diff --git a/descriptions/api.github.com/api.github.com.2022-11-28.json b/descriptions/api.github.com/api.github.com.2022-11-28.json index bd9247f37..bc118998f 100644 --- a/descriptions/api.github.com/api.github.com.2022-11-28.json +++ b/descriptions/api.github.com/api.github.com.2022-11-28.json @@ -122586,7 +122586,9 @@ "enterprise", "organization", "repository", - "cost_center" + "cost_center", + "multi_user_customer", + "user" ] }, "budget_entity_name": { @@ -122594,6 +122596,16 @@ "description": "The name of the entity to apply the budget to", "example": "example-repository-name" }, + "user": { + "type": "string", + "description": "The user login when the budget is scoped to a single user (`user` scope).", + "example": "octocat" + }, + "consumed_amount": { + "type": "number", + "description": "The consumed amount for the specified user within the budget. Only included for `user`-scoped budgets.", + "example": 42.5 + }, "budget_amount": { "type": "integer", "description": "The budget amount in whole dollars. For license-based products, this represents the number of licenses.", diff --git a/descriptions/api.github.com/api.github.com.2022-11-28.yaml b/descriptions/api.github.com/api.github.com.2022-11-28.yaml index da14ecb45..bd8a8211f 100644 --- a/descriptions/api.github.com/api.github.com.2022-11-28.yaml +++ b/descriptions/api.github.com/api.github.com.2022-11-28.yaml @@ -89682,10 +89682,22 @@ components: - organization - repository - cost_center + - multi_user_customer + - user budget_entity_name: type: string description: The name of the entity to apply the budget to example: example-repository-name + user: + type: string + description: The user login when the budget is scoped to a single user + (`user` scope). + example: octocat + consumed_amount: + type: number + description: The consumed amount for the specified user within the budget. + Only included for `user`-scoped budgets. + example: 42.5 budget_amount: type: integer description: The budget amount in whole dollars. For license-based products, diff --git a/descriptions/api.github.com/api.github.com.2026-03-10.json b/descriptions/api.github.com/api.github.com.2026-03-10.json index 033473a33..afe226160 100644 --- a/descriptions/api.github.com/api.github.com.2026-03-10.json +++ b/descriptions/api.github.com/api.github.com.2026-03-10.json @@ -122095,7 +122095,9 @@ "enterprise", "organization", "repository", - "cost_center" + "cost_center", + "multi_user_customer", + "user" ] }, "budget_entity_name": { @@ -122103,6 +122105,16 @@ "description": "The name of the entity to apply the budget to", "example": "example-repository-name" }, + "user": { + "type": "string", + "description": "The user login when the budget is scoped to a single user (`user` scope).", + "example": "octocat" + }, + "consumed_amount": { + "type": "number", + "description": "The consumed amount for the specified user within the budget. Only included for `user`-scoped budgets.", + "example": 42.5 + }, "budget_amount": { "type": "integer", "description": "The budget amount in whole dollars. For license-based products, this represents the number of licenses.", diff --git a/descriptions/api.github.com/api.github.com.2026-03-10.yaml b/descriptions/api.github.com/api.github.com.2026-03-10.yaml index 76650f322..105a648f8 100644 --- a/descriptions/api.github.com/api.github.com.2026-03-10.yaml +++ b/descriptions/api.github.com/api.github.com.2026-03-10.yaml @@ -89295,10 +89295,22 @@ components: - organization - repository - cost_center + - multi_user_customer + - user budget_entity_name: type: string description: The name of the entity to apply the budget to example: example-repository-name + user: + type: string + description: The user login when the budget is scoped to a single user + (`user` scope). + example: octocat + consumed_amount: + type: number + description: The consumed amount for the specified user within the budget. + Only included for `user`-scoped budgets. + example: 42.5 budget_amount: type: integer description: The budget amount in whole dollars. For license-based products, diff --git a/descriptions/api.github.com/api.github.com.json b/descriptions/api.github.com/api.github.com.json index 0d2c51469..bac84714d 100644 --- a/descriptions/api.github.com/api.github.com.json +++ b/descriptions/api.github.com/api.github.com.json @@ -123326,7 +123326,9 @@ "enterprise", "organization", "repository", - "cost_center" + "cost_center", + "multi_user_customer", + "user" ] }, "budget_entity_name": { @@ -123334,6 +123336,16 @@ "description": "The name of the entity to apply the budget to", "example": "example-repository-name" }, + "user": { + "type": "string", + "description": "The user login when the budget is scoped to a single user (`user` scope).", + "example": "octocat" + }, + "consumed_amount": { + "type": "number", + "description": "The consumed amount for the specified user within the budget. Only included for `user`-scoped budgets.", + "example": 42.5 + }, "budget_amount": { "type": "integer", "description": "The budget amount in whole dollars. For license-based products, this represents the number of licenses.", diff --git a/descriptions/api.github.com/api.github.com.yaml b/descriptions/api.github.com/api.github.com.yaml index 20c8bdeff..c30eac4ba 100644 --- a/descriptions/api.github.com/api.github.com.yaml +++ b/descriptions/api.github.com/api.github.com.yaml @@ -90166,10 +90166,22 @@ components: - organization - repository - cost_center + - multi_user_customer + - user budget_entity_name: type: string description: The name of the entity to apply the budget to example: example-repository-name + user: + type: string + description: The user login when the budget is scoped to a single user + (`user` scope). + example: octocat + consumed_amount: + type: number + description: The consumed amount for the specified user within the budget. + Only included for `user`-scoped budgets. + example: 42.5 budget_amount: type: integer description: The budget amount in whole dollars. For license-based products, diff --git a/descriptions/api.github.com/dereferenced/api.github.com.2022-11-28.deref.json b/descriptions/api.github.com/dereferenced/api.github.com.2022-11-28.deref.json index 37716f051..f3db8d00c 100644 --- a/descriptions/api.github.com/dereferenced/api.github.com.2022-11-28.deref.json +++ b/descriptions/api.github.com/dereferenced/api.github.com.2022-11-28.deref.json @@ -77273,7 +77273,9 @@ "enterprise", "organization", "repository", - "cost_center" + "cost_center", + "multi_user_customer", + "user" ] }, "budget_entity_name": { @@ -77281,6 +77283,16 @@ "description": "The name of the entity to apply the budget to", "example": "example-repository-name" }, + "user": { + "type": "string", + "description": "The user login when the budget is scoped to a single user (`user` scope).", + "example": "octocat" + }, + "consumed_amount": { + "type": "number", + "description": "The consumed amount for the specified user within the budget. Only included for `user`-scoped budgets.", + "example": 42.5 + }, "budget_amount": { "type": "integer", "description": "The budget amount in whole dollars. For license-based products, this represents the number of licenses.", diff --git a/descriptions/api.github.com/dereferenced/api.github.com.2022-11-28.deref.yaml b/descriptions/api.github.com/dereferenced/api.github.com.2022-11-28.deref.yaml index 932dbff6d..3019480ac 100644 --- a/descriptions/api.github.com/dereferenced/api.github.com.2022-11-28.deref.yaml +++ b/descriptions/api.github.com/dereferenced/api.github.com.2022-11-28.deref.yaml @@ -21981,10 +21981,22 @@ paths: - organization - repository - cost_center + - multi_user_customer + - user budget_entity_name: type: string description: The name of the entity to apply the budget to example: example-repository-name + user: + type: string + description: The user login when the budget is scoped to a + single user (`user` scope). + example: octocat + consumed_amount: + type: number + description: The consumed amount for the specified user within + the budget. Only included for `user`-scoped budgets. + example: 42.5 budget_amount: type: integer description: The budget amount in whole dollars. For license-based diff --git a/descriptions/api.github.com/dereferenced/api.github.com.2026-03-10.deref.json b/descriptions/api.github.com/dereferenced/api.github.com.2026-03-10.deref.json index dfe47b84c..909b00b82 100644 --- a/descriptions/api.github.com/dereferenced/api.github.com.2026-03-10.deref.json +++ b/descriptions/api.github.com/dereferenced/api.github.com.2026-03-10.deref.json @@ -73911,7 +73911,9 @@ "enterprise", "organization", "repository", - "cost_center" + "cost_center", + "multi_user_customer", + "user" ] }, "budget_entity_name": { @@ -73919,6 +73921,16 @@ "description": "The name of the entity to apply the budget to", "example": "example-repository-name" }, + "user": { + "type": "string", + "description": "The user login when the budget is scoped to a single user (`user` scope).", + "example": "octocat" + }, + "consumed_amount": { + "type": "number", + "description": "The consumed amount for the specified user within the budget. Only included for `user`-scoped budgets.", + "example": 42.5 + }, "budget_amount": { "type": "integer", "description": "The budget amount in whole dollars. For license-based products, this represents the number of licenses.", diff --git a/descriptions/api.github.com/dereferenced/api.github.com.2026-03-10.deref.yaml b/descriptions/api.github.com/dereferenced/api.github.com.2026-03-10.deref.yaml index fb14bd600..646ada90f 100644 --- a/descriptions/api.github.com/dereferenced/api.github.com.2026-03-10.deref.yaml +++ b/descriptions/api.github.com/dereferenced/api.github.com.2026-03-10.deref.yaml @@ -21675,10 +21675,22 @@ paths: - organization - repository - cost_center + - multi_user_customer + - user budget_entity_name: type: string description: The name of the entity to apply the budget to example: example-repository-name + user: + type: string + description: The user login when the budget is scoped to a + single user (`user` scope). + example: octocat + consumed_amount: + type: number + description: The consumed amount for the specified user within + the budget. Only included for `user`-scoped budgets. + example: 42.5 budget_amount: type: integer description: The budget amount in whole dollars. For license-based diff --git a/descriptions/api.github.com/dereferenced/api.github.com.deref.json b/descriptions/api.github.com/dereferenced/api.github.com.deref.json index 1768a848c..fe1615920 100644 --- a/descriptions/api.github.com/dereferenced/api.github.com.deref.json +++ b/descriptions/api.github.com/dereferenced/api.github.com.deref.json @@ -78738,7 +78738,9 @@ "enterprise", "organization", "repository", - "cost_center" + "cost_center", + "multi_user_customer", + "user" ] }, "budget_entity_name": { @@ -78746,6 +78748,16 @@ "description": "The name of the entity to apply the budget to", "example": "example-repository-name" }, + "user": { + "type": "string", + "description": "The user login when the budget is scoped to a single user (`user` scope).", + "example": "octocat" + }, + "consumed_amount": { + "type": "number", + "description": "The consumed amount for the specified user within the budget. Only included for `user`-scoped budgets.", + "example": 42.5 + }, "budget_amount": { "type": "integer", "description": "The budget amount in whole dollars. For license-based products, this represents the number of licenses.", diff --git a/descriptions/api.github.com/dereferenced/api.github.com.deref.yaml b/descriptions/api.github.com/dereferenced/api.github.com.deref.yaml index 553d52543..ed43d9631 100644 --- a/descriptions/api.github.com/dereferenced/api.github.com.deref.yaml +++ b/descriptions/api.github.com/dereferenced/api.github.com.deref.yaml @@ -22246,10 +22246,22 @@ paths: - organization - repository - cost_center + - multi_user_customer + - user budget_entity_name: type: string description: The name of the entity to apply the budget to example: example-repository-name + user: + type: string + description: The user login when the budget is scoped to a + single user (`user` scope). + example: octocat + consumed_amount: + type: number + description: The consumed amount for the specified user within + the budget. Only included for `user`-scoped budgets. + example: 42.5 budget_amount: type: integer description: The budget amount in whole dollars. For license-based diff --git a/descriptions/ghec/dereferenced/ghec.2022-11-28.deref.json b/descriptions/ghec/dereferenced/ghec.2022-11-28.deref.json index 4c12f0fd9..b68b05865 100644 --- a/descriptions/ghec/dereferenced/ghec.2022-11-28.deref.json +++ b/descriptions/ghec/dereferenced/ghec.2022-11-28.deref.json @@ -48955,6 +48955,213 @@ } } }, + "/enterprises/{enterprise}/credential-authorizations/{username}/revoke": { + "post": { + "summary": "Revoke credential authorizations for a user in an enterprise", + "description": "Revokes all credential authorizations for a single user within the enterprise.