diff --git a/descriptions-next/api.github.com/api.github.com.2022-11-28.json b/descriptions-next/api.github.com/api.github.com.2022-11-28.json index f69092c82..ed9197792 100644 --- a/descriptions-next/api.github.com/api.github.com.2022-11-28.json +++ b/descriptions-next/api.github.com/api.github.com.2022-11-28.json @@ -123894,7 +123894,9 @@ "enterprise", "organization", "repository", - "cost_center" + "cost_center", + "multi_user_customer", + "user" ], "examples": [ "enterprise" @@ -123907,6 +123909,20 @@ "example-repository-name" ] }, + "user": { + "type": "string", + "description": "The user login when the budget is scoped to a single user (`user` scope).", + "examples": [ + "octocat" + ] + }, + "consumed_amount": { + "type": "number", + "description": "The consumed amount for the specified user within the budget. Only included for `user`-scoped budgets.", + "examples": [ + 42.5 + ] + }, "budget_amount": { "type": "integer", "description": "The budget amount in whole dollars. For license-based products, this represents the number of licenses.", diff --git a/descriptions-next/api.github.com/api.github.com.2022-11-28.yaml b/descriptions-next/api.github.com/api.github.com.2022-11-28.yaml index 570a8976e..0eedb550c 100644 --- a/descriptions-next/api.github.com/api.github.com.2022-11-28.yaml +++ b/descriptions-next/api.github.com/api.github.com.2022-11-28.yaml @@ -90077,6 +90077,8 @@ components: - organization - repository - cost_center + - multi_user_customer + - user examples: - enterprise budget_entity_name: @@ -90084,6 +90086,18 @@ components: description: The name of the entity to apply the budget to examples: - example-repository-name + user: + type: string + description: The user login when the budget is scoped to a single user + (`user` scope). + examples: + - octocat + consumed_amount: + type: number + description: The consumed amount for the specified user within the budget. + Only included for `user`-scoped budgets. + examples: + - 42.5 budget_amount: type: integer description: The budget amount in whole dollars. For license-based products, diff --git a/descriptions-next/api.github.com/api.github.com.2026-03-10.json b/descriptions-next/api.github.com/api.github.com.2026-03-10.json index 4e8209ba4..c36fa4edc 100644 --- a/descriptions-next/api.github.com/api.github.com.2026-03-10.json +++ b/descriptions-next/api.github.com/api.github.com.2026-03-10.json @@ -123337,7 +123337,9 @@ "enterprise", "organization", "repository", - "cost_center" + "cost_center", + "multi_user_customer", + "user" ], "examples": [ "enterprise" @@ -123350,6 +123352,20 @@ "example-repository-name" ] }, + "user": { + "type": "string", + "description": "The user login when the budget is scoped to a single user (`user` scope).", + "examples": [ + "octocat" + ] + }, + "consumed_amount": { + "type": "number", + "description": "The consumed amount for the specified user within the budget. Only included for `user`-scoped budgets.", + "examples": [ + 42.5 + ] + }, "budget_amount": { "type": "integer", "description": "The budget amount in whole dollars. For license-based products, this represents the number of licenses.", diff --git a/descriptions-next/api.github.com/api.github.com.2026-03-10.yaml b/descriptions-next/api.github.com/api.github.com.2026-03-10.yaml index 020e4ce34..dd63a8b88 100644 --- a/descriptions-next/api.github.com/api.github.com.2026-03-10.yaml +++ b/descriptions-next/api.github.com/api.github.com.2026-03-10.yaml @@ -89664,6 +89664,8 @@ components: - organization - repository - cost_center + - multi_user_customer + - user examples: - enterprise budget_entity_name: @@ -89671,6 +89673,18 @@ components: description: The name of the entity to apply the budget to examples: - example-repository-name + user: + type: string + description: The user login when the budget is scoped to a single user + (`user` scope). + examples: + - octocat + consumed_amount: + type: number + description: The consumed amount for the specified user within the budget. + Only included for `user`-scoped budgets. + examples: + - 42.5 budget_amount: type: integer description: The budget amount in whole dollars. For license-based products, diff --git a/descriptions-next/api.github.com/api.github.com.json b/descriptions-next/api.github.com/api.github.com.json index 2693e61d7..d56f7d658 100644 --- a/descriptions-next/api.github.com/api.github.com.json +++ b/descriptions-next/api.github.com/api.github.com.json @@ -124634,7 +124634,9 @@ "enterprise", "organization", "repository", - "cost_center" + "cost_center", + "multi_user_customer", + "user" ], "examples": [ "enterprise" @@ -124647,6 +124649,20 @@ "example-repository-name" ] }, + "user": { + "type": "string", + "description": "The user login when the budget is scoped to a single user (`user` scope).", + "examples": [ + "octocat" + ] + }, + "consumed_amount": { + "type": "number", + "description": "The consumed amount for the specified user within the budget. Only included for `user`-scoped budgets.", + "examples": [ + 42.5 + ] + }, "budget_amount": { "type": "integer", "description": "The budget amount in whole dollars. For license-based products, this represents the number of licenses.", diff --git a/descriptions-next/api.github.com/api.github.com.yaml b/descriptions-next/api.github.com/api.github.com.yaml index da6f229a5..8cadf6d28 100644 --- a/descriptions-next/api.github.com/api.github.com.yaml +++ b/descriptions-next/api.github.com/api.github.com.yaml @@ -90561,6 +90561,8 @@ components: - organization - repository - cost_center + - multi_user_customer + - user examples: - enterprise budget_entity_name: @@ -90568,6 +90570,18 @@ components: description: The name of the entity to apply the budget to examples: - example-repository-name + user: + type: string + description: The user login when the budget is scoped to a single user + (`user` scope). + examples: + - octocat + consumed_amount: + type: number + description: The consumed amount for the specified user within the budget. + Only included for `user`-scoped budgets. + examples: + - 42.5 budget_amount: type: integer description: The budget amount in whole dollars. For license-based products, diff --git a/descriptions-next/api.github.com/dereferenced/api.github.com.2022-11-28.deref.json b/descriptions-next/api.github.com/dereferenced/api.github.com.2022-11-28.deref.json index d8fb21e3f..0086a566e 100644 --- a/descriptions-next/api.github.com/dereferenced/api.github.com.2022-11-28.deref.json +++ b/descriptions-next/api.github.com/dereferenced/api.github.com.2022-11-28.deref.json @@ -89765,7 +89765,9 @@ "enterprise", "organization", "repository", - "cost_center" + "cost_center", + "multi_user_customer", + "user" ], "examples": [ "enterprise" @@ -89778,6 +89780,20 @@ "example-repository-name" ] }, + "user": { + "type": "string", + "description": "The user login when the budget is scoped to a single user (`user` scope).", + "examples": [ + "octocat" + ] + }, + "consumed_amount": { + "type": "number", + "description": "The consumed amount for the specified user within the budget. Only included for `user`-scoped budgets.", + "examples": [ + 42.5 + ] + }, "budget_amount": { "type": "integer", "description": "The budget amount in whole dollars. For license-based products, this represents the number of licenses.", diff --git a/descriptions-next/api.github.com/dereferenced/api.github.com.2022-11-28.deref.yaml b/descriptions-next/api.github.com/dereferenced/api.github.com.2022-11-28.deref.yaml index 4ed66d867..24315aaf5 100644 --- a/descriptions-next/api.github.com/dereferenced/api.github.com.2022-11-28.deref.yaml +++ b/descriptions-next/api.github.com/dereferenced/api.github.com.2022-11-28.deref.yaml @@ -22641,6 +22641,8 @@ paths: - organization - repository - cost_center + - multi_user_customer + - user examples: - enterprise budget_entity_name: @@ -22648,6 +22650,18 @@ paths: description: The name of the entity to apply the budget to examples: - example-repository-name + user: + type: string + description: The user login when the budget is scoped to a + single user (`user` scope). + examples: + - octocat + consumed_amount: + type: number + description: The consumed amount for the specified user within + the budget. Only included for `user`-scoped budgets. + examples: + - 42.5 budget_amount: type: integer description: The budget amount in whole dollars. For license-based diff --git a/descriptions-next/api.github.com/dereferenced/api.github.com.2026-03-10.deref.json b/descriptions-next/api.github.com/dereferenced/api.github.com.2026-03-10.deref.json index b783f5010..6e5174832 100644 --- a/descriptions-next/api.github.com/dereferenced/api.github.com.2026-03-10.deref.json +++ b/descriptions-next/api.github.com/dereferenced/api.github.com.2026-03-10.deref.json @@ -85530,7 +85530,9 @@ "enterprise", "organization", "repository", - "cost_center" + "cost_center", + "multi_user_customer", + "user" ], "examples": [ "enterprise" @@ -85543,6 +85545,20 @@ "example-repository-name" ] }, + "user": { + "type": "string", + "description": "The user login when the budget is scoped to a single user (`user` scope).", + "examples": [ + "octocat" + ] + }, + "consumed_amount": { + "type": "number", + "description": "The consumed amount for the specified user within the budget. Only included for `user`-scoped budgets.", + "examples": [ + 42.5 + ] + }, "budget_amount": { "type": "integer", "description": "The budget amount in whole dollars. For license-based products, this represents the number of licenses.", diff --git a/descriptions-next/api.github.com/dereferenced/api.github.com.2026-03-10.deref.yaml b/descriptions-next/api.github.com/dereferenced/api.github.com.2026-03-10.deref.yaml index 62577c508..016db80af 100644 --- a/descriptions-next/api.github.com/dereferenced/api.github.com.2026-03-10.deref.yaml +++ b/descriptions-next/api.github.com/dereferenced/api.github.com.2026-03-10.deref.yaml @@ -22327,6 +22327,8 @@ paths: - organization - repository - cost_center + - multi_user_customer + - user examples: - enterprise budget_entity_name: @@ -22334,6 +22336,18 @@ paths: description: The name of the entity to apply the budget to examples: - example-repository-name + user: + type: string + description: The user login when the budget is scoped to a + single user (`user` scope). + examples: + - octocat + consumed_amount: + type: number + description: The consumed amount for the specified user within + the budget. Only included for `user`-scoped budgets. + examples: + - 42.5 budget_amount: type: integer description: The budget amount in whole dollars. For license-based diff --git a/descriptions-next/api.github.com/dereferenced/api.github.com.deref.json b/descriptions-next/api.github.com/dereferenced/api.github.com.deref.json index c70c81d10..824d60bcd 100644 --- a/descriptions-next/api.github.com/dereferenced/api.github.com.deref.json +++ b/descriptions-next/api.github.com/dereferenced/api.github.com.deref.json @@ -91230,7 +91230,9 @@ "enterprise", "organization", "repository", - "cost_center" + "cost_center", + "multi_user_customer", + "user" ], "examples": [ "enterprise" @@ -91243,6 +91245,20 @@ "example-repository-name" ] }, + "user": { + "type": "string", + "description": "The user login when the budget is scoped to a single user (`user` scope).", + "examples": [ + "octocat" + ] + }, + "consumed_amount": { + "type": "number", + "description": "The consumed amount for the specified user within the budget. Only included for `user`-scoped budgets.", + "examples": [ + 42.5 + ] + }, "budget_amount": { "type": "integer", "description": "The budget amount in whole dollars. For license-based products, this represents the number of licenses.", diff --git a/descriptions-next/api.github.com/dereferenced/api.github.com.deref.yaml b/descriptions-next/api.github.com/dereferenced/api.github.com.deref.yaml index 99a900ece..67a758afd 100644 --- a/descriptions-next/api.github.com/dereferenced/api.github.com.deref.yaml +++ b/descriptions-next/api.github.com/dereferenced/api.github.com.deref.yaml @@ -22906,6 +22906,8 @@ paths: - organization - repository - cost_center + - multi_user_customer + - user examples: - enterprise budget_entity_name: @@ -22913,6 +22915,18 @@ paths: description: The name of the entity to apply the budget to examples: - example-repository-name + user: + type: string + description: The user login when the budget is scoped to a + single user (`user` scope). + examples: + - octocat + consumed_amount: + type: number + description: The consumed amount for the specified user within + the budget. Only included for `user`-scoped budgets. + examples: + - 42.5 budget_amount: type: integer description: The budget amount in whole dollars. For license-based diff --git a/descriptions-next/ghec/dereferenced/ghec.2022-11-28.deref.json b/descriptions-next/ghec/dereferenced/ghec.2022-11-28.deref.json index c3d329840..17e872117 100644 --- a/descriptions-next/ghec/dereferenced/ghec.2022-11-28.deref.json +++ b/descriptions-next/ghec/dereferenced/ghec.2022-11-28.deref.json @@ -53201,6 +53201,213 @@ } } }, + "/enterprises/{enterprise}/credential-authorizations/{username}/revoke": { + "post": { + "summary": "Revoke credential authorizations for a user in an enterprise", + "description": "Revokes all credential authorizations for a single user within the enterprise.\nThis includes any credential authorizations the user has across all organizations\nin the enterprise.\n\nFor Enterprise Managed User (EMU) enterprises, you can optionally also destroy all\ncredentials (PATs v1, PATs v2, and SSH keys) owned by the user by setting\nthe `revoke_credentials` parameter to `true`.\n\nThis operation is performed asynchronously. A background job will be queued to process\nthe revocations.\n\n> [!WARNING]\n> If you use a personal access token to call this endpoint and target yourself, that\n> token may also be revoked or destroyed as part of this operation.\n\nThe authenticated user must be an enterprise owner or have the `write_enterprise_credentials` permission to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `admin:enterprise` scope to use this endpoint.", + "tags": [ + "enterprise-admin" + ], + "operationId": "enterprise-admin/revoke-credential-authorizations-for-user", + "externalDocs": { + "description": "API method documentation", + "url": "https://docs.github.com/enterprise-cloud@latest/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise" + }, + "parameters": [ + { + "name": "enterprise", + "description": "The slug version of the enterprise name.", + "in": "path", + "required": true, + "schema": { + "type": "string" + } + }, + { + "name": "username", + "description": "The handle for the GitHub user account.", + "in": "path", + "required": true, + "schema": { + "type": "string" + } + } + ], + "requestBody": { + "required": false, + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "revoke_credentials": { + "type": "boolean", + "description": "Whether to also destroy the actual credentials (PATs and SSH keys) owned by\nthe user. This option is only available for Enterprise Managed User (EMU)\nenterprises. When set to `true`, all PATs (v1 and v2) and SSH keys owned\nby the user will be destroyed in addition to the credential authorizations.", + "default": false + } + } + }, + "examples": { + "default": { + "value": { + "revoke_credentials": false + } + }, + "emu_with_credential_revocation": { + "summary": "EMU enterprise with credential revocation", + "value": { + "revoke_credentials": true + } + } + } + } + } + }, + "responses": { + "202": { + "description": "Accepted - The revocation request has been queued", + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "message": { + "type": "string", + "description": "A message indicating the revocation has been queued" + }, + "warning": { + "type": "string", + "description": "A warning message if the token used for this request may be revoked" + } + } + }, + "examples": { + "default": { + "value": { + "message": "Credential authorization revocation for user 'octocat' has been queued" + } + }, + "with_authorization_revoked_warning": { + "summary": "Warning when the calling token may have its authorization revoked", + "value": { + "message": "Credential authorization revocation for user 'octocat' has been queued", + "warning": "The token used for this request may also have its authorization revoked as part of this operation" + } + }, + "with_credential_destroyed_warning": { + "summary": "Warning when the calling token may be destroyed (EMU with `revoke_credentials`)", + "value": { + "message": "Credential authorization revocation for user 'octocat' has been queued", + "warning": "The token used for this request may also be destroyed as part of this