - '2011-01-26T19:06:43Z' scopes: type: array - description: List of oauth scopes the token has been granted. + description: List of OAuth scopes the token has been granted. items: type: string examples: 
@@ -51532,7 +51668,7 @@ paths: fingerprint: type: string description: Unique string to distinguish the credential. Only - included in responses with credential_type of SSH Key. + included in responses with a credential_type of SSH key. examples: - jklmnop12345678 credential_accessed_at: @@ -51548,9 +51684,9 @@ paths: type: - integer - 'null' - description: The ID of the underlying token that was authorized - by the user. This will remain unchanged across authorizations - of the token. + description: The ID of the underlying token or key that was + authorized by the user. This will remain unchanged across + authorizations of the token or key. examples: - 12345678 authorized_credential_title: @@ -51592,6 +51728,7 @@ paths: token_last_eight: 71c3fc11 credential_authorized_at: '2011-01-26T19:06:43Z' credential_accessed_at: '2011-01-26T19:06:43Z' + authorized_credential_id: 12345678 authorized_credential_expires_at: '2011-02-25T19:06:43Z' scopes: - user 
@@ -51601,10 +51738,39 @@ paths: credential_type: personal access token token_last_eight: Ae178B4a credential_authorized_at: '2019-03-29T19:06:43Z' - credential_accessed_at: '2011-01-26T19:06:43Z' + credential_accessed_at: '2019-04-15T19:06:43Z' + authorized_credential_id: 12345679 authorized_credential_expires_at: '2019-04-28T19:06:43Z' scopes: - repo + - login: octocat + credential_id: 161197 + credential_type: OAuth app token + token_last_eight: 9f2c4d1e + credential_authorized_at: '2023-05-15T19:06:43Z' + credential_accessed_at: '2023-05-16T19:06:43Z' + authorized_credential_id: 12345680 + authorized_credential_expires_at: '2023-06-14T19:06:43Z' + scopes: + - repo + - read:org + - login: hubot + credential_id: 161198 + credential_type: GitHub app token + token_last_eight: 3b7a0c52 + credential_authorized_at: '2023-05-15T19:06:43Z' + credential_accessed_at: '2023-05-16T19:06:43Z' + authorized_credential_id: 12345681 + authorized_credential_expires_at: '2023-06-14T19:06:43Z' + scopes: [] + - login: octocat + credential_id: 161199 + credential_type: SSH key + credential_authorized_at: '2023-05-15T19:06:43Z' + credential_accessed_at: '2023-05-16T19:06:43Z' + authorized_credential_id: 12345682 + fingerprint: jklmnop12345678 + authorized_credential_title: my ssh key x-github: githubCloudOnly: true enabledForGitHubApps: true 
@@ -51614,7 +51780,7 @@ paths: delete: summary: Remove a SAML SSO authorization for an organization description: |- - Removes a credential authorization for an organization that uses SAML SSO. Once you remove someone's credential authorization, they will need to create a new personal access token or SSH key and authorize it for the organization they want to access. + Removes a credential authorization for an organization that uses SAML SSO. The credential can be a personal access token, an SSH key, an OAuth app access token, or a user-to-server token from a GitHub App. Once you remove someone's credential authorization, they will need to authorize the credential again for the organization they want to access. The authenticated user must be an organization owner to use this endpoint. diff --git a/descriptions-next/ghec/ghec.2022-11-28.json b/descriptions-next/ghec/ghec.2022-11-28.json index 124480068f..e9a6d2573e 100644 --- a/descriptions-next/ghec/ghec.2022-11-28.json +++ b/descriptions-next/ghec/ghec.2022-11-28.json 
@@ -13831,6 +13831,139 @@ } } }, + "/enterprises/{enterprise}/credential-authorizations/{username}/revoke": { + "post": { + "summary": "Revoke credential authorizations for a user in an enterprise", + "description": "Revokes all credential authorizations for a single user within the enterprise.\nThis includes any credential authorizations the user has across all organizations\nin the enterprise.\n\nFor Enterprise Managed User (EMU) enterprises, you can optionally also destroy all\ncredentials (PATs v1, PATs v2, and SSH keys) owned by the user by setting\nthe `revoke_credentials` parameter to `true`.\n\nThis operation is performed asynchronously. A background job will be queued to process\nthe revocations.\n\n> [!WARNING]\n> If you use a personal access token to call this endpoint and target yourself, that\n> token may also be revoked or destroyed as part of this operation.\n\nThe authenticated user must be an enterprise owner or have the `write_enterprise_credentials` permission to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `admin:enterprise` scope to use this endpoint.", + "tags": [ + "enterprise-admin" + ], + "operationId": "enterprise-admin/revoke-credential-authorizations-for-user", + "externalDocs": { + "description": "API method documentation", + "url": "https://docs.github.com/enterprise-cloud@latest/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise" + }, + "parameters": [ + { + "$ref": "#/components/parameters/enterprise" + }, + { + "$ref": "#/components/parameters/username" + } + ], + "requestBody": { + "required": false, + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "revoke_credentials": { + "type": "boolean", + "description": "Whether to also destroy the actual credentials (PATs and SSH keys) owned by\nthe user. This option is only available for Enterprise Managed User (EMU)\nenterprises. 
When set to `true`, all PATs (v1 and v2) and SSH keys owned\nby the user will be destroyed in addition to the credential authorizations.", + "default": false + } + } + }, + "examples": { + "default": { + "value": { + "revoke_credentials": false + } + }, + "emu_with_credential_revocation": { + "summary": "EMU enterprise with credential revocation", + "value": { + "revoke_credentials": true + } + } + } + } + } + }, + "responses": { + "202": { + "description": "Accepted - The revocation request has been queued", + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "message": { + "type": "string", + "description": "A message indicating the revocation has been queued" + }, + "warning": { + "type": "string", + "description": "A warning message if the token used for this request may be revoked" + } + } + }, + "examples": { + "default": { + "value": { + "message": "Credential authorization revocation for user 'octocat' has been queued" + } + }, + "with_authorization_revoked_warning": { + "summary": "Warning when the calling token may have its authorization revoked", + "value": { + "message": "Credential authorization revocation for user 'octocat' has been queued", + "warning": "The token used for this request may also have its authorization revoked as part of this operation" + } + }, + "with_credential_destroyed_warning": { + "summary": "Warning when the calling token may be destroyed (EMU with `revoke_credentials`)", + "value": { + "message": "Credential authorization revocation for user 'octocat' has been queued", + "warning": "The token used for this request may also be destroyed as part of this operation" + } + } + } + } + } + }, + "403": { + "$ref": "#/components/responses/forbidden" + }, + "404": { + "$ref": "#/components/responses/not_found" + }, + "422": { + "description": "Validation error - The target user cannot be revoked, or `revoke_credentials` is not available for this enterprise", + "content": { + "application/json": 
{ + "schema": { + "$ref": "#/components/schemas/basic-error" + }, + "examples": { + "non_emu_enterprise": { + "summary": "`revoke_credentials` requested on a non-EMU enterprise", + "value": { + "message": "The `revoke_credentials` option is only available for Enterprise Managed User (EMU) enterprises", + "documentation_url": "https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise" + } + }, + "first_emu_owner": { + "summary": "Target user is the first EMU owner", + "value": { + "message": "The first EMU owner cannot be targeted for credential revocation.", + "documentation_url": "https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise" + } + } + } + } + } + } + }, + "x-github": { + "githubCloudOnly": true, + "enabledForGitHubApps": true, + "category": "enterprise-admin", + "subcategory": "credential-authorizations" + } + } + }, "/enterprises/{enterprise}/dependabot/alerts": { "get": { "summary": "List Dependabot alerts for an enterprise", 
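Review bot: The request-body schema of the revoke operation declares `revoke_credentials` but leaves the object open, with the body `"required": false` and the flag `"default": false`. As far as the schema says, a misspelled key validates and falls back to revoking authorizations only, and the `202` `message` example reads the same in both modes, so the operator gets no signal that credentials were not destroyed. Adding `"additionalProperties": false` next to `"properties"` lets validators and generated clients reject the typo; whether the server itself rejects unknown keys is not visible here. The YAML copies of this operation have the same shape.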
@@ -37141,7 +37274,7 @@
 "/orgs/{org}/credential-authorizations": {
 "get": {
 "summary": "List SAML SSO authorizations for an organization",
- "description": "Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials are either personal access tokens or SSH keys that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on).\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `read:org` scope to use this endpoint.",
+ "description": "Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials can be personal access tokens, SSH keys, OAuth app access tokens, or user-to-server tokens from GitHub Apps that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on).\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `read:org` scope to use this endpoint.",
 "tags": [
 "orgs"
 ],
@@ -37205,7 +37338,7 @@ "/orgs/{org}/credential-authorizations/{credential_id}": { "delete": { "summary": "Remove a SAML SSO authorization for an organization", - "description": "Removes a credential authorization for an organization that uses SAML SSO. Once you remove someone's credential authorization, they will need to create a new personal access token or SSH key and authorize it for the organization they want to access.\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `admin:org` scope to use this endpoint.", + "description": "Removes a credential authorization for an organization that uses SAML SSO. The credential can be a personal access token, an SSH key, an OAuth app access token, or a user-to-server token from a GitHub App. Once you remove someone's credential authorization, they will need to authorize the credential again for the organization they want to access.\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `admin:org` scope to use this endpoint.", "tags": [ "orgs" ], @@ -143879,7 +144012,9 @@ "enterprise", "organization", "repository", - "cost_center" + "cost_center", + "multi_user_customer", + "user" ], "examples": [ "enterprise" @@ -143892,6 +144027,20 @@ "example-repository-name" ] }, + "user": { + "type": "string", + "description": "The user login when the budget is scoped to a single user (`user` scope).", + "examples": [ + "octocat" + ] + }, + "consumed_amount": { + "type": "number", + "description": "The consumed amount for the specified user within the budget. Only included for `user`-scoped budgets.", + "examples": [ + 42.5 + ] + }, "budget_amount": { "type": "integer", "description": "The budget amount in whole dollars. For license-based products, this represents the number of licenses.", 
@@ -151267,13 +151416,19 @@ "credential_type": { "type": "string", "description": "Human-readable description of the credential type.", + "enum": [ + "personal access token", + "SSH key", + "OAuth app token", + "GitHub app token" + ], "examples": [ - "SSH Key" + "SSH key" ] }, "token_last_eight": { "type": "string", - "description": "Last eight characters of the credential. Only included in responses with credential_type of personal access token.", + "description": "Last eight characters of the credential. Only included in responses with a credential_type of personal access token, OAuth app token, or GitHub app token.", "examples": [ "12345678" ] @@ -151288,7 +151443,7 @@ }, "scopes": { "type": "array", - "description": "List of oauth scopes the token has been granted.", + "description": "List of OAuth scopes the token has been granted.", "items": { "type": "string" }, @@ -151299,7 +151454,7 @@ }, "fingerprint": { "type": "string", - "description": "Unique string to distinguish the credential. Only included in responses with credential_type of SSH Key.", + "description": "Unique string to distinguish the credential. Only included in responses with a credential_type of SSH key.", "examples": [ "jklmnop12345678" ] @@ -151320,7 +151475,7 @@ "integer", "null" ], - "description": "The ID of the underlying token that was authorized by the user. This will remain unchanged across authorizations of the token.", + "description": "The ID of the underlying token or key that was authorized by the user. This will remain unchanged across authorizations of the token or key.", "examples": [ 12345678 ] @@ -338772,6 +338927,7 @@ "token_last_eight": "71c3fc11", "credential_authorized_at": "2011-01-26T19:06:43Z", "credential_accessed_at": "2011-01-26T19:06:43Z", + "authorized_credential_id": 12345678, "authorized_credential_expires_at": "2011-02-25T19:06:43Z", "scopes": [ "user", 
@@ -338784,11 +338940,47 @@ "credential_type": "personal access token", "token_last_eight": "Ae178B4a", "credential_authorized_at": "2019-03-29T19:06:43Z", - "credential_accessed_at": "2011-01-26T19:06:43Z", + "credential_accessed_at": "2019-04-15T19:06:43Z", + "authorized_credential_id": 12345679, "authorized_credential_expires_at": "2019-04-28T19:06:43Z", "scopes": [ "repo" ] + }, + { + "login": "octocat", + "credential_id": 161197, + "credential_type": "OAuth app token", + "token_last_eight": "9f2c4d1e", + "credential_authorized_at": "2023-05-15T19:06:43Z", + "credential_accessed_at": "2023-05-16T19:06:43Z", + "authorized_credential_id": 12345680, + "authorized_credential_expires_at": "2023-06-14T19:06:43Z", + "scopes": [ + "repo", + "read:org" + ] + }, + { + "login": "hubot", + "credential_id": 161198, + "credential_type": "GitHub app token", + "token_last_eight": "3b7a0c52", + "credential_authorized_at": "2023-05-15T19:06:43Z", + "credential_accessed_at": "2023-05-16T19:06:43Z", + "authorized_credential_id": 12345681, + "authorized_credential_expires_at": "2023-06-14T19:06:43Z", + "scopes": [] + }, + { + "login": "octocat", + "credential_id": 161199, + "credential_type": "SSH key", + "credential_authorized_at": "2023-05-15T19:06:43Z", + "credential_accessed_at": "2023-05-16T19:06:43Z", + "authorized_credential_id": 12345682, + "fingerprint": "jklmnop12345678", + "authorized_credential_title": "my ssh key" } ] }, @@ -364939,6 +365131,15 @@ ] } }, + "username": { + "name": "username", + "description": "The handle for the GitHub user account.", + "in": "path", + "required": true, + "schema": { + "type": "string" + } + }, "dependabot-alert-comma-separated-classifications": { "name": "classification", "in": "query", 
@@ -365079,15 +365280,6 @@ "type": "integer" } }, - "username": { - "name": "username", - "description": "The handle for the GitHub user account.", - "in": "path", - "required": true, - "schema": { - "type": "string" - } - }, "network-configuration-id": { "name": "network_configuration_id", "description": "Unique identifier of the hosted compute network configuration.", diff --git a/descriptions-next/ghec/ghec.2022-11-28.yaml b/descriptions-next/ghec/ghec.2022-11-28.yaml index 1a85469fb5..e69e985092 100644 --- a/descriptions-next/ghec/ghec.2022-11-28.yaml +++ b/descriptions-next/ghec/ghec.2022-11-28.yaml 
@@ -10227,6 +10227,125 @@ paths: enabledForGitHubApps: true category: enterprise-admin subcategory: credential-authorizations + "/enterprises/{enterprise}/credential-authorizations/{username}/revoke": + post: + summary: Revoke credential authorizations for a user in an enterprise + description: |- + Revokes all credential authorizations for a single user within the enterprise. + This includes any credential authorizations the user has across all organizations + in the enterprise. + + For Enterprise Managed User (EMU) enterprises, you can optionally also destroy all + credentials (PATs v1, PATs v2, and SSH keys) owned by the user by setting + the `revoke_credentials` parameter to `true`. + + This operation is performed asynchronously. A background job will be queued to process + the revocations. + + > [!WARNING] + > If you use a personal access token to call this endpoint and target yourself, that + > token may also be revoked or destroyed as part of this operation. + + The authenticated user must be an enterprise owner or have the `write_enterprise_credentials` permission to use this endpoint. + + OAuth app tokens and personal access tokens (classic) need the `admin:enterprise` scope to use this endpoint. + tags: + - enterprise-admin + operationId: enterprise-admin/revoke-credential-authorizations-for-user + externalDocs: + description: API method documentation + url: https://docs.github.com/enterprise-cloud@latest/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise + parameters: + - "$ref": "#/components/parameters/enterprise" + - "$ref": "#/components/parameters/username" + requestBody: + required: false + content: + application/json: + schema: + type: object + properties: + revoke_credentials: + type: boolean + description: |- + Whether to also destroy the actual credentials (PATs and SSH keys) owned by + the user. This option is only available for Enterprise Managed User (EMU) + enterprises. 
When set to `true`, all PATs (v1 and v2) and SSH keys owned + by the user will be destroyed in addition to the credential authorizations. + default: false + examples: + default: + value: + revoke_credentials: false + emu_with_credential_revocation: + summary: EMU enterprise with credential revocation + value: + revoke_credentials: true + responses: + '202': + description: Accepted - The revocation request has been queued + content: + application/json: + schema: + type: object + properties: + message: + type: string + description: A message indicating the revocation has been queued + warning: + type: string + description: A warning message if the token used for this request + may be revoked + examples: + default: + value: + message: Credential authorization revocation for user 'octocat' + has been queued + with_authorization_revoked_warning: + summary: Warning when the calling token may have its authorization + revoked + value: + message: Credential authorization revocation for user 'octocat' + has been queued + warning: The token used for this request may also have its authorization + revoked as part of this operation + with_credential_destroyed_warning: + summary: Warning when the calling token may be destroyed (EMU with + `revoke_credentials`) + value: + message: Credential authorization revocation for user 'octocat' + has been queued + warning: The token used for this request may also be destroyed + as part of this operation + '403': + "$ref": "#/components/responses/forbidden" + '404': + "$ref": "#/components/responses/not_found" + '422': + description: Validation error - The target user cannot be revoked, or `revoke_credentials` + is not available for this enterprise + content: + application/json: + schema: + "$ref": "#/components/schemas/basic-error" + examples: + non_emu_enterprise: + summary: "`revoke_credentials` requested on a non-EMU enterprise" + value: + message: The `revoke_credentials` option is only available for + Enterprise Managed User (EMU) 
enterprises + documentation_url: https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise + first_emu_owner: + summary: Target user is the first EMU owner + value: + message: The first EMU owner cannot be targeted for credential + revocation. + documentation_url: https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise + x-github: + githubCloudOnly: true + enabledForGitHubApps: true + category: enterprise-admin + subcategory: credential-authorizations "/enterprises/{enterprise}/dependabot/alerts": get: summary: List Dependabot alerts for an enterprise @@ -27319,7 +27438,7 @@ paths: get: summary: List SAML SSO authorizations for an organization description: |- - Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials are either personal access tokens or SSH keys that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on). + Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials can be personal access tokens, SSH keys, OAuth app access tokens, or user-to-server tokens from GitHub Apps that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on). The authenticated user must be an organization owner to use this endpoint. 
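Review bot: The operation description and the `revoke_credentials` text list what is destroyed as PATs (v1 and v2) and SSH keys, while other hunks of this diff extend credential authorizations to OAuth app access tokens and GitHub App user-to-server tokens. The text does not say whether "all credential authorizations" covers those two token types, nor what happens to the tokens themselves when `revoke_credentials` is `true`. Someone using this endpoint to contain a compromised account needs that answer. I would add one sentence to the description that names each credential type and states, for each, whether its authorization is revoked and whether the credential is destroyed, once the behaviour is confirmed. The JSON and dereferenced YAML copies carry the same wording.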
@@ -27365,7 +27484,7 @@ paths: delete: summary: Remove a SAML SSO authorization for an organization description: |- - Removes a credential authorization for an organization that uses SAML SSO. Once you remove someone's credential authorization, they will need to create a new personal access token or SSH key and authorize it for the organization they want to access. + Removes a credential authorization for an organization that uses SAML SSO. The credential can be a personal access token, an SSH key, an OAuth app access token, or a user-to-server token from a GitHub App. Once you remove someone's credential authorization, they will need to authorize the credential again for the organization they want to access. The authenticated user must be an organization owner to use this endpoint. @@ -104585,6 +104704,8 @@ components: - organization - repository - cost_center + - multi_user_customer + - user examples: - enterprise budget_entity_name: @@ -104592,6 +104713,18 @@ components: description: The name of the entity to apply the budget to examples: - example-repository-name + user: + type: string + description: The user login when the budget is scoped to a single user + (`user` scope). + examples: + - octocat + consumed_amount: + type: number + description: The consumed amount for the specified user within the budget. + Only included for `user`-scoped budgets. + examples: + - 42.5 budget_amount: type: integer description: The budget amount in whole dollars. For license-based products, 
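Review bot: `consumed_amount` in the last hunk on this line is declared as `type: number` with no unit, right next to `budget_amount`, which is an integer in whole dollars or a license count depending on the product. The description should say what the figure is measured in, for example `The amount consumed by the specified user within the budget, in the same unit as budget_amount.` if that is the actual behaviour. The `multi_user_customer` scope added to the enum in the preceding hunk has no description in the visible schema, so a client cannot tell how it differs from `user`. The same pair of hunks repeats in the other description files of this diff.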
@@ -110021,12 +110154,18 @@ components: credential_type: type: string description: Human-readable description of the credential type. + enum: + - personal access token + - SSH key + - OAuth app token + - GitHub app token examples: - - SSH Key + - SSH key token_last_eight: type: string description: Last eight characters of the credential. Only included in responses - with credential_type of personal access token. + with a credential_type of personal access token, OAuth app token, or GitHub + app token. examples: - '12345678' credential_authorized_at: @@ -110037,7 +110176,7 @@ components: - '2011-01-26T19:06:43Z' scopes: type: array - description: List of oauth scopes the token has been granted. + description: List of OAuth scopes the token has been granted. items: type: string examples: @@ -110046,7 +110185,7 @@ components: fingerprint: type: string description: Unique string to distinguish the credential. Only included - in responses with credential_type of SSH Key. + in responses with a credential_type of SSH key. examples: - jklmnop12345678 credential_accessed_at: @@ -110062,8 +110201,9 @@ components: type: - integer - 'null' - description: The ID of the underlying token that was authorized by the user. - This will remain unchanged across authorizations of the token. + description: The ID of the underlying token or key that was authorized by + the user. This will remain unchanged across authorizations of the token + or key. examples: - 12345678 authorized_credential_title: @@ -249899,6 +250039,7 @@ components: token_last_eight: 71c3fc11 credential_authorized_at: '2011-01-26T19:06:43Z' credential_accessed_at: '2011-01-26T19:06:43Z' + authorized_credential_id: 12345678 authorized_credential_expires_at: '2011-02-25T19:06:43Z' scopes: - user 
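Review bot: Adding a closed `enum` to `credential_type` while changing the documented spelling from `SSH Key` to `SSH key` makes the value case-sensitive for every client generated from this schema. The hunk does not show which spelling the server emits; if `SSH Key` is still returned anywhere, strictly validating clients will reject the response, and audit scripts that filter on the old string will silently skip SSH keys, so the emitted spelling should be confirmed and stated. The property is still described as `Human-readable description of the credential type.`, which no longer fits a fixed enum; `The type of the authorized credential.` would. The value `GitHub app token` also uses a lower-case `app`, while the operation descriptions in this commit write `GitHub App`. The same change is in hunk `@@ -150624,13 +150773,19 @@` of `ghec.2026-03-10.json` and hunk `@@ -109543,12 +109676,18 @@` of `ghec.2026-03-10.yaml`.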
@@ -249908,10 +250049,39 @@ components: credential_type: personal access token token_last_eight: Ae178B4a credential_authorized_at: '2019-03-29T19:06:43Z' - credential_accessed_at: '2011-01-26T19:06:43Z' + credential_accessed_at: '2019-04-15T19:06:43Z' + authorized_credential_id: 12345679 authorized_credential_expires_at: '2019-04-28T19:06:43Z' scopes: - repo + - login: octocat + credential_id: 161197 + credential_type: OAuth app token + token_last_eight: 9f2c4d1e + credential_authorized_at: '2023-05-15T19:06:43Z' + credential_accessed_at: '2023-05-16T19:06:43Z' + authorized_credential_id: 12345680 + authorized_credential_expires_at: '2023-06-14T19:06:43Z' + scopes: + - repo + - read:org + - login: hubot + credential_id: 161198 + credential_type: GitHub app token + token_last_eight: 3b7a0c52 + credential_authorized_at: '2023-05-15T19:06:43Z' + credential_accessed_at: '2023-05-16T19:06:43Z' + authorized_credential_id: 12345681 + authorized_credential_expires_at: '2023-06-14T19:06:43Z' + scopes: [] + - login: octocat + credential_id: 161199 + credential_type: SSH key + credential_authorized_at: '2023-05-15T19:06:43Z' + credential_accessed_at: '2023-05-16T19:06:43Z' + authorized_credential_id: 12345682 + fingerprint: jklmnop12345678 + authorized_credential_title: my ssh key organization-custom-repository-role-list-example: value: total_count: 2 @@ -272316,6 +272486,13 @@ components: format: date examples: - '2025-10-13' + username: + name: username + description: The handle for the GitHub user account. + in: path + required: true + schema: + type: string dependabot-alert-comma-separated-classifications: name: classification in: query 
@@ -272450,13 +272627,6 @@ components: required: true schema: type: integer - username: - name: username - description: The handle for the GitHub user account. - in: path - required: true - schema: - type: string network-configuration-id: name: network_configuration_id description: Unique identifier of the hosted compute network configuration. diff --git a/descriptions-next/ghec/ghec.2026-03-10.json b/descriptions-next/ghec/ghec.2026-03-10.json index 2ad2c4c42c..2dcd3844dd 100644 --- a/descriptions-next/ghec/ghec.2026-03-10.json +++ b/descriptions-next/ghec/ghec.2026-03-10.json 
@@ -13831,6 +13831,139 @@ } } }, + "/enterprises/{enterprise}/credential-authorizations/{username}/revoke": { + "post": { + "summary": "Revoke credential authorizations for a user in an enterprise", + "description": "Revokes all credential authorizations for a single user within the enterprise.\nThis includes any credential authorizations the user has across all organizations\nin the enterprise.\n\nFor Enterprise Managed User (EMU) enterprises, you can optionally also destroy all\ncredentials (PATs v1, PATs v2, and SSH keys) owned by the user by setting\nthe `revoke_credentials` parameter to `true`.\n\nThis operation is performed asynchronously. A background job will be queued to process\nthe revocations.\n\n> [!WARNING]\n> If you use a personal access token to call this endpoint and target yourself, that\n> token may also be revoked or destroyed as part of this operation.\n\nThe authenticated user must be an enterprise owner or have the `write_enterprise_credentials` permission to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `admin:enterprise` scope to use this endpoint.", + "tags": [ + "enterprise-admin" + ], + "operationId": "enterprise-admin/revoke-credential-authorizations-for-user", + "externalDocs": { + "description": "API method documentation", + "url": "https://docs.github.com/enterprise-cloud@latest/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise" + }, + "parameters": [ + { + "$ref": "#/components/parameters/enterprise" + }, + { + "$ref": "#/components/parameters/username" + } + ], + "requestBody": { + "required": false, + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "revoke_credentials": { + "type": "boolean", + "description": "Whether to also destroy the actual credentials (PATs and SSH keys) owned by\nthe user. This option is only available for Enterprise Managed User (EMU)\nenterprises. 
When set to `true`, all PATs (v1 and v2) and SSH keys owned\nby the user will be destroyed in addition to the credential authorizations.", + "default": false + } + } + }, + "examples": { + "default": { + "value": { + "revoke_credentials": false + } + }, + "emu_with_credential_revocation": { + "summary": "EMU enterprise with credential revocation", + "value": { + "revoke_credentials": true + } + } + } + } + } + }, + "responses": { + "202": { + "description": "Accepted - The revocation request has been queued", + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "message": { + "type": "string", + "description": "A message indicating the revocation has been queued" + }, + "warning": { + "type": "string", + "description": "A warning message if the token used for this request may be revoked" + } + } + }, + "examples": { + "default": { + "value": { + "message": "Credential authorization revocation for user 'octocat' has been queued" + } + }, + "with_authorization_revoked_warning": { + "summary": "Warning when the calling token may have its authorization revoked", + "value": { + "message": "Credential authorization revocation for user 'octocat' has been queued", + "warning": "The token used for this request may also have its authorization revoked as part of this operation" + } + }, + "with_credential_destroyed_warning": { + "summary": "Warning when the calling token may be destroyed (EMU with `revoke_credentials`)", + "value": { + "message": "Credential authorization revocation for user 'octocat' has been queued", + "warning": "The token used for this request may also be destroyed as part of this operation" + } + } + } + } + } + }, + "403": { + "$ref": "#/components/responses/forbidden" + }, + "404": { + "$ref": "#/components/responses/not_found" + }, + "422": { + "description": "Validation error - The target user cannot be revoked, or `revoke_credentials` is not available for this enterprise", + "content": { + "application/json": 
{ + "schema": { + "$ref": "#/components/schemas/basic-error" + }, + "examples": { + "non_emu_enterprise": { + "summary": "`revoke_credentials` requested on a non-EMU enterprise", + "value": { + "message": "The `revoke_credentials` option is only available for Enterprise Managed User (EMU) enterprises", + "documentation_url": "https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise" + } + }, + "first_emu_owner": { + "summary": "Target user is the first EMU owner", + "value": { + "message": "The first EMU owner cannot be targeted for credential revocation.", + "documentation_url": "https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise" + } + } + } + } + } + } + }, + "x-github": { + "githubCloudOnly": true, + "enabledForGitHubApps": true, + "category": "enterprise-admin", + "subcategory": "credential-authorizations" + } + } + }, "/enterprises/{enterprise}/dependabot/alerts": { "get": { "summary": "List Dependabot alerts for an enterprise", 
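Review bot: The `revoke_credentials` description in this hunk names only PATs (v1 and v2) and SSH keys as destroyed, while the `/orgs/{org}/credential-authorizations` descriptions changed in the same commit also list OAuth app access tokens and GitHub App user-to-server tokens as authorizable credentials. Someone using this endpoint for off-boarding or incident containment cannot tell whether those two token types are destroyed, only de-authorized, or left untouched; the description should end with a sentence such as `OAuth app tokens and GitHub App user-to-server tokens are <destroyed | de-authorized only>.` with the real behaviour filled in. The `202` response carries only `message` and `warning`, with no job identifier, so the operation description should also say how a caller confirms that the queued revocation has completed (presumably by listing the remaining credential authorizations). The same text appears in the YAML hunks for this path and in `ghec.json`.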
@@ -37079,7 +37212,7 @@ "/orgs/{org}/credential-authorizations": { "get": { "summary": "List SAML SSO authorizations for an organization", - "description": "Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials are either personal access tokens or SSH keys that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on).\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `read:org` scope to use this endpoint.", + "description": "Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials can be personal access tokens, SSH keys, OAuth app access tokens, or user-to-server tokens from GitHub Apps that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on).\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `read:org` scope to use this endpoint.", "tags": [ "orgs" ], 
@@ -37143,7 +37276,7 @@ "/orgs/{org}/credential-authorizations/{credential_id}": { "delete": { "summary": "Remove a SAML SSO authorization for an organization", - "description": "Removes a credential authorization for an organization that uses SAML SSO. Once you remove someone's credential authorization, they will need to create a new personal access token or SSH key and authorize it for the organization they want to access.\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `admin:org` scope to use this endpoint.", + "description": "Removes a credential authorization for an organization that uses SAML SSO. The credential can be a personal access token, an SSH key, an OAuth app access token, or a user-to-server token from a GitHub App. Once you remove someone's credential authorization, they will need to authorize the credential again for the organization they want to access.\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `admin:org` scope to use this endpoint.", "tags": [ "orgs" ], @@ -143651,7 +143784,9 @@ "enterprise", "organization", "repository", - "cost_center" + "cost_center", + "multi_user_customer", + "user" ], "examples": [ "enterprise" @@ -143664,6 +143799,20 @@ "example-repository-name" ] }, + "user": { + "type": "string", + "description": "The user login when the budget is scoped to a single user (`user` scope).", + "examples": [ + "octocat" + ] + }, + "consumed_amount": { + "type": "number", + "description": "The consumed amount for the specified user within the budget. Only included for `user`-scoped budgets.", + "examples": [ + 42.5 + ] + }, "budget_amount": { "type": "integer", "description": "The budget amount in whole dollars. For license-based products, this represents the number of licenses.", 
@@ -150624,13 +150773,19 @@ "credential_type": { "type": "string", "description": "Human-readable description of the credential type.", + "enum": [ + "personal access token", + "SSH key", + "OAuth app token", + "GitHub app token" + ], "examples": [ - "SSH Key" + "SSH key" ] }, "token_last_eight": { "type": "string", - "description": "Last eight characters of the credential. Only included in responses with credential_type of personal access token.", + "description": "Last eight characters of the credential. Only included in responses with a credential_type of personal access token, OAuth app token, or GitHub app token.", "examples": [ "12345678" ] @@ -150645,7 +150800,7 @@ }, "scopes": { "type": "array", - "description": "List of oauth scopes the token has been granted.", + "description": "List of OAuth scopes the token has been granted.", "items": { "type": "string" }, @@ -150656,7 +150811,7 @@ }, "fingerprint": { "type": "string", - "description": "Unique string to distinguish the credential. Only included in responses with credential_type of SSH Key.", + "description": "Unique string to distinguish the credential. Only included in responses with a credential_type of SSH key.", "examples": [ "jklmnop12345678" ] @@ -150677,7 +150832,7 @@ "integer", "null" ], - "description": "The ID of the underlying token that was authorized by the user. This will remain unchanged across authorizations of the token.", + "description": "The ID of the underlying token or key that was authorized by the user. This will remain unchanged across authorizations of the token or key.", "examples": [ 12345678 ] @@ -337884,6 +338039,7 @@ "token_last_eight": "71c3fc11", "credential_authorized_at": "2011-01-26T19:06:43Z", "credential_accessed_at": "2011-01-26T19:06:43Z", + "authorized_credential_id": 12345678, "authorized_credential_expires_at": "2011-02-25T19:06:43Z", "scopes": [ "user", 
@@ -337896,11 +338052,47 @@ "credential_type": "personal access token", "token_last_eight": "Ae178B4a", "credential_authorized_at": "2019-03-29T19:06:43Z", - "credential_accessed_at": "2011-01-26T19:06:43Z", + "credential_accessed_at": "2019-04-15T19:06:43Z", + "authorized_credential_id": 12345679, "authorized_credential_expires_at": "2019-04-28T19:06:43Z", "scopes": [ "repo" ] + }, + { + "login": "octocat", + "credential_id": 161197, + "credential_type": "OAuth app token", + "token_last_eight": "9f2c4d1e", + "credential_authorized_at": "2023-05-15T19:06:43Z", + "credential_accessed_at": "2023-05-16T19:06:43Z", + "authorized_credential_id": 12345680, + "authorized_credential_expires_at": "2023-06-14T19:06:43Z", + "scopes": [ + "repo", + "read:org" + ] + }, + { + "login": "hubot", + "credential_id": 161198, + "credential_type": "GitHub app token", + "token_last_eight": "3b7a0c52", + "credential_authorized_at": "2023-05-15T19:06:43Z", + "credential_accessed_at": "2023-05-16T19:06:43Z", + "authorized_credential_id": 12345681, + "authorized_credential_expires_at": "2023-06-14T19:06:43Z", + "scopes": [] + }, + { + "login": "octocat", + "credential_id": 161199, + "credential_type": "SSH key", + "credential_authorized_at": "2023-05-15T19:06:43Z", + "credential_accessed_at": "2023-05-16T19:06:43Z", + "authorized_credential_id": 12345682, + "fingerprint": "jklmnop12345678", + "authorized_credential_title": "my ssh key" } ] }, @@ -363979,6 +364171,15 @@ ] } }, + "username": { + "name": "username", + "description": "The handle for the GitHub user account.", + "in": "path", + "required": true, + "schema": { + "type": "string" + } + }, "dependabot-alert-comma-separated-classifications": { "name": "classification", "in": "query", 
@@ -364119,15 +364320,6 @@ "type": "integer" } }, - "username": { - "name": "username", - "description": "The handle for the GitHub user account.", - "in": "path", - "required": true, - "schema": { - "type": "string" - } - }, "network-configuration-id": { "name": "network_configuration_id", "description": "Unique identifier of the hosted compute network configuration.", diff --git a/descriptions-next/ghec/ghec.2026-03-10.yaml b/descriptions-next/ghec/ghec.2026-03-10.yaml index b367be8c8a..9c74db3004 100644 --- a/descriptions-next/ghec/ghec.2026-03-10.yaml +++ b/descriptions-next/ghec/ghec.2026-03-10.yaml 
@@ -10227,6 +10227,125 @@ paths: enabledForGitHubApps: true category: enterprise-admin subcategory: credential-authorizations + "/enterprises/{enterprise}/credential-authorizations/{username}/revoke": + post: + summary: Revoke credential authorizations for a user in an enterprise + description: |- + Revokes all credential authorizations for a single user within the enterprise. + This includes any credential authorizations the user has across all organizations + in the enterprise. + + For Enterprise Managed User (EMU) enterprises, you can optionally also destroy all + credentials (PATs v1, PATs v2, and SSH keys) owned by the user by setting + the `revoke_credentials` parameter to `true`. + + This operation is performed asynchronously. A background job will be queued to process + the revocations. + + > [!WARNING] + > If you use a personal access token to call this endpoint and target yourself, that + > token may also be revoked or destroyed as part of this operation. + + The authenticated user must be an enterprise owner or have the `write_enterprise_credentials` permission to use this endpoint. + + OAuth app tokens and personal access tokens (classic) need the `admin:enterprise` scope to use this endpoint. + tags: + - enterprise-admin + operationId: enterprise-admin/revoke-credential-authorizations-for-user + externalDocs: + description: API method documentation + url: https://docs.github.com/enterprise-cloud@latest/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise + parameters: + - "$ref": "#/components/parameters/enterprise" + - "$ref": "#/components/parameters/username" + requestBody: + required: false + content: + application/json: + schema: + type: object + properties: + revoke_credentials: + type: boolean + description: |- + Whether to also destroy the actual credentials (PATs and SSH keys) owned by + the user. This option is only available for Enterprise Managed User (EMU) + enterprises. 
When set to `true`, all PATs (v1 and v2) and SSH keys owned + by the user will be destroyed in addition to the credential authorizations. + default: false + examples: + default: + value: + revoke_credentials: false + emu_with_credential_revocation: + summary: EMU enterprise with credential revocation + value: + revoke_credentials: true + responses: + '202': + description: Accepted - The revocation request has been queued + content: + application/json: + schema: + type: object + properties: + message: + type: string + description: A message indicating the revocation has been queued + warning: + type: string + description: A warning message if the token used for this request + may be revoked + examples: + default: + value: + message: Credential authorization revocation for user 'octocat' + has been queued + with_authorization_revoked_warning: + summary: Warning when the calling token may have its authorization + revoked + value: + message: Credential authorization revocation for user 'octocat' + has been queued + warning: The token used for this request may also have its authorization + revoked as part of this operation + with_credential_destroyed_warning: + summary: Warning when the calling token may be destroyed (EMU with + `revoke_credentials`) + value: + message: Credential authorization revocation for user 'octocat' + has been queued + warning: The token used for this request may also be destroyed + as part of this operation + '403': + "$ref": "#/components/responses/forbidden" + '404': + "$ref": "#/components/responses/not_found" + '422': + description: Validation error - The target user cannot be revoked, or `revoke_credentials` + is not available for this enterprise + content: + application/json: + schema: + "$ref": "#/components/schemas/basic-error" + examples: + non_emu_enterprise: + summary: "`revoke_credentials` requested on a non-EMU enterprise" + value: + message: The `revoke_credentials` option is only available for + Enterprise Managed User (EMU) 
enterprises + documentation_url: https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise + first_emu_owner: + summary: Target user is the first EMU owner + value: + message: The first EMU owner cannot be targeted for credential + revocation. + documentation_url: https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise + x-github: + githubCloudOnly: true + enabledForGitHubApps: true + category: enterprise-admin + subcategory: credential-authorizations "/enterprises/{enterprise}/dependabot/alerts": get: summary: List Dependabot alerts for an enterprise @@ -27272,7 +27391,7 @@ paths: get: summary: List SAML SSO authorizations for an organization description: |- - Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials are either personal access tokens or SSH keys that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on). + Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials can be personal access tokens, SSH keys, OAuth app access tokens, or user-to-server tokens from GitHub Apps that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on). The authenticated user must be an organization owner to use this endpoint. 
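Review bot: Both `documentation_url` values in the `422` examples of the revoke operation point at `https://docs.github.com/rest/enterprise-admin/credential-authorizations#…`, whereas `externalDocs.url` for the same operation uses the `https://docs.github.com/enterprise-cloud@latest/rest/…` form. The operation is marked `githubCloudOnly: true`, so the unversioned link may not resolve to this page. I would align the examples with `externalDocs`, i.e. `documentation_url: https://docs.github.com/enterprise-cloud@latest/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise`. The JSON hunks for this path carry the same two URLs.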
@@ -27318,7 +27437,7 @@ paths: delete: summary: Remove a SAML SSO authorization for an organization description: |- - Removes a credential authorization for an organization that uses SAML SSO. Once you remove someone's credential authorization, they will need to create a new personal access token or SSH key and authorize it for the organization they want to access. + Removes a credential authorization for an organization that uses SAML SSO. The credential can be a personal access token, an SSH key, an OAuth app access token, or a user-to-server token from a GitHub App. Once you remove someone's credential authorization, they will need to authorize the credential again for the organization they want to access. The authenticated user must be an organization owner to use this endpoint. @@ -104401,6 +104520,8 @@ components: - organization - repository - cost_center + - multi_user_customer + - user examples: - enterprise budget_entity_name: @@ -104408,6 +104529,18 @@ components: description: The name of the entity to apply the budget to examples: - example-repository-name + user: + type: string + description: The user login when the budget is scoped to a single user + (`user` scope). + examples: + - octocat + consumed_amount: + type: number + description: The consumed amount for the specified user within the budget. + Only included for `user`-scoped budgets. + examples: + - 42.5 budget_amount: type: integer description: The budget amount in whole dollars. For license-based products, 
@@ -109543,12 +109676,18 @@ components: credential_type: type: string description: Human-readable description of the credential type. + enum: + - personal access token + - SSH key + - OAuth app token + - GitHub app token examples: - - SSH Key + - SSH key token_last_eight: type: string description: Last eight characters of the credential. Only included in responses - with credential_type of personal access token. + with a credential_type of personal access token, OAuth app token, or GitHub + app token. examples: - '12345678' credential_authorized_at: @@ -109559,7 +109698,7 @@ components: - '2011-01-26T19:06:43Z' scopes: type: array - description: List of oauth scopes the token has been granted. + description: List of OAuth scopes the token has been granted. items: type: string examples: @@ -109568,7 +109707,7 @@ components: fingerprint: type: string description: Unique string to distinguish the credential. Only included - in responses with credential_type of SSH Key. + in responses with a credential_type of SSH key. examples: - jklmnop12345678 credential_accessed_at: @@ -109584,8 +109723,9 @@ components: type: - integer - 'null' - description: The ID of the underlying token that was authorized by the user. - This will remain unchanged across authorizations of the token. + description: The ID of the underlying token or key that was authorized by + the user. This will remain unchanged across authorizations of the token + or key. examples: - 12345678 authorized_credential_title: @@ -249168,6 +249308,7 @@ components: token_last_eight: 71c3fc11 credential_authorized_at: '2011-01-26T19:06:43Z' credential_accessed_at: '2011-01-26T19:06:43Z' + authorized_credential_id: 12345678 authorized_credential_expires_at: '2011-02-25T19:06:43Z' scopes: - user 
@@ -249177,10 +249318,39 @@ components: credential_type: personal access token token_last_eight: Ae178B4a credential_authorized_at: '2019-03-29T19:06:43Z' - credential_accessed_at: '2011-01-26T19:06:43Z' + credential_accessed_at: '2019-04-15T19:06:43Z' + authorized_credential_id: 12345679 authorized_credential_expires_at: '2019-04-28T19:06:43Z' scopes: - repo + - login: octocat + credential_id: 161197 + credential_type: OAuth app token + token_last_eight: 9f2c4d1e + credential_authorized_at: '2023-05-15T19:06:43Z' + credential_accessed_at: '2023-05-16T19:06:43Z' + authorized_credential_id: 12345680 + authorized_credential_expires_at: '2023-06-14T19:06:43Z' + scopes: + - repo + - read:org + - login: hubot + credential_id: 161198 + credential_type: GitHub app token + token_last_eight: 3b7a0c52 + credential_authorized_at: '2023-05-15T19:06:43Z' + credential_accessed_at: '2023-05-16T19:06:43Z' + authorized_credential_id: 12345681 + authorized_credential_expires_at: '2023-06-14T19:06:43Z' + scopes: [] + - login: octocat + credential_id: 161199 + credential_type: SSH key + credential_authorized_at: '2023-05-15T19:06:43Z' + credential_accessed_at: '2023-05-16T19:06:43Z' + authorized_credential_id: 12345682 + fingerprint: jklmnop12345678 + authorized_credential_title: my ssh key organization-custom-repository-role-list-example: value: total_count: 2 @@ -271515,6 +271685,13 @@ components: format: date examples: - '2025-10-13' + username: + name: username + description: The handle for the GitHub user account. + in: path + required: true + schema: + type: string dependabot-alert-comma-separated-classifications: name: classification in: query 
@@ -271649,13 +271826,6 @@ components: required: true schema: type: integer - username: - name: username - description: The handle for the GitHub user account. - in: path - required: true - schema: - type: string network-configuration-id: name: network_configuration_id description: Unique identifier of the hosted compute network configuration. diff --git a/descriptions-next/ghec/ghec.json b/descriptions-next/ghec/ghec.json index 460529e3ac..520c388c16 100644 --- a/descriptions-next/ghec/ghec.json +++ b/descriptions-next/ghec/ghec.json 
@@ -13845,6 +13845,139 @@ } } }, + "/enterprises/{enterprise}/credential-authorizations/{username}/revoke": { + "post": { + "summary": "Revoke credential authorizations for a user in an enterprise", + "description": "Revokes all credential authorizations for a single user within the enterprise.\nThis includes any credential authorizations the user has across all organizations\nin the enterprise.\n\nFor Enterprise Managed User (EMU) enterprises, you can optionally also destroy all\ncredentials (PATs v1, PATs v2, and SSH keys) owned by the user by setting\nthe `revoke_credentials` parameter to `true`.\n\nThis operation is performed asynchronously. A background job will be queued to process\nthe revocations.\n\n> [!WARNING]\n> If you use a personal access token to call this endpoint and target yourself, that\n> token may also be revoked or destroyed as part of this operation.\n\nThe authenticated user must be an enterprise owner or have the `write_enterprise_credentials` permission to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `admin:enterprise` scope to use this endpoint.", + "tags": [ + "enterprise-admin" + ], + "operationId": "enterprise-admin/revoke-credential-authorizations-for-user", + "externalDocs": { + "description": "API method documentation", + "url": "https://docs.github.com/enterprise-cloud@latest/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise" + }, + "parameters": [ + { + "$ref": "#/components/parameters/enterprise" + }, + { + "$ref": "#/components/parameters/username" + } + ], + "requestBody": { + "required": false, + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "revoke_credentials": { + "type": "boolean", + "description": "Whether to also destroy the actual credentials (PATs and SSH keys) owned by\nthe user. This option is only available for Enterprise Managed User (EMU)\nenterprises. 
When set to `true`, all PATs (v1 and v2) and SSH keys owned\nby the user will be destroyed in addition to the credential authorizations.", + "default": false + } + } + }, + "examples": { + "default": { + "value": { + "revoke_credentials": false + } + }, + "emu_with_credential_revocation": { + "summary": "EMU enterprise with credential revocation", + "value": { + "revoke_credentials": true + } + } + } + } + } + }, + "responses": { + "202": { + "description": "Accepted - The revocation request has been queued", + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "message": { + "type": "string", + "description": "A message indicating the revocation has been queued" + }, + "warning": { + "type": "string", + "description": "A warning message if the token used for this request may be revoked" + } + } + }, + "examples": { + "default": { + "value": { + "message": "Credential authorization revocation for user 'octocat' has been queued" + } + }, + "with_authorization_revoked_warning": { + "summary": "Warning when the calling token may have its authorization revoked", + "value": { + "message": "Credential authorization revocation for user 'octocat' has been queued", + "warning": "The token used for this request may also have its authorization revoked as part of this operation" + } + }, + "with_credential_destroyed_warning": { + "summary": "Warning when the calling token may be destroyed (EMU with `revoke_credentials`)", + "value": { + "message": "Credential authorization revocation for user 'octocat' has been queued", + "warning": "The token used for this request may also be destroyed as part of this operation" + } + } + } + } + } + }, + "403": { + "$ref": "#/components/responses/forbidden" + }, + "404": { + "$ref": "#/components/responses/not_found" + }, + "422": { + "description": "Validation error - The target user cannot be revoked, or `revoke_credentials` is not available for this enterprise", + "content": { + "application/json": 
{ + "schema": { + "$ref": "#/components/schemas/basic-error" + }, + "examples": { + "non_emu_enterprise": { + "summary": "`revoke_credentials` requested on a non-EMU enterprise", + "value": { + "message": "The `revoke_credentials` option is only available for Enterprise Managed User (EMU) enterprises", + "documentation_url": "https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise" + } + }, + "first_emu_owner": { + "summary": "Target user is the first EMU owner", + "value": { + "message": "The first EMU owner cannot be targeted for credential revocation.", + "documentation_url": "https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise" + } + } + } + } + } + } + }, + "x-github": { + "githubCloudOnly": true, + "enabledForGitHubApps": true, + "category": "enterprise-admin", + "subcategory": "credential-authorizations" + } + } + }, "/enterprises/{enterprise}/dependabot/alerts": { "get": { "summary": "List Dependabot alerts for an enterprise", 
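Review bot: The `warning` property in the `202` schema is described as `A warning message if the token used for this request may be revoked`, but the `with_credential_destroyed_warning` example shows that it also reports that the token may be destroyed. Suggested wording: `"description": "A warning message if the token used for this request may have its authorization revoked or be destroyed by this operation"`. The schema also declares no `required` list, so a generated client cannot rely on `message` being present; if the server always sends it, add `"required": ["message"]`. The earlier hunks for this path have the same schema.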
@@ -37269,7 +37402,7 @@ "/orgs/{org}/credential-authorizations": { "get": { "summary": "List SAML SSO authorizations for an organization", - "description": "Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials are either personal access tokens or SSH keys that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on).\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `read:org` scope to use this endpoint.", + "description": "Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials can be personal access tokens, SSH keys, OAuth app access tokens, or user-to-server tokens from GitHub Apps that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on).\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `read:org` scope to use this endpoint.", "tags": [ "orgs" ], 
@@ -37333,7 +37466,7 @@ "/orgs/{org}/credential-authorizations/{credential_id}": { "delete": { "summary": "Remove a SAML SSO authorization for an organization", - "description": "Removes a credential authorization for an organization that uses SAML SSO. Once you remove someone's credential authorization, they will need to create a new personal access token or SSH key and authorize it for the organization they want to access.\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `admin:org` scope to use this endpoint.", + "description": "Removes a credential authorization for an organization that uses SAML SSO. The credential can be a personal access token, an SSH key, an OAuth app access token, or a user-to-server token from a GitHub App. Once you remove someone's credential authorization, they will need to authorize the credential again for the organization they want to access.\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `admin:org` scope to use this endpoint.", "tags": [ "orgs" ], @@ -144516,7 +144649,9 @@ "enterprise", "organization", "repository", - "cost_center" + "cost_center", + "multi_user_customer", + "user" ], "examples": [ "enterprise" @@ -144529,6 +144664,20 @@ "example-repository-name" ] }, + "user": { + "type": "string", + "description": "The user login when the budget is scoped to a single user (`user` scope).", + "examples": [ + "octocat" + ] + }, + "consumed_amount": { + "type": "number", + "description": "The consumed amount for the specified user within the budget. Only included for `user`-scoped budgets.", + "examples": [ + 42.5 + ] + }, "budget_amount": { "type": "integer", "description": "The budget amount in whole dollars. For license-based products, this represents the number of licenses.", 
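Review bot: The new `consumed_amount` property in the budget schema (the hunk that adds `user` and `consumed_amount`) does not state its unit, while the neighbouring `budget_amount` is documented as whole dollars or, for license-based products, a number of licenses. It is also typed `number` next to an `integer` budget, so a client comparing the two cannot tell from the schema whether `42.5` is dollars or licenses. If it shares the budget's unit, the description should say so, for example by adding `Expressed in the same unit as budget_amount.` to it. The `multi_user_customer` scope value added in the preceding hunk has no explanation either, and the YAML copy of this schema needs the same wording.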
@@ -152045,13 +152194,19 @@ "credential_type": { "type": "string", "description": "Human-readable description of the credential type.", + "enum": [ + "personal access token", + "SSH key", + "OAuth app token", + "GitHub app token" + ], "examples": [ - "SSH Key" + "SSH key" ] }, "token_last_eight": { "type": "string", - "description": "Last eight characters of the credential. Only included in responses with credential_type of personal access token.", + "description": "Last eight characters of the credential. Only included in responses with a credential_type of personal access token, OAuth app token, or GitHub app token.", "examples": [ "12345678" ] @@ -152066,7 +152221,7 @@ }, "scopes": { "type": "array", - "description": "List of oauth scopes the token has been granted.", + "description": "List of OAuth scopes the token has been granted.", "items": { "type": "string" }, @@ -152077,7 +152232,7 @@ }, "fingerprint": { "type": "string", - "description": "Unique string to distinguish the credential. Only included in responses with credential_type of SSH Key.", + "description": "Unique string to distinguish the credential. Only included in responses with a credential_type of SSH key.", "examples": [ "jklmnop12345678" ] @@ -152098,7 +152253,7 @@ "integer", "null" ], - "description": "The ID of the underlying token that was authorized by the user. This will remain unchanged across authorizations of the token.", + "description": "The ID of the underlying token or key that was authorized by the user. This will remain unchanged across authorizations of the token or key.", "examples": [ 12345678 ] @@ -340734,6 +340889,7 @@ "token_last_eight": "71c3fc11", "credential_authorized_at": "2011-01-26T19:06:43Z", "credential_accessed_at": "2011-01-26T19:06:43Z", + "authorized_credential_id": 12345678, "authorized_credential_expires_at": "2011-02-25T19:06:43Z", "scopes": [ "user", 
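Review bot: The `enum` added to `credential_type` closes a response field that is still described as a "Human-readable description", and the same hunk changes the example spelling from `SSH Key` to `SSH key`. Clients generated from this schema will typically reject or drop a value outside the four listed, and an audit script that matches the old spelling would silently stop finding SSH key authorizations; whether the API's actual output changed is not visible in this diff. If the value is meant to be compared by machines, the description should say that and name the exact spellings, e.g. `"description": "The type of credential. Values are case-sensitive."`. If more credential types may appear later, leaving the field open and listing the four values under `examples` would be the safer contract. The YAML copy of this schema carries the same change.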
@@ -340746,11 +340902,47 @@ "credential_type": "personal access token", "token_last_eight": "Ae178B4a", "credential_authorized_at": "2019-03-29T19:06:43Z", - "credential_accessed_at": "2011-01-26T19:06:43Z", + "credential_accessed_at": "2019-04-15T19:06:43Z", + "authorized_credential_id": 12345679, "authorized_credential_expires_at": "2019-04-28T19:06:43Z", "scopes": [ "repo" ] + }, + { + "login": "octocat", + "credential_id": 161197, + "credential_type": "OAuth app token", + "token_last_eight": "9f2c4d1e", + "credential_authorized_at": "2023-05-15T19:06:43Z", + "credential_accessed_at": "2023-05-16T19:06:43Z", + "authorized_credential_id": 12345680, + "authorized_credential_expires_at": "2023-06-14T19:06:43Z", + "scopes": [ + "repo", + "read:org" + ] + }, + { + "login": "hubot", + "credential_id": 161198, + "credential_type": "GitHub app token", + "token_last_eight": "3b7a0c52", + "credential_authorized_at": "2023-05-15T19:06:43Z", + "credential_accessed_at": "2023-05-16T19:06:43Z", + "authorized_credential_id": 12345681, + "authorized_credential_expires_at": "2023-06-14T19:06:43Z", + "scopes": [] + }, + { + "login": "octocat", + "credential_id": 161199, + "credential_type": "SSH key", + "credential_authorized_at": "2023-05-15T19:06:43Z", + "credential_accessed_at": "2023-05-16T19:06:43Z", + "authorized_credential_id": 12345682, + "fingerprint": "jklmnop12345678", + "authorized_credential_title": "my ssh key" } ] }, @@ -367077,6 +367269,15 @@ ] } }, + "username": { + "name": "username", + "description": "The handle for the GitHub user account.", + "in": "path", + "required": true, + "schema": { + "type": "string" + } + }, "dependabot-alert-comma-separated-classifications": { "name": "classification", "in": "query", 
@@ -367217,15 +367418,6 @@ "type": "integer" } }, - "username": { - "name": "username", - "description": "The handle for the GitHub user account.", - "in": "path", - "required": true, - "schema": { - "type": "string" - } - }, "network-configuration-id": { "name": "network_configuration_id", "description": "Unique identifier of the hosted compute network configuration.", diff --git a/descriptions-next/ghec/ghec.yaml b/descriptions-next/ghec/ghec.yaml index 5cdd8949d2..a7e1ca875b 100644 --- a/descriptions-next/ghec/ghec.yaml +++ b/descriptions-next/ghec/ghec.yaml 
@@ -10235,6 +10235,125 @@ paths: enabledForGitHubApps: true category: enterprise-admin subcategory: credential-authorizations + "/enterprises/{enterprise}/credential-authorizations/{username}/revoke": + post: + summary: Revoke credential authorizations for a user in an enterprise + description: |- + Revokes all credential authorizations for a single user within the enterprise. + This includes any credential authorizations the user has across all organizations + in the enterprise. + + For Enterprise Managed User (EMU) enterprises, you can optionally also destroy all + credentials (PATs v1, PATs v2, and SSH keys) owned by the user by setting + the `revoke_credentials` parameter to `true`. + + This operation is performed asynchronously. A background job will be queued to process + the revocations. + + > [!WARNING] + > If you use a personal access token to call this endpoint and target yourself, that + > token may also be revoked or destroyed as part of this operation. + + The authenticated user must be an enterprise owner or have the `write_enterprise_credentials` permission to use this endpoint. + + OAuth app tokens and personal access tokens (classic) need the `admin:enterprise` scope to use this endpoint. + tags: + - enterprise-admin + operationId: enterprise-admin/revoke-credential-authorizations-for-user + externalDocs: + description: API method documentation + url: https://docs.github.com/enterprise-cloud@latest/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise + parameters: + - "$ref": "#/components/parameters/enterprise" + - "$ref": "#/components/parameters/username" + requestBody: + required: false + content: + application/json: + schema: + type: object + properties: + revoke_credentials: + type: boolean + description: |- + Whether to also destroy the actual credentials (PATs and SSH keys) owned by + the user. This option is only available for Enterprise Managed User (EMU) + enterprises. 
When set to `true`, all PATs (v1 and v2) and SSH keys owned + by the user will be destroyed in addition to the credential authorizations. + default: false + examples: + default: + value: + revoke_credentials: false + emu_with_credential_revocation: + summary: EMU enterprise with credential revocation + value: + revoke_credentials: true + responses: + '202': + description: Accepted - The revocation request has been queued + content: + application/json: + schema: + type: object + properties: + message: + type: string + description: A message indicating the revocation has been queued + warning: + type: string + description: A warning message if the token used for this request + may be revoked + examples: + default: + value: + message: Credential authorization revocation for user 'octocat' + has been queued + with_authorization_revoked_warning: + summary: Warning when the calling token may have its authorization + revoked + value: + message: Credential authorization revocation for user 'octocat' + has been queued + warning: The token used for this request may also have its authorization + revoked as part of this operation + with_credential_destroyed_warning: + summary: Warning when the calling token may be destroyed (EMU with + `revoke_credentials`) + value: + message: Credential authorization revocation for user 'octocat' + has been queued + warning: The token used for this request may also be destroyed + as part of this operation + '403': + "$ref": "#/components/responses/forbidden" + '404': + "$ref": "#/components/responses/not_found" + '422': + description: Validation error - The target user cannot be revoked, or `revoke_credentials` + is not available for this enterprise + content: + application/json: + schema: + "$ref": "#/components/schemas/basic-error" + examples: + non_emu_enterprise: + summary: "`revoke_credentials` requested on a non-EMU enterprise" + value: + message: The `revoke_credentials` option is only available for + Enterprise Managed User (EMU) 
enterprises + documentation_url: https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise + first_emu_owner: + summary: Target user is the first EMU owner + value: + message: The first EMU owner cannot be targeted for credential + revocation. + documentation_url: https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise + x-github: + githubCloudOnly: true + enabledForGitHubApps: true + category: enterprise-admin + subcategory: credential-authorizations "/enterprises/{enterprise}/dependabot/alerts": get: summary: List Dependabot alerts for an enterprise @@ -27387,7 +27506,7 @@ paths: get: summary: List SAML SSO authorizations for an organization description: |- - Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials are either personal access tokens or SSH keys that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on). + Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials can be personal access tokens, SSH keys, OAuth app access tokens, or user-to-server tokens from GitHub Apps that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on). The authenticated user must be an organization owner to use this endpoint. 
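Review bot: The `[!WARNING]` paragraph in the new revoke operation's description only covers a caller using a personal access token, but the 202 `warning` examples speak of "the token used for this request" and the operation also accepts OAuth app tokens and is marked `enabledForGitHubApps: true`, so other credential types that belong to the target user are presumably affected as well. I would reword it to `> If the credential used to call this endpoint belongs to the target user, it may also be revoked or destroyed as part of this operation.` Because the request is only queued, the description should also say how a caller confirms that the revocations completed (for example by listing the organization's credential authorizations afterwards, if that reflects the result), since a 202 alone does not show that access is gone. As a smaller point, the `documentation_url` in the 422 examples omits the `enterprise-cloud@latest` segment that `externalDocs` uses. The JSON copy of this operation earlier in the diff carries the same text.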
@@ -27433,7 +27552,7 @@ paths: delete: summary: Remove a SAML SSO authorization for an organization description: |- - Removes a credential authorization for an organization that uses SAML SSO. Once you remove someone's credential authorization, they will need to create a new personal access token or SSH key and authorize it for the organization they want to access. + Removes a credential authorization for an organization that uses SAML SSO. The credential can be a personal access token, an SSH key, an OAuth app access token, or a user-to-server token from a GitHub App. Once you remove someone's credential authorization, they will need to authorize the credential again for the organization they want to access. The authenticated user must be an organization owner to use this endpoint. @@ -104997,6 +105116,8 @@ components: - organization - repository - cost_center + - multi_user_customer + - user examples: - enterprise budget_entity_name: @@ -105004,6 +105125,18 @@ components: description: The name of the entity to apply the budget to examples: - example-repository-name + user: + type: string + description: The user login when the budget is scoped to a single user + (`user` scope). + examples: + - octocat + consumed_amount: + type: number + description: The consumed amount for the specified user within the budget. + Only included for `user`-scoped budgets. + examples: + - 42.5 budget_amount: type: integer description: The budget amount in whole dollars. For license-based products, 
@@ -110525,12 +110658,18 @@ components: credential_type: type: string description: Human-readable description of the credential type. + enum: + - personal access token + - SSH key + - OAuth app token + - GitHub app token examples: - - SSH Key + - SSH key token_last_eight: type: string description: Last eight characters of the credential. Only included in responses - with credential_type of personal access token. + with a credential_type of personal access token, OAuth app token, or GitHub + app token. examples: - '12345678' credential_authorized_at: @@ -110541,7 +110680,7 @@ components: - '2011-01-26T19:06:43Z' scopes: type: array - description: List of oauth scopes the token has been granted. + description: List of OAuth scopes the token has been granted. items: type: string examples: @@ -110550,7 +110689,7 @@ components: fingerprint: type: string description: Unique string to distinguish the credential. Only included - in responses with credential_type of SSH Key. + in responses with a credential_type of SSH key. examples: - jklmnop12345678 credential_accessed_at: @@ -110566,8 +110705,9 @@ components: type: - integer - 'null' - description: The ID of the underlying token that was authorized by the user. - This will remain unchanged across authorizations of the token. + description: The ID of the underlying token or key that was authorized by + the user. This will remain unchanged across authorizations of the token + or key. examples: - 12345678 authorized_credential_title: @@ -251163,6 +251303,7 @@ components: token_last_eight: 71c3fc11 credential_authorized_at: '2011-01-26T19:06:43Z' credential_accessed_at: '2011-01-26T19:06:43Z' + authorized_credential_id: 12345678 authorized_credential_expires_at: '2011-02-25T19:06:43Z' scopes: - user 
@@ -251172,10 +251313,39 @@ components: credential_type: personal access token token_last_eight: Ae178B4a credential_authorized_at: '2019-03-29T19:06:43Z' - credential_accessed_at: '2011-01-26T19:06:43Z' + credential_accessed_at: '2019-04-15T19:06:43Z' + authorized_credential_id: 12345679 authorized_credential_expires_at: '2019-04-28T19:06:43Z' scopes: - repo + - login: octocat + credential_id: 161197 + credential_type: OAuth app token + token_last_eight: 9f2c4d1e + credential_authorized_at: '2023-05-15T19:06:43Z' + credential_accessed_at: '2023-05-16T19:06:43Z' + authorized_credential_id: 12345680 + authorized_credential_expires_at: '2023-06-14T19:06:43Z' + scopes: + - repo + - read:org + - login: hubot + credential_id: 161198 + credential_type: GitHub app token + token_last_eight: 3b7a0c52 + credential_authorized_at: '2023-05-15T19:06:43Z' + credential_accessed_at: '2023-05-16T19:06:43Z' + authorized_credential_id: 12345681 + authorized_credential_expires_at: '2023-06-14T19:06:43Z' + scopes: [] + - login: octocat + credential_id: 161199 + credential_type: SSH key + credential_authorized_at: '2023-05-15T19:06:43Z' + credential_accessed_at: '2023-05-16T19:06:43Z' + authorized_credential_id: 12345682 + fingerprint: jklmnop12345678 + authorized_credential_title: my ssh key organization-custom-repository-role-list-example: value: total_count: 2 @@ -273668,6 +273838,13 @@ components: format: date examples: - '2025-10-13' + username: + name: username + description: The handle for the GitHub user account. + in: path + required: true + schema: + type: string dependabot-alert-comma-separated-classifications: name: classification in: query 
@@ -273802,13 +273979,6 @@ components: required: true schema: type: integer - username: - name: username - description: The handle for the GitHub user account. - in: path - required: true - schema: - type: string network-configuration-id: name: network_configuration_id description: Unique identifier of the hosted compute network configuration.