\nThis includes any credential authorizations the user has across all organizations\nin the enterprise.\n\nFor Enterprise Managed User (EMU) enterprises, you can optionally also destroy all\ncredentials (PATs v1, PATs v2, and SSH keys) owned by the user by setting\nthe `revoke_credentials` parameter to `true`.\n\nThis operation is performed asynchronously. A background job will be queued to process\nthe revocations.\n\n> [!WARNING]\n> If you use a personal access token to call this endpoint and target yourself, that\n> token may also be revoked or destroyed as part of this operation.\n\nThe authenticated user must be an enterprise owner or have the `write_enterprise_credentials` permission to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `admin:enterprise` scope to use this endpoint.", + "tags": [ + "enterprise-admin" + ], + "operationId": "enterprise-admin/revoke-credential-authorizations-for-user", + "externalDocs": { + "description": "API method documentation", + "url": "https://docs.github.com/enterprise-cloud@latest/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise" + }, + "parameters": [ + { + "name": "enterprise", + "description": "The slug version of the enterprise name.", + "in": "path", + "required": true, + "schema": { + "type": "string" + } + }, + { + "name": "username", + "description": "The handle for the GitHub user account.", + "in": "path", + "required": true, + "schema": { + "type": "string" + } + } + ], + "requestBody": { + "required": false, + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "revoke_credentials": { + "type": "boolean", + "description": "Whether to also destroy the actual credentials (PATs and SSH keys) owned by\nthe user. This option is only available for Enterprise Managed User (EMU)\nenterprises. When set to `true`, all PATs (v1 and v2) and SSH keys owned\nby the user will be destroyed in addition to the credential authorizations.", + "default": false + } + } + }, + "examples": { + "default": { + "value": { + "revoke_credentials": false + } + }, + "emu_with_credential_revocation": { + "summary": "EMU enterprise with credential revocation", + "value": { + "revoke_credentials": true + } + } + } + } + } + }, + "responses": { + "202": { + "description": "Accepted - The revocation request has been queued", + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "message": { + "type": "string", + "description": "A message indicating the revocation has been queued" + }, + "warning": { + "type": "string", + "description": "A warning message if the token used for this request may be revoked" + } + } + }, + "examples": { + "default": { + "value": { + "message": "Credential authorization revocation for user 'octocat' has been queued" + } + }, + "with_authorization_revoked_warning": { + "summary": "Warning when the calling token may have its authorization revoked", + "value": { + "message": "Credential authorization revocation for user 'octocat' has been queued", + "warning": "The token used for this request may also have its authorization revoked as part of this operation" + } + }, + "with_credential_destroyed_warning": { + "summary": "Warning when the calling token may be destroyed (EMU with `revoke_credentials`)", + "value": { + "message": "Credential authorization revocation for user 'octocat' has been queued", + "warning": "The token used for this request may also be destroyed as part of this operation" + } + } + } + } + } + }, + "403": { + "description": "Forbidden", + "content": { + "application/json": { + "schema": { + "title": "Basic Error", + "description": "Basic Error", + "type": "object", + "properties": { + "message": { + "type": "string" + }, + "documentation_url": { + "type": "string" + }, + "url": { + "type": "string" + }, + "status": { + "type": "string" + } + } + } + } + } + }, + "404": { + "description": "Resource not found", + "content": { + "application/json": { + "schema": { + "title": "Basic Error", + "description": "Basic Error", + "type": "object", + "properties": { + "message": { + "type": "string" + }, + "documentation_url": { + "type": "string" + }, + "url": { + "type": "string" + }, + "status": { + "type": "string" + } + } + } + } + } + }, + "422": { + "description": "Validation error - The target user cannot be revoked, or `revoke_credentials` is not available for this enterprise", + "content": { + "application/json": { + "schema": { + "title": "Basic Error", + "description": "Basic Error", + "type": "object", + "properties": { + "message": { + "type": "string" + }, + "documentation_url": { + "type": "string" + }, + "url": { + "type": "string" + }, + "status": { + "type": "string" + } + } + }, + "examples": { + "non_emu_enterprise": { + "summary": "`revoke_credentials` requested on a non-EMU enterprise", + "value": { + "message": "The `revoke_credentials` option is only available for Enterprise Managed User (EMU) enterprises", + "documentation_url": "https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise" + } + }, + "first_emu_owner": { + "summary": "Target user is the first EMU owner", + "value": { + "message": "The first EMU owner cannot be targeted for credential revocation.", + "documentation_url": "https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise" + } + } + } + } + } + } + }, + "x-github": { + "githubCloudOnly": true, + "enabledForGitHubApps": true, + "category": "enterprise-admin", + "subcategory": "credential-authorizations" + } + } + }, "/enterprises/{enterprise}/dependabot/alerts": { "get": { "summary": "List Dependabot alerts for an enterprise", @@ -72841,7 +73048,9 @@ "enterprise", "organization", "repository", - "cost_center" + "cost_center", + "multi_user_customer", + "user" ] }, "budget_entity_name": { @@ -72849,6 +73058,16 @@ "description": "The name of the entity to apply the budget to", "example": "example-repository-name" }, + "user": { + "type": "string", + "description": "The user login when the budget is scoped to a single user (`user` scope).", + "example": "octocat" + }, + "consumed_amount": { + "type": "number", + "description": "The consumed amount for the specified user within the budget. Only included for `user`-scoped budgets.", + "example": 42.5 + }, "budget_amount": { "type": "integer", "description": "The budget amount in whole dollars. For license-based products, this represents the number of licenses.", @@ -175153,7 +175372,7 @@ "/orgs/{org}/credential-authorizations": { "get": { "summary": "List SAML SSO authorizations for an organization", - "description": "Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials are either personal access tokens or SSH keys that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on).\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `read:org` scope to use this endpoint.", + "description": "Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials can be personal access tokens, SSH keys, OAuth app access tokens, or user-to-server tokens from GitHub Apps that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on).\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `read:org` scope to use this endpoint.", "tags": [ "orgs" ], @@ -175222,13 +175441,19 @@ }, "credential_type": { "type": "string", - "example": "SSH Key", - "description": "Human-readable description of the credential type." + "example": "SSH key", + "description": "Human-readable description of the credential type.", + "enum": [ + "personal access token", + "SSH key", + "OAuth app token", + "GitHub app token" + ] }, "token_last_eight": { "type": "string", "example": "12345678", - "description": "Last eight characters of the credential. Only included in responses with credential_type of personal access token." + "description": "Last eight characters of the credential. Only included in responses with a credential_type of personal access token, OAuth app token, or GitHub app token." }, "credential_authorized_at": { "type": "string", @@ -175242,7 +175467,7 @@ "user", "repo" ], - "description": "List of oauth scopes the token has been granted.", + "description": "List of OAuth scopes the token has been granted.", "items": { "type": "string" } @@ -175250,7 +175475,7 @@ "fingerprint": { "type": "string", "example": "jklmnop12345678", - "description": "Unique string to distinguish the credential. Only included in responses with credential_type of SSH Key." + "description": "Unique string to distinguish the credential. Only included in responses with a credential_type of SSH key." }, "credential_accessed_at": { "type": "string", @@ -175263,7 +175488,7 @@ "type": "integer", "nullable": true, "example": 12345678, - "description": "The ID of the underlying token that was authorized by the user. This will remain unchanged across authorizations of the token." + "description": "The ID of the underlying token or key that was authorized by the user. This will remain unchanged across authorizations of the token or key." }, "authorized_credential_title": { "type": "string", @@ -175304,6 +175529,7 @@ "token_last_eight": "71c3fc11", "credential_authorized_at": "2011-01-26T19:06:43Z", "credential_accessed_at": "2011-01-26T19:06:43Z", + "authorized_credential_id": 12345678, "authorized_credential_expires_at": "2011-02-25T19:06:43Z", "scopes": [ "user", @@ -175316,11 +175542,47 @@ "credential_type": "personal access token", "token_last_eight": "Ae178B4a", "credential_authorized_at": "2019-03-29T19:06:43Z", - "credential_accessed_at": "2011-01-26T19:06:43Z", + "credential_accessed_at": "2019-04-15T19:06:43Z", + "authorized_credential_id": 12345679, "authorized_credential_expires_at": "2019-04-28T19:06:43Z", "scopes": [ "repo" ] + }, + { + "login": "octocat", + "credential_id": 161197, + "credential_type": "OAuth app token", + "token_last_eight": "9f2c4d1e", + "credential_authorized_at": "2023-05-15T19:06:43Z", + "credential_accessed_at": "2023-05-16T19:06:43Z", + "authorized_credential_id": 12345680, + "authorized_credential_expires_at": "2023-06-14T19:06:43Z", + "scopes": [ + "repo", + "read:org" + ] + }, + { + "login": "hubot", + "credential_id": 161198, + "credential_type": "GitHub app token", + "token_last_eight": "3b7a0c52", + "credential_authorized_at": "2023-05-15T19:06:43Z", + "credential_accessed_at": "2023-05-16T19:06:43Z", + "authorized_credential_id": 12345681, + "authorized_credential_expires_at": "2023-06-14T19:06:43Z", + "scopes": [] + }, + { + "login": "octocat", + "credential_id": 161199, + "credential_type": "SSH key", + "credential_authorized_at": "2023-05-15T19:06:43Z", + "credential_accessed_at": "2023-05-16T19:06:43Z", + "authorized_credential_id": 12345682, + "fingerprint": "jklmnop12345678", + "authorized_credential_title": "my ssh key" } ] } @@ -175340,7 +175602,7 @@ "/orgs/{org}/credential-authorizations/{credential_id}": { "delete": { "summary": "Remove a SAML SSO authorization for an organization", - "description": "Removes a credential authorization for an organization that uses SAML SSO. Once you remove someone's credential authorization, they will need to create a new personal access token or SSH key and authorize it for the organization they want to access.\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `admin:org` scope to use this endpoint.", + "description": "Removes a credential authorization for an organization that uses SAML SSO. The credential can be a personal access token, an SSH key, an OAuth app access token, or a user-to-server token from a GitHub App. Once you remove someone's credential authorization, they will need to authorize the credential again for the organization they want to access.