operation" + } + } + } + } + } + }, + "403": { + "description": "Forbidden", + "content": { + "application/json": { + "schema": { + "title": "Basic Error", + "description": "Basic Error", + "type": "object", + "properties": { + "message": { + "type": "string" + }, + "documentation_url": { + "type": "string" + }, + "url": { + "type": "string" + }, + "status": { + "type": "string" + } + } + } + } + } + }, + "404": { + "description": "Resource not found", + "content": { + "application/json": { + "schema": { + "title": "Basic Error", + "description": "Basic Error", + "type": "object", + "properties": { + "message": { + "type": "string" + }, + "documentation_url": { + "type": "string" + }, + "url": { + "type": "string" + }, + "status": { + "type": "string" + } + } + } + } + } + }, + "422": { + "description": "Validation error - The target user cannot be revoked, or `revoke_credentials` is not available for this enterprise", + "content": { + "application/json": { + "schema": { + "title": "Basic Error", + "description": "Basic Error", + "type": "object", + "properties": { + "message": { + "type": "string" + }, + "documentation_url": { + "type": "string" + }, + "url": { + "type": "string" + }, + "status": { + "type": "string" + } + } + }, + "examples": { + "non_emu_enterprise": { + "summary": "`revoke_credentials` requested on a non-EMU enterprise", + "value": { + "message": "The `revoke_credentials` option is only available for Enterprise Managed User (EMU) enterprises", + "documentation_url": "https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise" + } + }, + "first_emu_owner": { + "summary": "Target user is the first EMU owner", + "value": { + "message": "The first EMU owner cannot be targeted for credential revocation.", + "documentation_url": "https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise" + } + } + } + } + } + } + }, + "x-github": { + "githubCloudOnly": true, + "enabledForGitHubApps": true, + "category": "enterprise-admin", + "subcategory": "credential-authorizations" + } + } + }, "/enterprises/{enterprise}/dependabot/alerts": { "get": { "summary": "List Dependabot alerts for an enterprise", @@ -78887,7 +79094,9 @@ "enterprise", "organization", "repository", - "cost_center" + "cost_center", + "multi_user_customer", + "user" ], "examples": [ "enterprise" @@ -78900,6 +79109,20 @@ "example-repository-name" ] }, + "user": { + "type": "string", + "description": "The user login when the budget is scoped to a single user (`user` scope).", + "examples": [ + "octocat" + ] + }, + "consumed_amount": { + "type": "number", + "description": "The consumed amount for the specified user within the budget. Only included for `user`-scoped budgets.", + "examples": [ + 42.5 + ] + }, "budget_amount": { "type": "integer", "description": "The budget amount in whole dollars. For license-based products, this represents the number of licenses.", @@ -196711,7 +196934,7 @@ "/orgs/{org}/credential-authorizations": { "get": { "summary": "List SAML SSO authorizations for an organization", - "description": "Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials are either personal access tokens or SSH keys that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on).\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `read:org` scope to use this endpoint.", + "description": "Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials can be personal access tokens, SSH keys, OAuth app access tokens, or user-to-server tokens from GitHub Apps that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on).\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `read:org` scope to use this endpoint.", "tags": [ "orgs" ], @@ -196785,13 +197008,19 @@ "credential_type": { "type": "string", "description": "Human-readable description of the credential type.", + "enum": [ + "personal access token", + "SSH key", + "OAuth app token", + "GitHub app token" + ], "examples": [ - "SSH Key" + "SSH key" ] }, "token_last_eight": { "type": "string", - "description": "Last eight characters of the credential. Only included in responses with credential_type of personal access token.", + "description": "Last eight characters of the credential. Only included in responses with a credential_type of personal access token, OAuth app token, or GitHub app token.", "examples": [ "12345678" ] @@ -196806,7 +197035,7 @@ }, "scopes": { "type": "array", - "description": "List of oauth scopes the token has been granted.", + "description": "List of OAuth scopes the token has been granted.", "items": { "type": "string" }, @@ -196817,7 +197046,7 @@ }, "fingerprint": { "type": "string", - "description": "Unique string to distinguish the credential. Only included in responses with credential_type of SSH Key.", + "description": "Unique string to distinguish the credential. Only included in responses with a credential_type of SSH key.", "examples": [ "jklmnop12345678" ] @@ -196838,7 +197067,7 @@ "integer", "null" ], - "description": "The ID of the underlying token that was authorized by the user. This will remain unchanged across authorizations of the token.", + "description": "The ID of the underlying token or key that was authorized by the user. This will remain unchanged across authorizations of the token or key.", "examples": [ 12345678 ] @@ -196892,6 +197121,7 @@ "token_last_eight": "71c3fc11", "credential_authorized_at": "2011-01-26T19:06:43Z", "credential_accessed_at": "2011-01-26T19:06:43Z", + "authorized_credential_id": 12345678, "authorized_credential_expires_at": "2011-02-25T19:06:43Z", "scopes": [ "user", @@ -196904,11 +197134,47 @@ "credential_type": "personal access token", "token_last_eight": "Ae178B4a", "credential_authorized_at": "2019-03-29T19:06:43Z", - "credential_accessed_at": "2011-01-26T19:06:43Z", + "credential_accessed_at": "2019-04-15T19:06:43Z", + "authorized_credential_id": 12345679, "authorized_credential_expires_at": "2019-04-28T19:06:43Z", "scopes": [ "repo" ] + }, + { + "login": "octocat", + "credential_id": 161197, + "credential_type": "OAuth app token", + "token_last_eight": "9f2c4d1e", + "credential_authorized_at": "2023-05-15T19:06:43Z", + "credential_accessed_at": "2023-05-16T19:06:43Z", + "authorized_credential_id": 12345680, + "authorized_credential_expires_at": "2023-06-14T19:06:43Z", + "scopes": [ + "repo", + "read:org" + ] + }, + { + "login": "hubot", + "credential_id": 161198, + "credential_type": "GitHub app token", + "token_last_eight": "3b7a0c52", + "credential_authorized_at": "2023-05-15T19:06:43Z", + "credential_accessed_at": "2023-05-16T19:06:43Z", + "authorized_credential_id": 12345681, + "authorized_credential_expires_at": "2023-06-14T19:06:43Z", + "scopes": [] + }, + { + "login": "octocat", + "credential_id": 161199, + "credential_type": "SSH key", + "credential_authorized_at": "2023-05-15T19:06:43Z", + "credential_accessed_at": "2023-05-16T19:06:43Z", + "authorized_credential_id": 12345682, + "fingerprint": "jklmnop12345678", + "authorized_credential_title": "my ssh key" } ] } @@ -196928,7 +197194,7 @@ "/orgs/{org}/credential-authorizations/{credential_id}": { "delete": { "summary": "Remove a SAML SSO authorization for an organization", - "description": "Removes a credential authorization for an organization that uses SAML SSO. Once you remove someone's credential authorization, they will need to create a new personal access token or SSH key and authorize it for the organization they want to access.\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `admin:org` scope to use this endpoint.", + "description": "Removes a credential authorization for an organization that uses SAML SSO. The credential can be a personal access token, an SSH key, an OAuth app access token, or a user-to-server token from a GitHub App. Once you remove someone's credential authorization, they will need to authorize the credential again for the organization they want to access.