\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `admin:org` scope to use this endpoint.", "tags": [ "orgs" ], diff --git a/descriptions/ghec/dereferenced/ghec.2022-11-28.deref.yaml b/descriptions/ghec/dereferenced/ghec.2022-11-28.deref.yaml index edb56944c..a79975c2f 100644 --- a/descriptions/ghec/dereferenced/ghec.2022-11-28.deref.yaml +++ b/descriptions/ghec/dereferenced/ghec.2022-11-28.deref.yaml @@ -20063,6 +20063,128 @@ paths: enabledForGitHubApps: true category: enterprise-admin subcategory: credential-authorizations + "/enterprises/{enterprise}/credential-authorizations/{username}/revoke": + post: + summary: Revoke credential authorizations for a user in an enterprise + description: |- + Revokes all credential authorizations for a single user within the enterprise. + This includes any credential authorizations the user has across all organizations + in the enterprise. + + For Enterprise Managed User (EMU) enterprises, you can optionally also destroy all + credentials (PATs v1, PATs v2, and SSH keys) owned by the user by setting + the `revoke_credentials` parameter to `true`. + + This operation is performed asynchronously. A background job will be queued to process + the revocations. + + > [!WARNING] + > If you use a personal access token to call this endpoint and target yourself, that + > token may also be revoked or destroyed as part of this operation. + + The authenticated user must be an enterprise owner or have the `write_enterprise_credentials` permission to use this endpoint. + + OAuth app tokens and personal access tokens (classic) need the `admin:enterprise` scope to use this endpoint. + tags: + - enterprise-admin + operationId: enterprise-admin/revoke-credential-authorizations-for-user + externalDocs: + description: API method documentation + url: https://docs.github.com/enterprise-cloud@latest/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise + parameters: + - *41 + - &148 + name: username + description: The handle for the GitHub user account. + in: path + required: true + schema: + type: string + requestBody: + required: false + content: + application/json: + schema: + type: object + properties: + revoke_credentials: + type: boolean + description: |- + Whether to also destroy the actual credentials (PATs and SSH keys) owned by + the user. This option is only available for Enterprise Managed User (EMU) + enterprises. When set to `true`, all PATs (v1 and v2) and SSH keys owned + by the user will be destroyed in addition to the credential authorizations. + default: false + examples: + default: + value: + revoke_credentials: false + emu_with_credential_revocation: + summary: EMU enterprise with credential revocation + value: + revoke_credentials: true + responses: + '202': + description: Accepted - The revocation request has been queued + content: + application/json: + schema: + type: object + properties: + message: + type: string + description: A message indicating the revocation has been queued + warning: + type: string + description: A warning message if the token used for this request + may be revoked + examples: + default: + value: + message: Credential authorization revocation for user 'octocat' + has been queued + with_authorization_revoked_warning: + summary: Warning when the calling token may have its authorization + revoked + value: + message: Credential authorization revocation for user 'octocat' + has been queued + warning: The token used for this request may also have its authorization + revoked as part of this operation + with_credential_destroyed_warning: + summary: Warning when the calling token may be destroyed (EMU with + `revoke_credentials`) + value: + message: Credential authorization revocation for user 'octocat' + has been queued + warning: The token used for this request may also be destroyed + as part of this operation + '403': *29 + '404': *6 + '422': + description: Validation error - The target user cannot be revoked, or `revoke_credentials` + is not available for this enterprise + content: + application/json: + schema: *3 + examples: + non_emu_enterprise: + summary: "`revoke_credentials` requested on a non-EMU enterprise" + value: + message: The `revoke_credentials` option is only available for + Enterprise Managed User (EMU) enterprises + documentation_url: https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise + first_emu_owner: + summary: Target user is the first EMU owner + value: + message: The first EMU owner cannot be targeted for credential + revocation. + documentation_url: https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise + x-github: + githubCloudOnly: true + enabledForGitHubApps: true + category: enterprise-admin + subcategory: credential-authorizations "/enterprises/{enterprise}/dependabot/alerts": get: summary: List Dependabot alerts for an enterprise @@ -21698,13 +21820,7 @@ paths: url: https://docs.github.com/enterprise-cloud@latest/rest/enterprise-admin/enterprise-roles#remove-all-enterprise-roles-from-a-user parameters: - *41 - - &148 - name: username - description: The handle for the GitHub user account. - in: path - required: true - schema: - type: string + - *148 responses: '204': description: Response @@ -27189,10 +27305,22 @@ paths: - organization - repository - cost_center + - multi_user_customer + - user budget_entity_name: type: string description: The name of the entity to apply the budget to example: example-repository-name + user: + type: string + description: The user login when the budget is scoped to a + single user (`user` scope). + example: octocat + consumed_amount: + type: number + description: The consumed amount for the specified user within + the budget. Only included for `user`-scoped budgets. + example: 42.5 budget_amount: type: integer description: The budget amount in whole dollars. For license-based @@ -49974,7 +50102,7 @@ paths: get: summary: List SAML SSO authorizations for an organization description: |- - Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials are either personal access tokens or SSH keys that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on). + Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials can be personal access tokens, SSH keys, OAuth app access tokens, or user-to-server tokens from GitHub Apps that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on). The authenticated user must be an organization owner to use this endpoint. @@ -50023,13 +50151,19 @@ paths: token or key. credential_type: type: string - example: SSH Key + example: SSH key description: Human-readable description of the credential type. + enum: + - personal access token + - SSH key + - OAuth app token + - GitHub app token token_last_eight: type: string example: '12345678' description: Last eight characters of the credential. Only included - in responses with credential_type of personal access token. + in responses with a credential_type of personal access token, + OAuth app token, or GitHub app token. credential_authorized_at: type: string format: date-time @@ -50040,14 +50174,14 @@ paths: example: - user - repo - description: List of oauth scopes the token has been granted. + description: List of OAuth scopes the token has been granted. items: type: string fingerprint: type: string example: jklmnop12345678 description: Unique string to distinguish the credential. Only - included in responses with credential_type of SSH Key. + included in responses with a credential_type of SSH key. credential_accessed_at: type: string format: date-time @@ -50059,9 +50193,9 @@ paths: type: integer nullable: true example: 12345678 - description: The ID of the underlying token that was authorized - by the user. This will remain unchanged across authorizations - of the token. + description: The ID of the underlying token or key that was + authorized by the user. This will remain unchanged across + authorizations of the token or key. authorized_credential_title: type: string nullable: true @@ -50096,6 +50230,7 @@ paths: token_last_eight: 71c3fc11 credential_authorized_at: '2011-01-26T19:06:43Z' credential_accessed_at: '2011-01-26T19:06:43Z' + authorized_credential_id: 12345678 authorized_credential_expires_at: '2011-02-25T19:06:43Z' scopes: - user @@ -50105,10 +50240,39 @@ paths: credential_type: personal access token token_last_eight: Ae178B4a credential_authorized_at: '2019-03-29T19:06:43Z' - credential_accessed_at: '2011-01-26T19:06:43Z' + credential_accessed_at: '2019-04-15T19:06:43Z' + authorized_credential_id: 12345679 authorized_credential_expires_at: '2019-04-28T19:06:43Z' scopes: - repo + - login: octocat + credential_id: 161197 + credential_type: OAuth app token + token_last_eight: 9f2c4d1e + credential_authorized_at: '2023-05-15T19:06:43Z' + credential_accessed_at: '2023-05-16T19:06:43Z' + authorized_credential_id: 12345680 + authorized_credential_expires_at: '2023-06-14T19:06:43Z' + scopes: + - repo + - read:org + - login: hubot + credential_id: 161198 + credential_type: GitHub app token + token_last_eight: 3b7a0c52 + credential_authorized_at: '2023-05-15T19:06:43Z' + credential_accessed_at: '2023-05-16T19:06:43Z' + authorized_credential_id: 12345681 + authorized_credential_expires_at: '2023-06-14T19:06:43Z' + scopes: [] + - login: octocat + credential_id: 161199 + credential_type: SSH key + credential_authorized_at: '2023-05-15T19:06:43Z' + credential_accessed_at: '2023-05-16T19:06:43Z' + authorized_credential_id: 12345682 + fingerprint: jklmnop12345678 + authorized_credential_title: my ssh key x-github: githubCloudOnly: true enabledForGitHubApps: true @@ -50118,7 +50282,7 @@ paths: delete: summary: Remove a SAML SSO authorization for an organization description: |- - Removes a credential authorization for an organization that uses SAML SSO. Once you remove someone's credential authorization, they will need to create a new personal access token or SSH key and authorize it for the organization they want to access. + Removes a credential authorization for an organization that uses SAML SSO. The credential can be a personal access token, an SSH key, an OAuth app access token, or a user-to-server token from a GitHub App. Once you remove someone's credential authorization, they will need to authorize the credential again for the organization they want to access. The authenticated user must be an organization owner to use this endpoint. diff --git a/descriptions/ghec/dereferenced/ghec.2026-03-10.deref.json b/descriptions/ghec/dereferenced/ghec.2026-03-10.deref.json index 90d55cb82..69fe03330 100644 --- a/descriptions/ghec/dereferenced/ghec.2026-03-10.deref.json +++ b/descriptions/ghec/dereferenced/ghec.2026-03-10.deref.json @@ -48840,6 +48840,213 @@ } } }, + "/enterprises/{enterprise}/credential-authorizations/{username}/revoke": { + "post": { + "summary": "Revoke credential authorizations for a user in an enterprise", + "description": "Revokes all credential authorizations for a single user within the enterprise.\nThis includes any credential authorizations the user has across all organizations\nin the enterprise.\n\nFor Enterprise Managed User (EMU) enterprises, you can optionally also destroy all\ncredentials (PATs v1, PATs v2, and SSH keys) owned by the user by setting\nthe `revoke_credentials` parameter to `true`.\n\nThis operation is performed asynchronously. A background job will be queued to process\nthe revocations.\n\n> [!WARNING]\n> If you use a personal access token to call this endpoint and target yourself, that\n> token may also be revoked or destroyed as part of this operation.\n\nThe authenticated user must be an enterprise owner or have the `write_enterprise_credentials` permission to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `admin:enterprise` scope to use this endpoint.", + "tags": [ + "enterprise-admin" + ], + "operationId": "enterprise-admin/revoke-credential-authorizations-for-user", + "externalDocs": { + "description": "API method documentation", + "url": "https://docs.github.com/enterprise-cloud@latest/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise" + }, + "parameters": [ + { + "name": "enterprise", + "description": "The slug version of the enterprise name.", + "in": "path", + "required": true, + "schema": { + "type": "string" + } + }, + { + "name": "username", + "description": "The handle for the GitHub user account.", + "in": "path", + "required": true, + "schema": { + "type": "string" + } + } + ], + "requestBody": { + "required": false, + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "revoke_credentials": { + "type": "boolean", + "description": "Whether to also destroy the actual credentials (PATs and SSH keys) owned by\nthe user. This option is only available for Enterprise Managed User (EMU)\nenterprises. When set to `true`, all PATs (v1 and v2) and SSH keys owned\nby the user will be destroyed in addition to the credential authorizations.", + "default": false + } + } + }, + "examples": { + "default": { + "value": { + "revoke_credentials": false + } + }, + "emu_with_credential_revocation": { + "summary": "EMU enterprise with credential revocation", + "value": { + "revoke_credentials": true + } + } + } + } + } + }, + "responses": { + "202": { + "description": "Accepted - The revocation request has been queued", + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "message": { + "type": "string", + "description": "A message indicating the revocation has been queued" + }, + "warning": { + "type": "string", + "description": "A warning message if the token used for this request may be revoked" + } + } + }, + "examples": { + "default": { + "value": { + "message": "Credential authorization revocation for user 'octocat' has been queued" + } + }, + "with_authorization_revoked_warning": { + "summary": "Warning when the calling token may have its authorization revoked", + "value": { + "message": "Credential authorization revocation for user 'octocat' has been queued", + "warning": "The token used for this request may also have its authorization revoked as part of this operation" + } + }, + "with_credential_destroyed_warning": { + "summary": "Warning when the calling token may be destroyed (EMU with `revoke_credentials`)", + "value": { + "message": "Credential authorization revocation for user 'octocat' has been queued", + "warning": "The token used for this request may also be destroyed as part of this operation" + } + } + } + } + } + }, + "403": { + "description": "Forbidden", + "content": { + "application/json": { + "schema": { + "title": "Basic Error", + "description": "Basic Error", + "type": "object", + "properties": { + "message": { + "type": "string" + }, + "documentation_url": { + "type": "string" + }, + "url": { + "type": "string" + }, + "status": { + "type": "string" + } + } + } + } + } + }, + "404": { + "description": "Resource not found", + "content": { + "application/json": { + "schema": { + "title": "Basic Error", + "description": "Basic Error", + "type": "object", + "properties": { + "message": { + "type": "string" + }, + "documentation_url": { + "type": "string" + }, + "url": { + "type": "string" + }, + "status": { + "type": "string" + } + } + } + } + } + }, + "422": { + "description": "Validation error - The target user cannot be revoked, or `revoke_credentials` is not available for this enterprise", + "content": { + "application/json": { + "schema": { + "title": "Basic Error", + "description": "Basic Error", + "type": "object", + "properties": { + "message": { + "type": "string" + }, + "documentation_url": { + "type": "string" + }, + "url": { + "type": "string" + }, + "status": { + "type": "string" + } + } + }, + "examples": { + "non_emu_enterprise": { + "summary": "`revoke_credentials` requested on a non-EMU enterprise", + "value": { + "message": "The `revoke_credentials` option is only available for Enterprise Managed User (EMU) enterprises", + "documentation_url": "https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise" + } + }, + "first_emu_owner": { + "summary": "Target user is the first EMU owner", + "value": { + "message": "The first EMU owner cannot be targeted for credential revocation.", + "documentation_url": "https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise" + } + } + } + } + } + } + }, + "x-github": { + "githubCloudOnly": true, + "enabledForGitHubApps": true, + "category": "enterprise-admin", + "subcategory": "credential-authorizations" + } + } + }, "/enterprises/{enterprise}/dependabot/alerts": { "get": { "summary": "List Dependabot alerts for an enterprise", @@ -72700,7 +72907,9 @@ "enterprise", "organization", "repository", - "cost_center" + "cost_center", + "multi_user_customer", + "user" ] }, "budget_entity_name": { @@ -72708,6 +72917,16 @@ "description": "The name of the entity to apply the budget to", "example": "example-repository-name" }, + "user": { + "type": "string", + "description": "The user login when the budget is scoped to a single user (`user` scope).", + "example": "octocat" + }, + "consumed_amount": { + "type": "number", + "description": "The consumed amount for the specified user within the budget. Only included for `user`-scoped budgets.", + "example": 42.5 + }, "budget_amount": { "type": "integer", "description": "The budget amount in whole dollars. For license-based products, this represents the number of licenses.", @@ -171478,7 +171697,7 @@ "/orgs/{org}/credential-authorizations": { "get": { "summary": "List SAML SSO authorizations for an organization", - "description": "Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials are either personal access tokens or SSH keys that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on).\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `read:org` scope to use this endpoint.", + "description": "Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials can be personal access tokens, SSH keys, OAuth app access tokens, or user-to-server tokens from GitHub Apps that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on).\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `read:org` scope to use this endpoint.", "tags": [ "orgs" ], @@ -171547,13 +171766,19 @@ }, "credential_type": { "type": "string", - "example": "SSH Key", - "description": "Human-readable description of the credential type." + "example": "SSH key", + "description": "Human-readable description of the credential type.", + "enum": [ + "personal access token", + "SSH key", + "OAuth app token", + "GitHub app token" + ] }, "token_last_eight": { "type": "string", "example": "12345678", - "description": "Last eight characters of the credential. Only included in responses with credential_type of personal access token." + "description": "Last eight characters of the credential. Only included in responses with a credential_type of personal access token, OAuth app token, or GitHub app token." }, "credential_authorized_at": { "type": "string", @@ -171567,7 +171792,7 @@ "user", "repo" ], - "description": "List of oauth scopes the token has been granted.", + "description": "List of OAuth scopes the token has been granted.", "items": { "type": "string" } @@ -171575,7 +171800,7 @@ "fingerprint": { "type": "string", "example": "jklmnop12345678", - "description": "Unique string to distinguish the credential. Only included in responses with credential_type of SSH Key." + "description": "Unique string to distinguish the credential. Only included in responses with a credential_type of SSH key." }, "credential_accessed_at": { "type": "string", @@ -171588,7 +171813,7 @@ "type": "integer", "nullable": true, "example": 12345678, - "description": "The ID of the underlying token that was authorized by the user. This will remain unchanged across authorizations of the token." + "description": "The ID of the underlying token or key that was authorized by the user. This will remain unchanged across authorizations of the token or key." }, "authorized_credential_title": { "type": "string", @@ -171629,6 +171854,7 @@ "token_last_eight": "71c3fc11", "credential_authorized_at": "2011-01-26T19:06:43Z", "credential_accessed_at": "2011-01-26T19:06:43Z", + "authorized_credential_id": 12345678, "authorized_credential_expires_at": "2011-02-25T19:06:43Z", "scopes": [ "user", @@ -171641,11 +171867,47 @@ "credential_type": "personal access token", "token_last_eight": "Ae178B4a", "credential_authorized_at": "2019-03-29T19:06:43Z", - "credential_accessed_at": "2011-01-26T19:06:43Z", + "credential_accessed_at": "2019-04-15T19:06:43Z", + "authorized_credential_id": 12345679, "authorized_credential_expires_at": "2019-04-28T19:06:43Z", "scopes": [ "repo" ] + }, + { + "login": "octocat", + "credential_id": 161197, + "credential_type": "OAuth app token", + "token_last_eight": "9f2c4d1e", + "credential_authorized_at": "2023-05-15T19:06:43Z", + "credential_accessed_at": "2023-05-16T19:06:43Z", + "authorized_credential_id": 12345680, + "authorized_credential_expires_at": "2023-06-14T19:06:43Z", + "scopes": [ + "repo", + "read:org" + ] + }, + { + "login": "hubot", + "credential_id": 161198, + "credential_type": "GitHub app token", + "token_last_eight": "3b7a0c52", + "credential_authorized_at": "2023-05-15T19:06:43Z", + "credential_accessed_at": "2023-05-16T19:06:43Z", + "authorized_credential_id": 12345681, + "authorized_credential_expires_at": "2023-06-14T19:06:43Z", + "scopes": [] + }, + { + "login": "octocat", + "credential_id": 161199, + "credential_type": "SSH key", + "credential_authorized_at": "2023-05-15T19:06:43Z", + "credential_accessed_at": "2023-05-16T19:06:43Z", + "authorized_credential_id": 12345682, + "fingerprint": "jklmnop12345678", + "authorized_credential_title": "my ssh key" } ] } @@ -171665,7 +171927,7 @@ "/orgs/{org}/credential-authorizations/{credential_id}": { "delete": { "summary": "Remove a SAML SSO authorization for an organization", - "description": "Removes a credential authorization for an organization that uses SAML SSO. Once you remove someone's credential authorization, they will need to create a new personal access token or SSH key and authorize it for the organization they want to access.\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `admin:org` scope to use this endpoint.", + "description": "Removes a credential authorization for an organization that uses SAML SSO. The credential can be a personal access token, an SSH key, an OAuth app access token, or a user-to-server token from a GitHub App. Once you remove someone's credential authorization, they will need to authorize the credential again for the organization they want to access.\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `admin:org` scope to use this endpoint.", "tags": [ "orgs" ], diff --git a/descriptions/ghec/dereferenced/ghec.2026-03-10.deref.yaml b/descriptions/ghec/dereferenced/ghec.2026-03-10.deref.yaml index f4e549ba1..6678bafe1 100644 --- a/descriptions/ghec/dereferenced/ghec.2026-03-10.deref.yaml +++ b/descriptions/ghec/dereferenced/ghec.2026-03-10.deref.yaml @@ -20015,6 +20015,128 @@ paths: enabledForGitHubApps: true category: enterprise-admin subcategory: credential-authorizations + "/enterprises/{enterprise}/credential-authorizations/{username}/revoke": + post: + summary: Revoke credential authorizations for a user in an enterprise + description: |- + Revokes all credential authorizations for a single user within the enterprise. + This includes any credential authorizations the user has across all organizations + in the enterprise. + + For Enterprise Managed User (EMU) enterprises, you can optionally also destroy all + credentials (PATs v1, PATs v2, and SSH keys) owned by the user by setting + the `revoke_credentials` parameter to `true`. + + This operation is performed asynchronously. A background job will be queued to process + the revocations. + + > [!WARNING] + > If you use a personal access token to call this endpoint and target yourself, that + > token may also be revoked or destroyed as part of this operation. + + The authenticated user must be an enterprise owner or have the `write_enterprise_credentials` permission to use this endpoint. + + OAuth app tokens and personal access tokens (classic) need the `admin:enterprise` scope to use this endpoint. + tags: + - enterprise-admin + operationId: enterprise-admin/revoke-credential-authorizations-for-user + externalDocs: + description: API method documentation + url: https://docs.github.com/enterprise-cloud@latest/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise + parameters: + - *41 + - &148 + name: username + description: The handle for the GitHub user account. + in: path + required: true + schema: + type: string + requestBody: + required: false + content: + application/json: + schema: + type: object + properties: + revoke_credentials: + type: boolean + description: |- + Whether to also destroy the actual credentials (PATs and SSH keys) owned by + the user. This option is only available for Enterprise Managed User (EMU) + enterprises. When set to `true`, all PATs (v1 and v2) and SSH keys owned + by the user will be destroyed in addition to the credential authorizations. + default: false + examples: + default: + value: + revoke_credentials: false + emu_with_credential_revocation: + summary: EMU enterprise with credential revocation + value: + revoke_credentials: true + responses: + '202': + description: Accepted - The revocation request has been queued + content: + application/json: + schema: + type: object + properties: + message: + type: string + description: A message indicating the revocation has been queued + warning: + type: string + description: A warning message if the token used for this request + may be revoked + examples: + default: + value: + message: Credential authorization revocation for user 'octocat' + has been queued + with_authorization_revoked_warning: + summary: Warning when the calling