\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `admin:org` scope to use this endpoint.", "tags": [ "orgs" ], diff --git a/descriptions-next/ghec/dereferenced/ghec.2022-11-28.deref.yaml b/descriptions-next/ghec/dereferenced/ghec.2022-11-28.deref.yaml index 0efb65520..c725923ea 100644 --- a/descriptions-next/ghec/dereferenced/ghec.2022-11-28.deref.yaml +++ b/descriptions-next/ghec/dereferenced/ghec.2022-11-28.deref.yaml @@ -20620,6 +20620,128 @@ paths: enabledForGitHubApps: true category: enterprise-admin subcategory: credential-authorizations + "/enterprises/{enterprise}/credential-authorizations/{username}/revoke": + post: + summary: Revoke credential authorizations for a user in an enterprise + description: |- + Revokes all credential authorizations for a single user within the enterprise. + This includes any credential authorizations the user has across all organizations + in the enterprise. + + For Enterprise Managed User (EMU) enterprises, you can optionally also destroy all + credentials (PATs v1, PATs v2, and SSH keys) owned by the user by setting + the `revoke_credentials` parameter to `true`. + + This operation is performed asynchronously. A background job will be queued to process + the revocations. + + > [!WARNING] + > If you use a personal access token to call this endpoint and target yourself, that + > token may also be revoked or destroyed as part of this operation. + + The authenticated user must be an enterprise owner or have the `write_enterprise_credentials` permission to use this endpoint. + + OAuth app tokens and personal access tokens (classic) need the `admin:enterprise` scope to use this endpoint. + tags: + - enterprise-admin + operationId: enterprise-admin/revoke-credential-authorizations-for-user + externalDocs: + description: API method documentation + url: https://docs.github.com/enterprise-cloud@latest/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise + parameters: + - *39 + - &140 + name: username + description: The handle for the GitHub user account. + in: path + required: true + schema: + type: string + requestBody: + required: false + content: + application/json: + schema: + type: object + properties: + revoke_credentials: + type: boolean + description: |- + Whether to also destroy the actual credentials (PATs and SSH keys) owned by + the user. This option is only available for Enterprise Managed User (EMU) + enterprises. When set to `true`, all PATs (v1 and v2) and SSH keys owned + by the user will be destroyed in addition to the credential authorizations. + default: false + examples: + default: + value: + revoke_credentials: false + emu_with_credential_revocation: + summary: EMU enterprise with credential revocation + value: + revoke_credentials: true + responses: + '202': + description: Accepted - The revocation request has been queued + content: + application/json: + schema: + type: object + properties: + message: + type: string + description: A message indicating the revocation has been queued + warning: + type: string + description: A warning message if the token used for this request + may be revoked + examples: + default: + value: + message: Credential authorization revocation for user 'octocat' + has been queued + with_authorization_revoked_warning: + summary: Warning when the calling token may have its authorization + revoked + value: + message: Credential authorization revocation for user 'octocat' + has been queued + warning: The token used for this request may also have its authorization + revoked as part of this operation + with_credential_destroyed_warning: + summary: Warning when the calling token may be destroyed (EMU with + `revoke_credentials`) + value: + message: Credential authorization revocation for user 'octocat' + has been queued + warning: The token used for this request may also be destroyed + as part of this operation + '403': *27 + '404': *6 + '422': + description: Validation error - The target user cannot be revoked, or `revoke_credentials` + is not available for this enterprise + content: + application/json: + schema: *3 + examples: + non_emu_enterprise: + summary: "`revoke_credentials` requested on a non-EMU enterprise" + value: + message: The `revoke_credentials` option is only available for + Enterprise Managed User (EMU) enterprises + documentation_url: https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise + first_emu_owner: + summary: Target user is the first EMU owner + value: + message: The first EMU owner cannot be targeted for credential + revocation. + documentation_url: https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise + x-github: + githubCloudOnly: true + enabledForGitHubApps: true + category: enterprise-admin + subcategory: credential-authorizations "/enterprises/{enterprise}/dependabot/alerts": get: summary: List Dependabot alerts for an enterprise @@ -22272,13 +22394,7 @@ paths: url: https://docs.github.com/enterprise-cloud@latest/rest/enterprise-admin/enterprise-roles#remove-all-enterprise-roles-from-a-user parameters: - *39 - - &140 - name: username - description: The handle for the GitHub user account. - in: path - required: true - schema: - type: string + - *140 responses: '204': description: Response @@ -27887,6 +28003,8 @@ paths: - organization - repository - cost_center + - multi_user_customer + - user examples: - enterprise budget_entity_name: @@ -27894,6 +28012,18 @@ paths: description: The name of the entity to apply the budget to examples: - example-repository-name + user: + type: string + description: The user login when the budget is scoped to a + single user (`user` scope). + examples: + - octocat + consumed_amount: + type: number + description: The consumed amount for the specified user within + the budget. Only included for `user`-scoped budgets. + examples: + - 42.5 budget_amount: type: integer description: The budget amount in whole dollars. For license-based @@ -51120,7 +51250,7 @@ paths: get: summary: List SAML SSO authorizations for an organization description: |- - Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials are either personal access tokens or SSH keys that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on). + Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials can be personal access tokens, SSH keys, OAuth app access tokens, or user-to-server tokens from GitHub Apps that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on). The authenticated user must be an organization owner to use this endpoint. @@ -51172,12 +51302,18 @@ paths: credential_type: type: string description: Human-readable description of the credential type. + enum: + - personal access token + - SSH key + - OAuth app token + - GitHub app token examples: - - SSH Key + - SSH key token_last_eight: type: string description: Last eight characters of the credential. Only included - in responses with credential_type of personal access token. + in responses with a credential_type of personal access token, + OAuth app token, or GitHub app token. examples: - '12345678' credential_authorized_at: @@ -51188,7 +51324,7 @@ paths: - '2011-01-26T19:06:43Z' scopes: type: array - description: List of oauth scopes the token has been granted. + description: List of OAuth scopes the token has been granted. items: type: string examples: @@ -51197,7 +51333,7 @@ paths: fingerprint: type: string description: Unique string to distinguish the credential. Only - included in responses with credential_type of SSH Key. + included in responses with a credential_type of SSH key. examples: - jklmnop12345678 credential_accessed_at: @@ -51213,9 +51349,9 @@ paths: type: - integer - 'null' - description: The ID of the underlying token that was authorized - by the user. This will remain unchanged across authorizations - of the token. + description: The ID of the underlying token or key that was + authorized by the user. This will remain unchanged across + authorizations of the token or key. examples: - 12345678 authorized_credential_title: @@ -51257,6 +51393,7 @@ paths: token_last_eight: 71c3fc11 credential_authorized_at: '2011-01-26T19:06:43Z' credential_accessed_at: '2011-01-26T19:06:43Z' + authorized_credential_id: 12345678 authorized_credential_expires_at: '2011-02-25T19:06:43Z' scopes: - user @@ -51266,10 +51403,39 @@ paths: credential_type: personal access token token_last_eight: Ae178B4a credential_authorized_at: '2019-03-29T19:06:43Z' - credential_accessed_at: '2011-01-26T19:06:43Z' + credential_accessed_at: '2019-04-15T19:06:43Z' + authorized_credential_id: 12345679 authorized_credential_expires_at: '2019-04-28T19:06:43Z' scopes: - repo + - login: octocat + credential_id: 161197 + credential_type: OAuth app token + token_last_eight: 9f2c4d1e + credential_authorized_at: '2023-05-15T19:06:43Z' + credential_accessed_at: '2023-05-16T19:06:43Z' + authorized_credential_id: 12345680 + authorized_credential_expires_at: '2023-06-14T19:06:43Z' + scopes: + - repo + - read:org + - login: hubot + credential_id: 161198 + credential_type: GitHub app token + token_last_eight: 3b7a0c52 + credential_authorized_at: '2023-05-15T19:06:43Z' + credential_accessed_at: '2023-05-16T19:06:43Z' + authorized_credential_id: 12345681 + authorized_credential_expires_at: '2023-06-14T19:06:43Z' + scopes: [] + - login: octocat + credential_id: 161199 + credential_type: SSH key + credential_authorized_at: '2023-05-15T19:06:43Z' + credential_accessed_at: '2023-05-16T19:06:43Z' + authorized_credential_id: 12345682 + fingerprint: jklmnop12345678 + authorized_credential_title: my ssh key x-github: githubCloudOnly: true enabledForGitHubApps: true @@ -51279,7 +51445,7 @@ paths: delete: summary: Remove a SAML SSO authorization for an organization description: |- - Removes a credential authorization for an organization that uses SAML SSO. Once you remove someone's credential authorization, they will need to create a new personal access token or SSH key and authorize it for the organization they want to access. + Removes a credential authorization for an organization that uses SAML SSO. The credential can be a personal access token, an SSH key, an OAuth app access token, or a user-to-server token from a GitHub App. Once you remove someone's credential authorization, they will need to authorize the credential again for the organization they want to access. The authenticated user must be an organization owner to use this endpoint. diff --git a/descriptions-next/ghec/dereferenced/ghec.2026-03-10.deref.json b/descriptions-next/ghec/dereferenced/ghec.2026-03-10.deref.json index 72d8ba3de..586ced0f2 100644 --- a/descriptions-next/ghec/dereferenced/ghec.2026-03-10.deref.json +++ b/descriptions-next/ghec/dereferenced/ghec.2026-03-10.deref.json @@ -53068,6 +53068,213 @@ } } }, + "/enterprises/{enterprise}/credential-authorizations/{username}/revoke": { + "post": { + "summary": "Revoke credential authorizations for a user in an enterprise", + "description": "Revokes all credential authorizations for a single user within the enterprise.\nThis includes any credential authorizations the user has across all organizations\nin the enterprise.\n\nFor Enterprise Managed User (EMU) enterprises, you can optionally also destroy all\ncredentials (PATs v1, PATs v2, and SSH keys) owned by the user by setting\nthe `revoke_credentials` parameter to `true`.\n\nThis operation is performed asynchronously. A background job will be queued to process\nthe revocations.\n\n> [!WARNING]\n> If you use a personal access token to call this endpoint and target yourself, that\n> token may also be revoked or destroyed as part of this operation.\n\nThe authenticated user must be an enterprise owner or have the `write_enterprise_credentials` permission to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `admin:enterprise` scope to use this endpoint.", + "tags": [ + "enterprise-admin" + ], + "operationId": "enterprise-admin/revoke-credential-authorizations-for-user", + "externalDocs": { + "description": "API method documentation", + "url": "https://docs.github.com/enterprise-cloud@latest/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise" + }, + "parameters": [ + { + "name": "enterprise", + "description": "The slug version of the enterprise name.", + "in": "path", + "required": true, + "schema": { + "type": "string" + } + }, + { + "name": "username", + "description": "The handle for the GitHub user account.", + "in": "path", + "required": true, + "schema": { + "type": "string" + } + } + ], + "requestBody": { + "required": false, + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "revoke_credentials": { + "type": "boolean", + "description": "Whether to also destroy the actual credentials (PATs and SSH keys) owned by\nthe user. This option is only available for Enterprise Managed User (EMU)\nenterprises. When set to `true`, all PATs (v1 and v2) and SSH keys owned\nby the user will be destroyed in addition to the credential authorizations.", + "default": false + } + } + }, + "examples": { + "default": { + "value": { + "revoke_credentials": false + } + }, + "emu_with_credential_revocation": { + "summary": "EMU enterprise with credential revocation", + "value": { + "revoke_credentials": true + } + } + } + } + } + }, + "responses": { + "202": { + "description": "Accepted - The revocation request has been queued", + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "message": { + "type": "string", + "description": "A message indicating the revocation has been queued" + }, + "warning": { + "type": "string", + "description": "A warning message if the token used for this request may be revoked" + } + } + }, + "examples": { + "default": { + "value": { + "message": "Credential authorization revocation for user 'octocat' has been queued" + } + }, + "with_authorization_revoked_warning": { + "summary": "Warning when the calling token may have its authorization revoked", + "value": { + "message": "Credential authorization revocation for user 'octocat' has been queued", + "warning": "The token used for this request may also have its authorization revoked as part of this operation" + } + }, + "with_credential_destroyed_warning": { + "summary": "Warning when the calling token may be destroyed (EMU with `revoke_credentials`)", + "value": { + "message": "Credential authorization revocation for user 'octocat' has been queued", + "warning": "The token used for this request may also be destroyed as part of this operation" + } + } + } + } + } + }, + "403": { + "description": "Forbidden", + "content": { + "application/json": { + "schema": { + "title": "Basic Error", + "description": "Basic Error", + "type": "object", + "properties": { + "message": { + "type": "string" + }, + "documentation_url": { + "type": "string" + }, + "url": { + "type": "string" + }, + "status": { + "type": "string" + } + } + } + } + } + }, + "404": { + "description": "Resource not found", + "content": { + "application/json": { + "schema": { + "title": "Basic Error", + "description": "Basic Error", + "type": "object", + "properties": { + "message": { + "type": "string" + }, + "documentation_url": { + "type": "string" + }, + "url": { + "type": "string" + }, + "status": { + "type": "string" + } + } + } + } + } + }, + "422": { + "description": "Validation error - The target user cannot be revoked, or `revoke_credentials` is not available for this enterprise", + "content": { + "application/json": { + "schema": { + "title": "Basic Error", + "description": "Basic Error", + "type": "object", + "properties": { + "message": { + "type": "string" + }, + "documentation_url": { + "type": "string" + }, + "url": { + "type": "string" + }, + "status": { + "type": "string" + } + } + }, + "examples": { + "non_emu_enterprise": { + "summary": "`revoke_credentials` requested on a non-EMU enterprise", + "value": { + "message": "The `revoke_credentials` option is only available for Enterprise Managed User (EMU) enterprises", + "documentation_url": "https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise" + } + }, + "first_emu_owner": { + "summary": "Target user is the first EMU owner", + "value": { + "message": "The first EMU owner cannot be targeted for credential revocation.", + "documentation_url": "https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise" + } + } + } + } + } + } + }, + "x-github": { + "githubCloudOnly": true, + "enabledForGitHubApps": true, + "category": "enterprise-admin", + "subcategory": "credential-authorizations" + } + } + }, "/enterprises/{enterprise}/dependabot/alerts": { "get": { "summary": "List Dependabot alerts for an enterprise", @@ -78726,7 +78933,9 @@ "enterprise", "organization", "repository", - "cost_center" + "cost_center", + "multi_user_customer", + "user" ], "examples": [ "enterprise" @@ -78739,6 +78948,20 @@ "example-repository-name" ] }, + "user": { + "type": "string", + "description": "The user login when the budget is scoped to a single user (`user` scope).", + "examples": [ + "octocat" + ] + }, + "consumed_amount": { + "type": "number", + "description": "The consumed amount for the specified user within the budget. Only included for `user`-scoped budgets.", + "examples": [ + 42.5 + ] + }, "budget_amount": { "type": "integer", "description": "The budget amount in whole dollars. For license-based products, this represents the number of licenses.", @@ -192103,7 +192326,7 @@ "/orgs/{org}/credential-authorizations": { "get": { "summary": "List SAML SSO authorizations for an organization", - "description": "Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials are either personal access tokens or SSH keys that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on).