token may have its authorization + revoked + value: + message: Credential authorization revocation for user 'octocat' + has been queued + warning: The token used for this request may also have its authorization + revoked as part of this operation + with_credential_destroyed_warning: + summary: Warning when the calling token may be destroyed (EMU with + `revoke_credentials`) + value: + message: Credential authorization revocation for user 'octocat' + has been queued + warning: The token used for this request may also be destroyed + as part of this operation + '403': *29 + '404': *6 + '422': + description: Validation error - The target user cannot be revoked, or `revoke_credentials` + is not available for this enterprise + content: + application/json: + schema: *3 + examples: + non_emu_enterprise: + summary: "`revoke_credentials` requested on a non-EMU enterprise" + value: + message: The `revoke_credentials` option is only available for + Enterprise Managed User (EMU) enterprises + documentation_url: https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise + first_emu_owner: + summary: Target user is the first EMU owner + value: + message: The first EMU owner cannot be targeted for credential + revocation. + documentation_url: https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise + x-github: + githubCloudOnly: true + enabledForGitHubApps: true + category: enterprise-admin + subcategory: credential-authorizations "/enterprises/{enterprise}/dependabot/alerts": get: summary: List Dependabot alerts for an enterprise @@ -21628,13 +21750,7 @@ paths: url: https://docs.github.com/enterprise-cloud@latest/rest/enterprise-admin/enterprise-roles#remove-all-enterprise-roles-from-a-user parameters: - *41 - - &148 - name: username - description: The handle for the GitHub user account. - in: path - required: true - schema: - type: string + - *148 responses: '204': description: Response @@ -27119,10 +27235,22 @@ paths: - organization - repository - cost_center + - multi_user_customer + - user budget_entity_name: type: string description: The name of the entity to apply the budget to example: example-repository-name + user: + type: string + description: The user login when the budget is scoped to a + single user (`user` scope). + example: octocat + consumed_amount: + type: number + description: The consumed amount for the specified user within + the budget. Only included for `user`-scoped budgets. + example: 42.5 budget_amount: type: integer description: The budget amount in whole dollars. For license-based @@ -49548,7 +49676,7 @@ paths: get: summary: List SAML SSO authorizations for an organization description: |- - Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials are either personal access tokens or SSH keys that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on). + Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials can be personal access tokens, SSH keys, OAuth app access tokens, or user-to-server tokens from GitHub Apps that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on). The authenticated user must be an organization owner to use this endpoint. @@ -49597,13 +49725,19 @@ paths: token or key. credential_type: type: string - example: SSH Key + example: SSH key description: Human-readable description of the credential type. + enum: + - personal access token + - SSH key + - OAuth app token + - GitHub app token token_last_eight: type: string example: '12345678' description: Last eight characters of the credential. Only included - in responses with credential_type of personal access token. + in responses with a credential_type of personal access token, + OAuth app token, or GitHub app token. credential_authorized_at: type: string format: date-time @@ -49614,14 +49748,14 @@ paths: example: - user - repo - description: List of oauth scopes the token has been granted. + description: List of OAuth scopes the token has been granted. items: type: string fingerprint: type: string example: jklmnop12345678 description: Unique string to distinguish the credential. Only - included in responses with credential_type of SSH Key. + included in responses with a credential_type of SSH key. credential_accessed_at: type: string format: date-time @@ -49633,9 +49767,9 @@ paths: type: integer nullable: true example: 12345678 - description: The ID of the underlying token that was authorized - by the user. This will remain unchanged across authorizations - of the token. + description: The ID of the underlying token or key that was + authorized by the user. This will remain unchanged across + authorizations of the token or key. authorized_credential_title: type: string nullable: true @@ -49670,6 +49804,7 @@ paths: token_last_eight: 71c3fc11 credential_authorized_at: '2011-01-26T19:06:43Z' credential_accessed_at: '2011-01-26T19:06:43Z' + authorized_credential_id: 12345678 authorized_credential_expires_at: '2011-02-25T19:06:43Z' scopes: - user @@ -49679,10 +49814,39 @@ paths: credential_type: personal access token token_last_eight: Ae178B4a credential_authorized_at: '2019-03-29T19:06:43Z' - credential_accessed_at: '2011-01-26T19:06:43Z' + credential_accessed_at: '2019-04-15T19:06:43Z' + authorized_credential_id: 12345679 authorized_credential_expires_at: '2019-04-28T19:06:43Z' scopes: - repo + - login: octocat + credential_id: 161197 + credential_type: OAuth app token + token_last_eight: 9f2c4d1e + credential_authorized_at: '2023-05-15T19:06:43Z' + credential_accessed_at: '2023-05-16T19:06:43Z' + authorized_credential_id: 12345680 + authorized_credential_expires_at: '2023-06-14T19:06:43Z' + scopes: + - repo + - read:org + - login: hubot + credential_id: 161198 + credential_type: GitHub app token + token_last_eight: 3b7a0c52 + credential_authorized_at: '2023-05-15T19:06:43Z' + credential_accessed_at: '2023-05-16T19:06:43Z' + authorized_credential_id: 12345681 + authorized_credential_expires_at: '2023-06-14T19:06:43Z' + scopes: [] + - login: octocat + credential_id: 161199 + credential_type: SSH key + credential_authorized_at: '2023-05-15T19:06:43Z' + credential_accessed_at: '2023-05-16T19:06:43Z' + authorized_credential_id: 12345682 + fingerprint: jklmnop12345678 + authorized_credential_title: my ssh key x-github: githubCloudOnly: true enabledForGitHubApps: true @@ -49692,7 +49856,7 @@ paths: delete: summary: Remove a SAML SSO authorization for an organization description: |- - Removes a credential authorization for an organization that uses SAML SSO. Once you remove someone's credential authorization, they will need to create a new personal access token or SSH key and authorize it for the organization they want to access. + Removes a credential authorization for an organization that uses SAML SSO. The credential can be a personal access token, an SSH key, an OAuth app access token, or a user-to-server token from a GitHub App. Once you remove someone's credential authorization, they will need to authorize the credential again for the organization they want to access. The authenticated user must be an organization owner to use this endpoint. diff --git a/descriptions/ghec/dereferenced/ghec.deref.json b/descriptions/ghec/dereferenced/ghec.deref.json index 568bb6a97..786a940c0 100644 --- a/descriptions/ghec/dereferenced/ghec.deref.json +++ b/descriptions/ghec/dereferenced/ghec.deref.json @@ -49402,6 +49402,213 @@ } } }, + "/enterprises/{enterprise}/credential-authorizations/{username}/revoke": { + "post": { + "summary": "Revoke credential authorizations for a user in an enterprise", + "description": "Revokes all credential authorizations for a single user within the enterprise.\nThis includes any credential authorizations the user has across all organizations\nin the enterprise.\n\nFor Enterprise Managed User (EMU) enterprises, you can optionally also destroy all\ncredentials (PATs v1, PATs v2, and SSH keys) owned by the user by setting\nthe `revoke_credentials` parameter to `true`.\n\nThis operation is performed asynchronously. A background job will be queued to process\nthe revocations.\n\n> [!WARNING]\n> If you use a personal access token to call this endpoint and target yourself, that\n> token may also be revoked or destroyed as part of this operation.\n\nThe authenticated user must be an enterprise owner or have the `write_enterprise_credentials` permission to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `admin:enterprise` scope to use this endpoint.", + "tags": [ + "enterprise-admin" + ], + "operationId": "enterprise-admin/revoke-credential-authorizations-for-user", + "externalDocs": { + "description": "API method documentation", + "url": "https://docs.github.com/enterprise-cloud@latest/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise" + }, + "parameters": [ + { + "name": "enterprise", + "description": "The slug version of the enterprise name.", + "in": "path", + "required": true, + "schema": { + "type": "string" + } + }, + { + "name": "username", + "description": "The handle for the GitHub user account.", + "in": "path", + "required": true, + "schema": { + "type": "string" + } + } + ], + "requestBody": { + "required": false, + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "revoke_credentials": { + "type": "boolean", + "description": "Whether to also destroy the actual credentials (PATs and SSH keys) owned by\nthe user. This option is only available for Enterprise Managed User (EMU)\nenterprises. When set to `true`, all PATs (v1 and v2) and SSH keys owned\nby the user will be destroyed in addition to the credential authorizations.", + "default": false + } + } + }, + "examples": { + "default": { + "value": { + "revoke_credentials": false + } + }, + "emu_with_credential_revocation": { + "summary": "EMU enterprise with credential revocation", + "value": { + "revoke_credentials": true + } + } + } + } + } + }, + "responses": { + "202": { + "description": "Accepted - The revocation request has been queued", + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "message": { + "type": "string", + "description": "A message indicating the revocation has been queued" + }, + "warning": { + "type": "string", + "description": "A warning message if the token used for this request may be revoked" + } + } + }, + "examples": { + "default": { + "value": { + "message": "Credential authorization revocation for user 'octocat' has been queued" + } + }, + "with_authorization_revoked_warning": { + "summary": "Warning when the calling token may have its authorization revoked", + "value": { + "message": "Credential authorization revocation for user 'octocat' has been queued", + "warning": "The token used for this request may also have its authorization revoked as part of this operation" + } + }, + "with_credential_destroyed_warning": { + "summary": "Warning when the calling token may be destroyed (EMU with `revoke_credentials`)", + "value": { + "message": "Credential authorization revocation for user 'octocat' has been queued", + "warning": "The token used for this request may also be destroyed as part of this operation" + } + } + } + } + } + }, + "403": { + "description": "Forbidden", + "content": { + "application/json": { + "schema": { + "title": "Basic Error", + "description": "Basic Error", + "type": "object", + "properties": { + "message": { + "type": "string" + }, + "documentation_url": { + "type": "string" + }, + "url": { + "type": "string" + }, + "status": { + "type": "string" + } + } + } + } + } + }, + "404": { + "description": "Resource not found", + "content": { + "application/json": { + "schema": { + "title": "Basic Error", + "description": "Basic Error", + "type": "object", + "properties": { + "message": { + "type": "string" + }, + "documentation_url": { + "type": "string" + }, + "url": { + "type": "string" + }, + "status": { + "type": "string" + } + } + } + } + } + }, + "422": { + "description": "Validation error - The target user cannot be revoked, or `revoke_credentials` is not available for this enterprise", + "content": { + "application/json": { + "schema": { + "title": "Basic Error", + "description": "Basic Error", + "type": "object", + "properties": { + "message": { + "type": "string" + }, + "documentation_url": { + "type": "string" + }, + "url": { + "type": "string" + }, + "status": { + "type": "string" + } + } + }, + "examples": { + "non_emu_enterprise": { + "summary": "`revoke_credentials` requested on a non-EMU enterprise", + "value": { + "message": "The `revoke_credentials` option is only available for Enterprise Managed User (EMU) enterprises", + "documentation_url": "https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise" + } + }, + "first_emu_owner": { + "summary": "Target user is the first EMU owner", + "value": { + "message": "The first EMU owner cannot be targeted for credential revocation.", + "documentation_url": "https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise" + } + } + } + } + } + } + }, + "x-github": { + "githubCloudOnly": true, + "enabledForGitHubApps": true, + "category": "enterprise-admin", + "subcategory": "credential-authorizations" + } + } + }, "/enterprises/{enterprise}/dependabot/alerts": { "get": { "summary": "List Dependabot alerts for an enterprise", @@ -73313,7 +73520,9 @@ "enterprise", "organization", "repository", - "cost_center" + "cost_center", + "multi_user_customer", + "user" ] }, "budget_entity_name": { @@ -73321,6 +73530,16 @@ "description": "The name of the entity to apply the budget to", "example": "example-repository-name" }, + "user": { + "type": "string", + "description": "The user login when the budget is scoped to a single user (`user` scope).", + "example": "octocat" + }, + "consumed_amount": { + "type": "number", + "description": "The consumed amount for the specified user within the budget. Only included for `user`-scoped budgets.", + "example": 42.5 + }, "budget_amount": { "type": "integer", "description": "The budget amount in whole dollars. For license-based products, this represents the number of licenses.", @@ -177568,7 +177787,7 @@ "/orgs/{org}/credential-authorizations": { "get": { "summary": "List SAML SSO authorizations for an organization", - "description": "Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials are either personal access tokens or SSH keys that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on).\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `read:org` scope to use this endpoint.", + "description": "Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials can be personal access tokens, SSH keys, OAuth app access tokens, or user-to-server tokens from GitHub Apps that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on).\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `read:org` scope to use this endpoint.", "tags": [ "orgs" ], @@ -177637,13 +177856,19 @@ }, "credential_type": { "type": "string", - "example": "SSH Key", - "description": "Human-readable description of the credential type." + "example": "SSH key", + "description": "Human-readable description of the credential type.", + "enum": [ + "personal access token", + "SSH key", + "OAuth app token", + "GitHub app token" + ] }, "token_last_eight": { "type": "string", "example": "12345678", - "description": "Last eight characters of the credential. Only included in responses with credential_type of personal access token." + "description": "Last eight characters of the credential. Only included in responses with a credential_type of personal access token, OAuth app token, or GitHub app token." }, "credential_authorized_at": { "type": "string", @@ -177657,7 +177882,7 @@ "user", "repo" ], - "description": "List of oauth scopes the token has been granted.", + "description": "List of OAuth scopes the token has been granted.", "items": { "type": "string" } @@ -177665,7 +177890,7 @@ "fingerprint": { "type": "string", "example": "jklmnop12345678", - "description": "Unique string to distinguish the credential. Only included in responses with credential_type of SSH Key." + "description": "Unique string to distinguish the credential. Only included in responses with a credential_type of SSH key." }, "credential_accessed_at": { "type": "string", @@ -177678,7 +177903,7 @@ "type": "integer", "nullable": true, "example": 12345678, - "description": "The ID of the underlying token that was authorized by the user. This will remain unchanged across authorizations of the token." + "description": "The ID of the underlying token or key that was authorized by the user. This will remain unchanged across authorizations of the token or key." }, "authorized_credential_title": { "type": "string", @@ -177719,6 +177944,7 @@ "token_last_eight": "71c3fc11", "credential_authorized_at": "2011-01-26T19:06:43Z", "credential_accessed_at": "2011-01-26T19:06:43Z", + "authorized_credential_id": 12345678, "authorized_credential_expires_at": "2011-02-25T19:06:43Z", "scopes": [ "user", @@ -177731,11 +177957,47 @@ "credential_type": "personal access token", "token_last_eight": "Ae178B4a", "credential_authorized_at": "2019-03-29T19:06:43Z", - "credential_accessed_at": "2011-01-26T19:06:43Z", + "credential_accessed_at": "2019-04-15T19:06:43Z", + "authorized_credential_id": 12345679, "authorized_credential_expires_at": "2019-04-28T19:06:43Z", "scopes": [ "repo" ] + }, + { + "login": "octocat", + "credential_id": 161197, + "credential_type": "OAuth app token", + "token_last_eight": "9f2c4d1e", + "credential_authorized_at": "2023-05-15T19:06:43Z", + "credential_accessed_at": "2023-05-16T19:06:43Z", + "authorized_credential_id": 12345680, + "authorized_credential_expires_at": "2023-06-14T19:06:43Z", + "scopes": [ + "repo", + "read:org" + ] + }, + { + "login": "hubot", + "credential_id": 161198, + "credential_type": "GitHub app token", + "token_last_eight": "3b7a0c52", + "credential_authorized_at": "2023-05-15T19:06:43Z", + "credential_accessed_at": "2023-05-16T19:06:43Z", + "authorized_credential_id": 12345681, + "authorized_credential_expires_at": "2023-06-14T19:06:43Z", + "scopes": [] + }, + { + "login": "octocat", + "credential_id": 161199, + "credential_type": "SSH key", + "credential_authorized_at": "2023-05-15T19:06:43Z", + "credential_accessed_at": "2023-05-16T19:06:43Z", + "authorized_credential_id": 12345682, + "fingerprint": "jklmnop12345678", + "authorized_credential_title": "my ssh key" } ] } @@ -177755,7 +178017,7 @@ "/orgs/{org}/credential-authorizations/{credential_id}": { "delete": { "summary": "Remove a SAML SSO authorization for an organization", - "description": "Removes a credential authorization for an organization that uses SAML SSO. Once you remove someone's credential authorization, they will need to create a new personal access token or SSH key and authorize it for the organization they want to access.\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `admin:org` scope to use this endpoint.", + "description": "Removes a credential authorization for an organization that uses SAML SSO. The credential can be a personal access token, an SSH key, an OAuth app access token, or a user-to-server token from a GitHub App. Once you remove someone's credential authorization, they will need to authorize the credential again for the organization they want to access.\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `admin:org` scope to use this endpoint.", "tags": [ "orgs" ], diff --git a/descriptions/ghec/dereferenced/ghec.deref.yaml b/descriptions/ghec/dereferenced/ghec.deref.yaml index 0d832170a..2dc6a22a3 100644 --- a/descriptions/ghec/dereferenced/ghec.deref.yaml +++ b/descriptions/ghec/dereferenced/ghec.deref.yaml @@ -20217,6 +20217,128 @@ paths: enabledForGitHubApps: true category: enterprise-admin subcategory: credential-authorizations + "/enterprises/{enterprise}/credential-authorizations/{username}/revoke": + post: + summary: Revoke credential authorizations for a user in an enterprise + description: |- + Revokes all credential authorizations for a single user within the enterprise. + This includes any credential authorizations the user has across all organizations + in the enterprise. + + For Enterprise Managed User (EMU) enterprises, you can optionally also destroy all + credentials (PATs v1, PATs v2, and SSH keys) owned by the user by setting + the `revoke_credentials` parameter to `true`. + + This operation is performed asynchronously. A background job will be queued to process + the revocations. + + > [!WARNING] + > If you use a personal access token to call this endpoint and target yourself, that + > token may also be revoked or destroyed as part of this operation. + + The authenticated user must be an enterprise owner or have the `write_enterprise_credentials` permission to use this endpoint. + + OAuth app tokens and personal access tokens (classic) need the `admin:enterprise` scope to use this endpoint. + tags: + - enterprise-admin + operationId: enterprise-admin/revoke-credential-authorizations-for-user + externalDocs: + description: API method documentation + url: https://docs.github.com/enterprise-cloud@latest/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise + parameters: + - *41 + - &148 + name: username + description: The handle for the GitHub user account. + in: path + required: true + schema: + type: string + requestBody: + required: false + content: + application/json: + schema: + type: object + properties: + revoke_credentials: + type: boolean + description: |- + Whether to also destroy the actual credentials (PATs and SSH keys) owned by + the user. This option is only available for Enterprise Managed User (EMU) + enterprises. When set to `true`, all PATs (v1 and v2) and SSH keys owned + by the user will be destroyed in addition to the credential authorizations. + default: false + examples: + default: + value: + revoke_credentials: false + emu_with_credential_revocation: + summary: EMU enterprise with credential revocation + value: + revoke_credentials: true + responses: + '202': + description: Accepted - The revocation request has been queued + content: + application/json: + schema: + type: object + properties: + message: + type: string + description: A message indicating the revocation has been queued + warning: + type: string + description: A warning message if the token used for this request + may be revoked + examples: + default: + value: + message: Credential authorization revocation for user 'octocat' + has been queued + with_authorization_revoked_warning: + summary: Warning when the calling token may have its authorization + revoked + value: + message: Credential authorization revocation for user 'octocat' + has been queued + warning: The token used for this request may also have its authorization + revoked as part of this operation + with_credential_destroyed_warning: + summary: Warning when the calling token may be destroyed (EMU with + `revoke_credentials`) + value: + message: Credential authorization revocation for user 'octocat' + has been queued + warning: The token used for this request may also be destroyed + as part of this operation + '403': *29 + '404': *6 + '422': + description: Validation error - The target user cannot be revoked, or `revoke_credentials` + is not available for this enterprise + content: + application/json: + schema: *3 + examples: + non_emu_enterprise: + summary: "`revoke_credentials` requested on a non-EMU enterprise" + value: + message: The `revoke_credentials` option is only available for + Enterprise Managed User (EMU) enterprises + documentation_url: https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise + first_emu_owner: + summary: Target user is the first EMU owner + value: + message: The first EMU owner cannot be targeted for credential + revocation. + documentation_url: https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise + x-github: + githubCloudOnly: true + enabledForGitHubApps: true + category: enterprise-admin + subcategory: credential-authorizations "/enterprises/{enterprise}/dependabot/alerts": get: summary: List Dependabot alerts for an enterprise @@ -21871,13 +21993,7 @@ paths: url: https://docs.github.com/enterprise-cloud@latest/rest/enterprise-admin/enterprise-roles#remove-all-enterprise-roles-from-a-user parameters: - *41 - - &148 - name: username - description: The handle for the GitHub user account. - in: path - required: true - schema: - type: string + - *148 responses: '204': description: Response @@ -27362,10 +27478,22 @@ paths: - organization - repository - cost_center + - multi_user_customer + - user budget_entity_name: type: string description: The name of the entity to apply the budget to example: example-repository-name + user: + type: string + description: The user login when the budget is scoped to a + single user (`user` scope). + example: octocat + consumed_amount: + type: number + description: The consumed amount for the specified user within + the budget. Only included for `user`-scoped budgets. + example: 42.5 budget_amount: type: integer description: The budget amount in whole dollars. For license-based @@ -50309,7 +50437,7 @@ paths: get: summary: List SAML SSO authorizations for an organization description: |- - Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials are either personal access tokens or SSH keys