\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `read:org` scope to use this endpoint.", + "description": "Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials can be personal access tokens, SSH keys, OAuth app access tokens, or user-to-server tokens from GitHub Apps that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on).\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `read:org` scope to use this endpoint.", "tags": [ "orgs" ], @@ -192177,13 +192400,19 @@ "credential_type": { "type": "string", "description": "Human-readable description of the credential type.", + "enum": [ + "personal access token", + "SSH key", + "OAuth app token", + "GitHub app token" + ], "examples": [ - "SSH Key" + "SSH key" ] }, "token_last_eight": { "type": "string", - "description": "Last eight characters of the credential. Only included in responses with credential_type of personal access token.", + "description": "Last eight characters of the credential. Only included in responses with a credential_type of personal access token, OAuth app token, or GitHub app token.", "examples": [ "12345678" ] @@ -192198,7 +192427,7 @@ }, "scopes": { "type": "array", - "description": "List of oauth scopes the token has been granted.", + "description": "List of OAuth scopes the token has been granted.", "items": { "type": "string" }, @@ -192209,7 +192438,7 @@ }, "fingerprint": { "type": "string", - "description": "Unique string to distinguish the credential. Only included in responses with credential_type of SSH Key.", + "description": "Unique string to distinguish the credential. Only included in responses with a credential_type of SSH key.", "examples": [ "jklmnop12345678" ] @@ -192230,7 +192459,7 @@ "integer", "null" ], - "description": "The ID of the underlying token that was authorized by the user. This will remain unchanged across authorizations of the token.", + "description": "The ID of the underlying token or key that was authorized by the user. This will remain unchanged across authorizations of the token or key.", "examples": [ 12345678 ] @@ -192284,6 +192513,7 @@ "token_last_eight": "71c3fc11", "credential_authorized_at": "2011-01-26T19:06:43Z", "credential_accessed_at": "2011-01-26T19:06:43Z", + "authorized_credential_id": 12345678, "authorized_credential_expires_at": "2011-02-25T19:06:43Z", "scopes": [ "user", @@ -192296,11 +192526,47 @@ "credential_type": "personal access token", "token_last_eight": "Ae178B4a", "credential_authorized_at": "2019-03-29T19:06:43Z", - "credential_accessed_at": "2011-01-26T19:06:43Z", + "credential_accessed_at": "2019-04-15T19:06:43Z", + "authorized_credential_id": 12345679, "authorized_credential_expires_at": "2019-04-28T19:06:43Z", "scopes": [ "repo" ] + }, + { + "login": "octocat", + "credential_id": 161197, + "credential_type": "OAuth app token", + "token_last_eight": "9f2c4d1e", + "credential_authorized_at": "2023-05-15T19:06:43Z", + "credential_accessed_at": "2023-05-16T19:06:43Z", + "authorized_credential_id": 12345680, + "authorized_credential_expires_at": "2023-06-14T19:06:43Z", + "scopes": [ + "repo", + "read:org" + ] + }, + { + "login": "hubot", + "credential_id": 161198, + "credential_type": "GitHub app token", + "token_last_eight": "3b7a0c52", + "credential_authorized_at": "2023-05-15T19:06:43Z", + "credential_accessed_at": "2023-05-16T19:06:43Z", + "authorized_credential_id": 12345681, + "authorized_credential_expires_at": "2023-06-14T19:06:43Z", + "scopes": [] + }, + { + "login": "octocat", + "credential_id": 161199, + "credential_type": "SSH key", + "credential_authorized_at": "2023-05-15T19:06:43Z", + "credential_accessed_at": "2023-05-16T19:06:43Z", + "authorized_credential_id": 12345682, + "fingerprint": "jklmnop12345678", + "authorized_credential_title": "my ssh key" } ] } @@ -192320,7 +192586,7 @@ "/orgs/{org}/credential-authorizations/{credential_id}": { "delete": { "summary": "Remove a SAML SSO authorization for an organization", - "description": "Removes a credential authorization for an organization that uses SAML SSO. Once you remove someone's credential authorization, they will need to create a new personal access token or SSH key and authorize it for the organization they want to access.\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `admin:org` scope to use this endpoint.", + "description": "Removes a credential authorization for an organization that uses SAML SSO. The credential can be a personal access token, an SSH key, an OAuth app access token, or a user-to-server token from a GitHub App. Once you remove someone's credential authorization, they will need to authorize the credential again for the organization they want to access.\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `admin:org` scope to use this endpoint.", "tags": [ "orgs" ], diff --git a/descriptions-next/ghec/dereferenced/ghec.2026-03-10.deref.yaml b/descriptions-next/ghec/dereferenced/ghec.2026-03-10.deref.yaml index 97cb66487..3acc3141b 100644 --- a/descriptions-next/ghec/dereferenced/ghec.2026-03-10.deref.yaml +++ b/descriptions-next/ghec/dereferenced/ghec.2026-03-10.deref.yaml @@ -20568,6 +20568,128 @@ paths: enabledForGitHubApps: true category: enterprise-admin subcategory: credential-authorizations + "/enterprises/{enterprise}/credential-authorizations/{username}/revoke": + post: + summary: Revoke credential authorizations for a user in an enterprise + description: |- + Revokes all credential authorizations for a single user within the enterprise. + This includes any credential authorizations the user has across all organizations + in the enterprise. + + For Enterprise Managed User (EMU) enterprises, you can optionally also destroy all + credentials (PATs v1, PATs v2, and SSH keys) owned by the user by setting + the `revoke_credentials` parameter to `true`. + + This operation is performed asynchronously. A background job will be queued to process + the revocations. + + > [!WARNING] + > If you use a personal access token to call this endpoint and target yourself, that + > token may also be revoked or destroyed as part of this operation. + + The authenticated user must be an enterprise owner or have the `write_enterprise_credentials` permission to use this endpoint. + + OAuth app tokens and personal access tokens (classic) need the `admin:enterprise` scope to use this endpoint. + tags: + - enterprise-admin + operationId: enterprise-admin/revoke-credential-authorizations-for-user + externalDocs: + description: API method documentation + url: https://docs.github.com/enterprise-cloud@latest/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise + parameters: + - *39 + - &140 + name: username + description: The handle for the GitHub user account. + in: path + required: true + schema: + type: string + requestBody: + required: false + content: + application/json: + schema: + type: object + properties: + revoke_credentials: + type: boolean + description: |- + Whether to also destroy the actual credentials (PATs and SSH keys) owned by + the user. This option is only available for Enterprise Managed User (EMU) + enterprises. When set to `true`, all PATs (v1 and v2) and SSH keys owned + by the user will be destroyed in addition to the credential authorizations. + default: false + examples: + default: + value: + revoke_credentials: false + emu_with_credential_revocation: + summary: EMU enterprise with credential revocation + value: + revoke_credentials: true + responses: + '202': + description: Accepted - The revocation request has been queued + content: + application/json: + schema: + type: object + properties: + message: + type: string + description: A message indicating the revocation has been queued + warning: + type: string + description: A warning message if the token used for this request + may be revoked + examples: + default: + value: + message: Credential authorization revocation for user 'octocat' + has been queued + with_authorization_revoked_warning: + summary: Warning when the calling token may have its authorization + revoked + value: + message: Credential authorization revocation for user 'octocat' + has