that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on). + Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials can be personal access tokens, SSH keys, OAuth app access tokens, or user-to-server tokens from GitHub Apps that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on). The authenticated user must be an organization owner to use this endpoint. @@ -50358,13 +50486,19 @@ paths: token or key. credential_type: type: string - example: SSH Key + example: SSH key description: Human-readable description of the credential type. + enum: + - personal access token + - SSH key + - OAuth app token + - GitHub app token token_last_eight: type: string example: '12345678' description: Last eight characters of the credential. Only included - in responses with credential_type of personal access token. + in responses with a credential_type of personal access token, + OAuth app token, or GitHub app token. credential_authorized_at: type: string format: date-time @@ -50375,14 +50509,14 @@ paths: example: - user - repo - description: List of oauth scopes the token has been granted. + description: List of OAuth scopes the token has been granted. items: type: string fingerprint: type: string example: jklmnop12345678 description: Unique string to distinguish the credential. Only - included in responses with credential_type of SSH Key. + included in responses with a credential_type of SSH key. credential_accessed_at: type: string format: date-time @@ -50394,9 +50528,9 @@ paths: type: integer nullable: true example: 12345678 - description: The ID of the underlying token that was authorized - by the user. This will remain unchanged across authorizations - of the token. + description: The ID of the underlying token or key that was + authorized by the user. This will remain unchanged across + authorizations of the token or key. authorized_credential_title: type: string nullable: true @@ -50431,6 +50565,7 @@ paths: token_last_eight: 71c3fc11 credential_authorized_at: '2011-01-26T19:06:43Z' credential_accessed_at: '2011-01-26T19:06:43Z' + authorized_credential_id: 12345678 authorized_credential_expires_at: '2011-02-25T19:06:43Z' scopes: - user @@ -50440,10 +50575,39 @@ paths: credential_type: personal access token token_last_eight: Ae178B4a credential_authorized_at: '2019-03-29T19:06:43Z' - credential_accessed_at: '2011-01-26T19:06:43Z' + credential_accessed_at: '2019-04-15T19:06:43Z' + authorized_credential_id: 12345679 authorized_credential_expires_at: '2019-04-28T19:06:43Z' scopes: - repo + - login: octocat + credential_id: 161197 + credential_type: OAuth app token + token_last_eight: 9f2c4d1e + credential_authorized_at: '2023-05-15T19:06:43Z' + credential_accessed_at: '2023-05-16T19:06:43Z' + authorized_credential_id: 12345680 + authorized_credential_expires_at: '2023-06-14T19:06:43Z' + scopes: + - repo + - read:org + - login: hubot + credential_id: 161198 + credential_type: GitHub app token + token_last_eight: 3b7a0c52 + credential_authorized_at: '2023-05-15T19:06:43Z' + credential_accessed_at: '2023-05-16T19:06:43Z' + authorized_credential_id: 12345681 + authorized_credential_expires_at: '2023-06-14T19:06:43Z' + scopes: [] + - login: octocat + credential_id: 161199 + credential_type: SSH key + credential_authorized_at: '2023-05-15T19:06:43Z' + credential_accessed_at: '2023-05-16T19:06:43Z' + authorized_credential_id: 12345682 + fingerprint: jklmnop12345678 + authorized_credential_title: my ssh key x-github: githubCloudOnly: true enabledForGitHubApps: true @@ -50453,7 +50617,7 @@ paths: delete: summary: Remove a SAML SSO authorization for an organization description: |- - Removes a credential authorization for an organization that uses SAML SSO. Once you remove someone's credential authorization, they will need to create a new personal access token or SSH key and authorize it for the organization they want to access. + Removes a credential authorization for an organization that uses SAML SSO. The credential can be a personal access token, an SSH key, an OAuth app access token, or a user-to-server token from a GitHub App. Once you remove someone's credential authorization, they will need to authorize the credential again for the organization they want to access. The authenticated user must be an organization owner to use this endpoint. diff --git a/descriptions/ghec/ghec.2022-11-28.json b/descriptions/ghec/ghec.2022-11-28.json index 81af5bdf9..0f26b618c 100644 --- a/descriptions/ghec/ghec.2022-11-28.json +++ b/descriptions/ghec/ghec.2022-11-28.json @@ -13789,6 +13789,139 @@ } } }, + "/enterprises/{enterprise}/credential-authorizations/{username}/revoke": { + "post": { + "summary": "Revoke credential authorizations for a user in an enterprise", + "description": "Revokes all credential authorizations for a single user within the enterprise.\nThis includes any credential authorizations the user has across all organizations\nin the enterprise.\n\nFor Enterprise Managed User (EMU) enterprises, you can optionally also destroy all\ncredentials (PATs v1, PATs v2, and SSH keys) owned by the user by setting\nthe `revoke_credentials` parameter to `true`.\n\nThis operation is performed asynchronously. A background job will be queued to process\nthe revocations.\n\n> [!WARNING]\n> If you use a personal access token to call this endpoint and target yourself, that\n> token may also be revoked or destroyed as part of this operation.\n\nThe authenticated user must be an enterprise owner or have the `write_enterprise_credentials` permission to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `admin:enterprise` scope to use this endpoint.", + "tags": [ + "enterprise-admin" + ], + "operationId": "enterprise-admin/revoke-credential-authorizations-for-user", + "externalDocs": { + "description": "API method documentation", + "url": "https://docs.github.com/enterprise-cloud@latest/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise" + }, + "parameters": [ + { + "$ref": "#/components/parameters/enterprise" + }, + { + "$ref": "#/components/parameters/username" + } + ], + "requestBody": { + "required": false, + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "revoke_credentials": { + "type": "boolean", + "description": "Whether to also destroy the actual credentials (PATs and SSH keys) owned by\nthe user. This option is only available for Enterprise Managed User (EMU)\nenterprises. When set to `true`, all PATs (v1 and v2) and SSH keys owned\nby the user will be destroyed in addition to the credential authorizations.", + "default": false + } + } + }, + "examples": { + "default": { + "value": { + "revoke_credentials": false + } + }, + "emu_with_credential_revocation": { + "summary": "EMU enterprise with credential revocation", + "value": { + "revoke_credentials": true + } + } + } + } + } + }, + "responses": { + "202": { + "description": "Accepted - The revocation request has been queued", + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "message": { + "type": "string", + "description": "A message indicating the revocation has been queued" + }, + "warning": { + "type": "string", + "description": "A warning message if the token used for this request may be revoked" + } + } + }, + "examples": { + "default": { + "value": { + "message": "Credential authorization revocation for user 'octocat' has been queued" + } + }, + "with_authorization_revoked_warning": { + "summary": "Warning when the calling token may have its authorization revoked", + "value": { + "message": "Credential authorization revocation for user 'octocat' has been queued", + "warning": "The token used for this request may also have its authorization revoked as part of this operation" + } + }, + "with_credential_destroyed_warning": { + "summary": "Warning when the calling token may be destroyed (EMU with `revoke_credentials`)", + "value": { + "message": "Credential authorization revocation for user 'octocat' has been queued", + "warning": "The token used for this request may also be destroyed as part of this operation" + } + } + } + } + } + }, + "403": { + "$ref": "#/components/responses/forbidden" + }, + "404": { + "$ref": "#/components/responses/not_found" + }, + "422": { + "description": "Validation error - The target user cannot be revoked, or `revoke_credentials` is not available for this enterprise", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/basic-error" + }, + "examples": { + "non_emu_enterprise": { + "summary": "`revoke_credentials` requested on a non-EMU enterprise", + "value": { + "message": "The `revoke_credentials` option is only available for Enterprise Managed User (EMU) enterprises", + "documentation_url": "https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise" + } + }, + "first_emu_owner": { + "summary": "Target user is the first EMU owner", + "value": { + "message": "The first EMU owner cannot be targeted for credential revocation.", + "documentation_url": "https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise" + } + } + } + } + } + } + }, + "x-github": { + "githubCloudOnly": true, + "enabledForGitHubApps": true, + "category": "enterprise-admin", + "subcategory": "credential-authorizations" + } + } + }, "/enterprises/{enterprise}/dependabot/alerts": { "get": { "summary": "List Dependabot alerts for an enterprise", @@ -36985,7 +37118,7 @@ "/orgs/{org}/credential-authorizations": { "get": { "summary": "List SAML SSO authorizations for an organization", - "description": "Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials are either personal access tokens or SSH keys that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on).\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `read:org` scope to use this endpoint.", + "description": "Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials can be personal access tokens, SSH keys, OAuth app access tokens, or user-to-server tokens from GitHub Apps that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on).\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `read:org` scope to use this endpoint.", "tags": [ "orgs" ], @@ -37049,7 +37182,7 @@ "/orgs/{org}/credential-authorizations/{credential_id}": { "delete": { "summary": "Remove a SAML SSO authorization for an organization", - "description": "Removes a credential authorization for an organization that uses SAML SSO. Once you remove someone's credential authorization, they will need to create a new personal access token or SSH key and authorize it for the organization they want to access.\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `admin:org` scope to use this endpoint.", + "description": "Removes a credential authorization for an organization that uses SAML SSO. The credential can be a personal access token, an SSH key, an OAuth app access token, or a user-to-server token from a GitHub App. Once you remove someone's credential authorization, they will need to authorize the credential again for the organization they want to access.