been queued + warning: The token used for this request may also have its authorization + revoked as part of this operation + with_credential_destroyed_warning: + summary: Warning when the calling token may be destroyed (EMU with + `revoke_credentials`) + value: + message: Credential authorization revocation for user 'octocat' + has been queued + warning: The token used for this request may also be destroyed + as part of this operation + '403': *27 + '404': *6 + '422': + description: Validation error - The target user cannot be revoked, or `revoke_credentials` + is not available for this enterprise + content: + application/json: + schema: *3 + examples: + non_emu_enterprise: + summary: "`revoke_credentials` requested on a non-EMU enterprise" + value: + message: The `revoke_credentials` option is only available for + Enterprise Managed User (EMU) enterprises + documentation_url: https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise + first_emu_owner: + summary: Target user is the first EMU owner + value: + message: The first EMU owner cannot be targeted for credential + revocation. + documentation_url: https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise + x-github: + githubCloudOnly: true + enabledForGitHubApps: true + category: enterprise-admin + subcategory: credential-authorizations "/enterprises/{enterprise}/dependabot/alerts": get: summary: List Dependabot alerts for an enterprise @@ -22197,13 +22319,7 @@ paths: url: https://docs.github.com/enterprise-cloud@latest/rest/enterprise-admin/enterprise-roles#remove-all-enterprise-roles-from-a-user parameters: - *39 - - &140 - name: username - description: The handle for the GitHub user account. - in: path - required: true - schema: - type: string + - *140 responses: '204': description: Response @@ -27812,6 +27928,8 @@ paths: - organization - repository - cost_center + - multi_user_customer + - user examples: - enterprise budget_entity_name: @@ -27819,6 +27937,18 @@ paths: description: The name of the entity to apply the budget to examples: - example-repository-name + user: + type: string + description: The user login when the budget is scoped to a + single user (`user` scope). + examples: + - octocat + consumed_amount: + type: number + description: The consumed amount for the specified user within + the budget. Only included for `user`-scoped budgets. + examples: + - 42.5 budget_amount: type: integer description: The budget amount in whole dollars. For license-based @@ -50682,7 +50812,7 @@ paths: get: summary: List SAML SSO authorizations for an organization description: |- - Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials are either personal access tokens or SSH keys that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on). + Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials can be personal access tokens, SSH keys, OAuth app access tokens, or user-to-server tokens from GitHub Apps that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on). The authenticated user must be an organization owner to use this endpoint. @@ -50734,12 +50864,18 @@ paths: credential_type: type: string description: Human-readable description of the credential type. + enum: + - personal access token + - SSH key + - OAuth app token + - GitHub app token examples: - - SSH Key + - SSH key token_last_eight: type: string description: Last eight characters of the credential. Only included - in responses with credential_type of personal access token. + in responses with a credential_type of personal access token, + OAuth app token, or GitHub app token. examples: - '12345678' credential_authorized_at: @@ -50750,7 +50886,7 @@ paths: - '2011-01-26T19:06:43Z' scopes: type: array - description: List of oauth scopes the token has been granted. + description: List of OAuth scopes the token has been granted. items: type: string examples: @@ -50759,7 +50895,7 @@ paths: fingerprint: type: string description: Unique string to distinguish the credential. Only - included in responses with credential_type of SSH Key. + included in responses with a credential_type of SSH key. examples: - jklmnop12345678 credential_accessed_at: @@ -50775,9 +50911,9 @@ paths: type: - integer - 'null' - description: The ID of the underlying token that was authorized - by the user. This will remain unchanged across authorizations - of the token. + description: The ID of the underlying token or key that was + authorized by the user. This will remain unchanged across + authorizations of the token or key. examples: - 12345678 authorized_credential_title: @@ -50819,6 +50955,7 @@ paths: token_last_eight: 71c3fc11 credential_authorized_at: '2011-01-26T19:06:43Z' credential_accessed_at: '2011-01-26T19:06:43Z' + authorized_credential_id: 12345678 authorized_credential_expires_at: '2011-02-25T19:06:43Z' scopes: - user @@ -50828,10 +50965,39 @@ paths: credential_type: personal access token token_last_eight: Ae178B4a credential_authorized_at: '2019-03-29T19:06:43Z' - credential_accessed_at: '2011-01-26T19:06:43Z' + credential_accessed_at: '2019-04-15T19:06:43Z' + authorized_credential_id: 12345679 authorized_credential_expires_at: '2019-04-28T19:06:43Z' scopes: - repo + - login: octocat + credential_id: 161197 + credential_type: OAuth app token + token_last_eight: 9f2c4d1e + credential_authorized_at: '2023-05-15T19:06:43Z' + credential_accessed_at: '2023-05-16T19:06:43Z' + authorized_credential_id: 12345680 + authorized_credential_expires_at: '2023-06-14T19:06:43Z' + scopes: + - repo + - read:org + - login: hubot + credential_id: 161198 + credential_type: GitHub app token + token_last_eight: 3b7a0c52 + credential_authorized_at: '2023-05-15T19:06:43Z' + credential_accessed_at: '2023-05-16T19:06:43Z' + authorized_credential_id: 12345681 + authorized_credential_expires_at: '2023-06-14T19:06:43Z' + scopes: [] + - login: octocat + credential_id: 161199 + credential_type: SSH key + credential_authorized_at: '2023-05-15T19:06:43Z' + credential_accessed_at: '2023-05-16T19:06:43Z' + authorized_credential_id: 12345682 + fingerprint: jklmnop12345678 + authorized_credential_title: my ssh key x-github: githubCloudOnly: true enabledForGitHubApps: true @@ -50841,7 +51007,7 @@ paths: delete: summary: Remove a SAML SSO authorization for an organization description: |- - Removes a credential authorization for an organization that uses SAML SSO. Once you remove someone's credential authorization, they will need to create a new personal access token or SSH key and authorize it for the organization they want to access. + Removes a credential authorization for an organization that uses SAML SSO. The credential can be a personal access token, an SSH key, an OAuth app access token, or a user-to-server token from a GitHub App. Once you remove someone's credential authorization, they will need to authorize the credential again for the organization they want to access. The authenticated user must be an organization owner to use this endpoint. diff --git a/descriptions-next/ghec/dereferenced/ghec.deref.json b/descriptions-next/ghec/dereferenced/ghec.deref.json index 8c815ea83..11dfcd848 100644 --- a/descriptions-next/ghec/dereferenced/ghec.deref.json +++ b/descriptions-next/ghec/dereferenced/ghec.deref.json @@ -53648,6 +53648,213 @@ } } }, + "/enterprises/{enterprise}/credential-authorizations/{username}/revoke": { + "post": { + "summary": "Revoke credential authorizations for a user in an enterprise", + "description": "Revokes all credential authorizations for a single user within the enterprise.\nThis includes any credential authorizations the user has across all organizations\nin the enterprise.\n\nFor Enterprise Managed User (EMU) enterprises, you can optionally also destroy all\ncredentials (PATs v1, PATs v2, and SSH keys) owned by the user by setting\nthe `revoke_credentials` parameter to `true`.\n\nThis operation is performed asynchronously. A background job will be queued to process\nthe revocations.\n\n> [!WARNING]\n> If you use a personal access token to call this endpoint and target yourself, that\n> token may also be revoked or destroyed as part of this operation.