\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `admin:org` scope to use this endpoint.", "tags": [ "orgs" ], @@ -142428,7 +142561,9 @@ "enterprise", "organization", "repository", - "cost_center" + "cost_center", + "multi_user_customer", + "user" ] }, "budget_entity_name": { @@ -142436,6 +142571,16 @@ "description": "The name of the entity to apply the budget to", "example": "example-repository-name" }, + "user": { + "type": "string", + "description": "The user login when the budget is scoped to a single user (`user` scope).", + "example": "octocat" + }, + "consumed_amount": { + "type": "number", + "description": "The consumed amount for the specified user within the budget. Only included for `user`-scoped budgets.", + "example": 42.5 + }, "budget_amount": { "type": "integer", "description": "The budget amount in whole dollars. For license-based products, this represents the number of licenses.", @@ -149061,13 +149206,19 @@ }, "credential_type": { "type": "string", - "example": "SSH Key", - "description": "Human-readable description of the credential type." + "example": "SSH key", + "description": "Human-readable description of the credential type.", + "enum": [ + "personal access token", + "SSH key", + "OAuth app token", + "GitHub app token" + ] }, "token_last_eight": { "type": "string", "example": "12345678", - "description": "Last eight characters of the credential. Only included in responses with credential_type of personal access token." + "description": "Last eight characters of the credential. Only included in responses with a credential_type of personal access token, OAuth app token, or GitHub app token." }, "credential_authorized_at": { "type": "string", @@ -149081,7 +149232,7 @@ "user", "repo" ], - "description": "List of oauth scopes the token has been granted.", + "description": "List of OAuth scopes the token has been granted.", "items": { "type": "string" } @@ -149089,7 +149240,7 @@ "fingerprint": { "type": "string", "example": "jklmnop12345678", - "description": "Unique string to distinguish the credential. Only included in responses with credential_type of SSH Key." + "description": "Unique string to distinguish the credential. Only included in responses with a credential_type of SSH key." }, "credential_accessed_at": { "type": "string", @@ -149102,7 +149253,7 @@ "type": "integer", "nullable": true, "example": 12345678, - "description": "The ID of the underlying token that was authorized by the user. This will remain unchanged across authorizations of the token." + "description": "The ID of the underlying token or key that was authorized by the user. This will remain unchanged across authorizations of the token or key." }, "authorized_credential_title": { "type": "string", @@ -329032,6 +329183,7 @@ "token_last_eight": "71c3fc11", "credential_authorized_at": "2011-01-26T19:06:43Z", "credential_accessed_at": "2011-01-26T19:06:43Z", + "authorized_credential_id": 12345678, "authorized_credential_expires_at": "2011-02-25T19:06:43Z", "scopes": [ "user", @@ -329044,11 +329196,47 @@ "credential_type": "personal access token", "token_last_eight": "Ae178B4a", "credential_authorized_at": "2019-03-29T19:06:43Z", - "credential_accessed_at": "2011-01-26T19:06:43Z", + "credential_accessed_at": "2019-04-15T19:06:43Z", + "authorized_credential_id": 12345679, "authorized_credential_expires_at": "2019-04-28T19:06:43Z", "scopes": [ "repo" ] + }, + { + "login": "octocat", + "credential_id": 161197, + "credential_type": "OAuth app token", + "token_last_eight": "9f2c4d1e", + "credential_authorized_at": "2023-05-15T19:06:43Z", + "credential_accessed_at": "2023-05-16T19:06:43Z", + "authorized_credential_id": 12345680, + "authorized_credential_expires_at": "2023-06-14T19:06:43Z", + "scopes": [ + "repo", + "read:org" + ] + }, + { + "login": "hubot", + "credential_id": 161198, + "credential_type": "GitHub app token", + "token_last_eight": "3b7a0c52", + "credential_authorized_at": "2023-05-15T19:06:43Z", + "credential_accessed_at": "2023-05-16T19:06:43Z", + "authorized_credential_id": 12345681, + "authorized_credential_expires_at": "2023-06-14T19:06:43Z", + "scopes": [] + }, + { + "login": "octocat", + "credential_id": 161199, + "credential_type": "SSH key", + "credential_authorized_at": "2023-05-15T19:06:43Z", + "credential_accessed_at": "2023-05-16T19:06:43Z", + "authorized_credential_id": 12345682, + "fingerprint": "jklmnop12345678", + "authorized_credential_title": "my ssh key" } ] }, @@ -355197,6 +355385,15 @@ "example": "2025-10-13" } }, + "username": { + "name": "username", + "description": "The handle for the GitHub user account.", + "in": "path", + "required": true, + "schema": { + "type": "string" + } + }, "dependabot-alert-comma-separated-classifications": { "name": "classification", "in": "query", @@ -355337,15 +355534,6 @@ "type": "integer" } }, - "username": { - "name": "username", - "description": "The handle for the GitHub user account.", - "in": "path", - "required": true, - "schema": { - "type": "string" - } - }, "network-configuration-id": { "name": "network_configuration_id", "description": "Unique identifier of the hosted compute network configuration.", diff --git a/descriptions/ghec/ghec.2022-11-28.yaml b/descriptions/ghec/ghec.2022-11-28.yaml index 8b1fb49b9..589099f77 100644 --- a/descriptions/ghec/ghec.2022-11-28.yaml +++ b/descriptions/ghec/ghec.2022-11-28.yaml @@ -10206,6 +10206,125 @@ paths: enabledForGitHubApps: true category: enterprise-admin subcategory: credential-authorizations + "/enterprises/{enterprise}/credential-authorizations/{username}/revoke": + post: + summary: Revoke credential authorizations for a user in an enterprise + description: |- + Revokes all credential authorizations for a single user within the enterprise. + This includes any credential authorizations the user has across all organizations + in the enterprise. + + For Enterprise Managed User (EMU) enterprises, you can optionally also destroy all + credentials (PATs v1, PATs v2, and SSH keys) owned by the user by setting + the `revoke_credentials` parameter to `true`. + + This operation is performed asynchronously. A background job will be queued to process + the revocations. + + > [!WARNING] + > If you use a personal access token to call this endpoint and target yourself, that + > token may also be revoked or destroyed as part of this operation. + + The authenticated user must be an enterprise owner or have the `write_enterprise_credentials` permission to use this endpoint. + + OAuth app tokens and personal access tokens (classic) need the `admin:enterprise` scope to use this endpoint. + tags: + - enterprise-admin + operationId: enterprise-admin/revoke-credential-authorizations-for-user + externalDocs: + description: API method documentation + url: https://docs.github.com/enterprise-cloud@latest/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise + parameters: + - "$ref": "#/components/parameters/enterprise" + - "$ref": "#/components/parameters/username" + requestBody: + required: false + content: + application/json: + schema: + type: object + properties: + revoke_credentials: + type: boolean + description: |- + Whether to also destroy the actual credentials (PATs and SSH keys) owned by + the user. This option is only available for Enterprise Managed User (EMU) + enterprises. When set to `true`, all PATs (v1 and v2) and SSH keys owned + by the user will be destroyed in addition to the credential authorizations. + default: false + examples: + default: + value: + revoke_credentials: false + emu_with_credential_revocation: + summary: EMU enterprise with credential revocation + value: + revoke_credentials: true + responses: + '202': + description: Accepted - The revocation request has been queued + content: + application/json: + schema: + type: object + properties: + message: + type: string + description: A message indicating the revocation has been queued + warning: + type: string + description: A warning message if the token used for this request + may be revoked + examples: + default: + value: + message: Credential authorization revocation for user 'octocat' + has been queued + with_authorization_revoked_warning: + summary: Warning when the calling token may have its authorization + revoked + value: + message: Credential authorization revocation for user 'octocat' + has been queued + warning: The token used for this request may also have its authorization + revoked as part of this operation + with_credential_destroyed_warning: + summary: Warning when the calling token may be destroyed (EMU with + `revoke_credentials`) + value: + message: Credential authorization revocation for user 'octocat' + has been queued + warning: The token used for this request may also be destroyed + as part of this operation + '403': + "$ref": "#/components/responses/forbidden" + '404': + "$ref": "#/components/responses/not_found" + '422': + description: Validation error - The target user cannot be revoked, or `revoke_credentials` + is not available for this enterprise + content: + application/json: + schema: + "$ref": "#/components/schemas/basic-error" + examples: + non_emu_enterprise: + summary: "`revoke_credentials` requested on a non-EMU enterprise" + value: + message: The `revoke_credentials` option is only available for + Enterprise Managed User (EMU) enterprises + documentation_url: https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise + first_emu_owner: + summary: Target user is the first EMU owner + value: + message: The first EMU owner cannot be targeted for credential + revocation. + documentation_url: https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise + x-github: + githubCloudOnly: true + enabledForGitHubApps: true + category: enterprise-admin + subcategory: credential-authorizations "/enterprises/{enterprise}/dependabot/alerts": get: summary: List Dependabot alerts for an enterprise @@ -27243,7 +27362,7 @@ paths: get: summary: List SAML SSO authorizations for an organization description: |- - Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials are either personal access tokens or SSH keys that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on). + Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials can be personal access tokens, SSH keys, OAuth app access tokens, or user-to-server tokens from GitHub Apps that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on). The authenticated user must be an organization owner to use this endpoint. @@ -27289,7 +27408,7 @@ paths: delete: summary: Remove a SAML SSO authorization for an organization description: |- - Removes a credential authorization for an organization that uses SAML SSO. Once you remove someone's credential authorization, they will need to create a new personal access token or SSH key and authorize it for the organization they want to access. + Removes a credential authorization for an organization that uses SAML SSO. The credential can be a personal access token, an SSH key, an OAuth app access token, or a user-to-server token from a GitHub App. Once you remove someone's credential authorization, they will need to authorize the credential again for the organization they want to access. The authenticated user must be an organization owner to use this endpoint. @@ -104081,10 +104200,22 @@ components: - organization - repository - cost_center + - multi_user_customer + - user budget_entity_name: type: string description: The name of the entity to apply the budget to example: example-repository-name + user: + type: string + description: The user login when the budget is scoped to a single user + (`user` scope). + example: octocat + consumed_amount: + type: number + description: The consumed amount for the specified user within the budget. + Only included for `user`-scoped budgets. + example: 42.5 budget_amount: type: integer description: The budget amount in whole dollars. For license-based products, @@ -109235,13 +109366,19 @@ components: Use this to revoke authorization of the underlying token or key. credential_type: type: string - example: SSH Key + example: SSH key description: Human-readable description of the credential type. + enum: + - personal access token + - SSH key + - OAuth app token + - GitHub app token token_last_eight: type: string example: '12345678' description: Last eight characters of the credential. Only included in responses - with credential_type of personal access token. + with a credential_type of personal access token, OAuth app token, or GitHub + app token. credential_authorized_at: type: string format: date-time @@ -109252,14 +109389,14 @@ components: example: - user - repo - description: List of oauth scopes the token has been granted. + description: List of OAuth scopes the token has been granted. items: type: string fingerprint: type: string example: jklmnop12345678 description: Unique string to distinguish the credential. Only included - in responses with credential_type of SSH Key. + in responses with a credential_type of SSH key. credential_accessed_at: type: string format: date-time @@ -109271,8 +109408,9 @@ components: type: integer nullable: true example: 12345678 - description: The ID of the underlying token that was authorized by the user. - This will remain unchanged across authorizations of the token. + description: The ID of the underlying token or key that was authorized by + the user. This will remain unchanged across authorizations of the token + or key. authorized_credential_title: type: string nullable: true @@ -246363,6 +246501,7 @@ components: token_last_eight: 71c3fc11 credential_authorized_at: '2011-01-26T19:06:43Z' credential_accessed_at: '2011-01-26T19:06:43Z' + authorized_credential_id: 12345678 authorized_credential_expires_at: '2011-02-25T19:06:43Z' scopes: - user @@ -246372,10 +246511,39 @@ components: credential_type: personal access token token_last_eight: Ae178B4a credential_authorized_at: '2019-03-29T19:06:43Z' - credential_accessed_at: '2011-01-26T19:06:43Z' + credential_accessed_at: '2019-04-15T19:06:43Z' + authorized_credential_id: 12345679 authorized_credential_expires_at: '2019-04-28T19:06:43Z' scopes: - repo + - login: octocat + credential_id: 161197 + credential_type: OAuth app token + token_last_eight: 9f2c4d1e + creden{"code":"deadline_exceeded","msg":"operation timed out"}