\n\nThe authenticated user must be an enterprise owner or have the `write_enterprise_credentials` permission to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `admin:enterprise` scope to use this endpoint.", + "tags": [ + "enterprise-admin" + ], + "operationId": "enterprise-admin/revoke-credential-authorizations-for-user", + "externalDocs": { + "description": "API method documentation", + "url": "https://docs.github.com/enterprise-cloud@latest/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise" + }, + "parameters": [ + { + "name": "enterprise", + "description": "The slug version of the enterprise name.", + "in": "path", + "required": true, + "schema": { + "type": "string" + } + }, + { + "name": "username", + "description": "The handle for the GitHub user account.", + "in": "path", + "required": true, + "schema": { + "type": "string" + } + } + ], + "requestBody": { + "required": false, + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "revoke_credentials": { + "type": "boolean", + "description": "Whether to also destroy the actual credentials (PATs and SSH keys) owned by\nthe user. This option is only available for Enterprise Managed User (EMU)\nenterprises. When set to `true`, all PATs (v1 and v2) and SSH keys owned\nby the user will be destroyed in addition to the credential authorizations.", + "default": false + } + } + }, + "examples": { + "default": { + "value": { + "revoke_credentials": false + } + }, + "emu_with_credential_revocation": { + "summary": "EMU enterprise with credential revocation", + "value": { + "revoke_credentials": true + } + } + } + } + } + }, + "responses": { + "202": { + "description": "Accepted - The revocation request has been queued", + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "message": { + "type": "string", + "description": "A message indicating the revocation has been queued" + }, + "warning": { + "type": "string", + "description": "A warning message if the token used for this request may be revoked" + } + } + }, + "examples": { + "default": { + "value": { + "message": "Credential authorization revocation for user 'octocat' has been queued" + } + }, + "with_authorization_revoked_warning": { + "summary": "Warning when the calling token may have its authorization revoked", + "value": { + "message": "Credential authorization revocation for user 'octocat' has been queued", + "warning": "The token used for this request may also have its authorization revoked as part of this operation" + } + }, + "with_credential_destroyed_warning": { + "summary": "Warning when the calling token may be destroyed (EMU with `revoke_credentials`)", + "value": { + "message": "Credential authorization revocation for user 'octocat' has been queued", + "warning": "The token used for this request may also be destroyed as part of this operation" + } + } + } + } + } + }, + "403": { + "description": "Forbidden", + "content": { + "application/json": { + "schema": { + "title": "Basic Error", + "description": "Basic Error", + "type": "object", + "properties": { + "message": { + "type": "string" + }, + "documentation_url": { + "type": "string" + }, + "url": { + "type": "string" + }, + "status": { + "type": "string" + } + } + } + } + } + }, + "404": { + "description": "Resource not found", + "content": { + "application/json": { + "schema": { + "title": "Basic Error", + "description": "Basic Error", + "type": "object", + "properties": { + "message": { + "type": "string" + }, + "documentation_url": { + "type": "string" + }, + "url": { + "type": "string" + }, + "status": { + "type": "string" + } + } + } + } + } + }, + "422": { + "description": "Validation error - The target user cannot be revoked, or `revoke_credentials` is not available for this enterprise", + "content": { + "application/json": { + "schema": { + "title": "Basic Error", + "description": "Basic Error", + "type": "object", + "properties": { + "message": { + "type": "string" + }, + "documentation_url": { + "type": "string" + }, + "url": { + "type": "string" + }, + "status": { + "type": "string" + } + } + }, + "examples": { + "non_emu_enterprise": { + "summary": "`revoke_credentials` requested on a non-EMU enterprise", + "value": { + "message": "The `revoke_credentials` option is only available for Enterprise Managed User (EMU) enterprises", + "documentation_url": "https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise" + } + }, + "first_emu_owner": { + "summary": "Target user is the first EMU owner", + "value": { + "message": "The first EMU owner cannot be targeted for credential revocation.", + "documentation_url": "https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise" + } + } + } + } + } + } + }, + "x-github": { + "githubCloudOnly": true, + "enabledForGitHubApps": true, + "category": "enterprise-admin", + "subcategory": "credential-authorizations" + } + } + }, "/enterprises/{enterprise}/dependabot/alerts": { "get": { "summary": "List Dependabot alerts for an enterprise", @@ -79359,7 +79566,9 @@ "enterprise", "organization", "repository", - "cost_center" + "cost_center", + "multi_user_customer", + "user" ], "examples": [ "enterprise" @@ -79372,6 +79581,20 @@ "example-repository-name" ] }, + "user": { + "type": "string", + "description": "The user login when the budget is scoped to a single user (`user` scope).", + "examples": [ + "octocat" + ] + }, + "consumed_amount": { + "type": "number", + "description": "The consumed amount for the specified user within the budget. Only included for `user`-scoped budgets.", + "examples": [ + 42.5 + ] + }, "budget_amount": { "type": "integer", "description": "The budget amount in whole dollars. For license-based products, this represents the number of licenses.", @@ -199132,7 +199355,7 @@ "/orgs/{org}/credential-authorizations": { "get": { "summary": "List SAML SSO authorizations for an organization", - "description": "Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials are either personal access tokens or SSH keys that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on).\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `read:org` scope to use this endpoint.", + "description": "Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials can be personal access tokens, SSH keys, OAuth app access tokens, or user-to-server tokens from GitHub Apps that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on).\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `read:org` scope to use this endpoint.", "tags": [ "orgs" ], @@ -199206,13 +199429,19 @@ "credential_type": { "type": "string", "description": "Human-readable description of the credential type.", + "enum": [ + "personal access token", + "SSH key", + "OAuth app token", + "GitHub app token" + ], "examples": [ - "SSH Key" + "SSH key" ] }, "token_last_eight": { "type": "string", - "description": "Last eight characters of the credential. Only included in responses with credential_type of personal access token.", + "description": "Last eight characters of the credential. Only included in responses with a credential_type of personal access token, OAuth app token, or GitHub app token.", "examples": [ "12345678" ] @@ -199227,7 +199456,7 @@ }, "scopes": { "type": "array", - "description": "List of oauth scopes the token has been granted.", + "description": "List of OAuth scopes the token has been granted.", "items": { "type": "string" }, @@ -199238,7 +199467,7 @@ }, "fingerprint": { "type": "string", - "description": "Unique string to distinguish the credential. Only included in responses with credential_type of SSH Key.", + "description": "Unique string to distinguish the credential. Only included in responses with a credential_type of SSH key.", "examples": [ "jklmnop12345678" ] @@ -199259,7 +199488,7 @@ "integer", "null" ], - "description": "The ID of the underlying token that was authorized by the user. This will remain unchanged across authorizations of the token.", + "description": "The ID of the underlying token or key that was authorized by the user. This will remain unchanged across authorizations of the token or key.", "examples": [ 12345678 ] @@ -199313,6 +199542,7 @@ "token_last_eight": "71c3fc11", "credential_authorized_at": "2011-01-26T19:06:43Z", "credential_accessed_at": "2011-01-26T19:06:43Z", + "authorized_credential_id": 12345678, "authorized_credential_expires_at": "2011-02-25T19:06:43Z", "scopes": [ "user", @@ -199325,11 +199555,47 @@ "credential_type": "personal access token", "token_last_eight": "Ae178B4a", "credential_authorized_at": "2019-03-29T19:06:43Z", - "credential_accessed_at": "2011-01-26T19:06:43Z", + "credential_accessed_at": "2019-04-15T19:06:43Z", + "authorized_credential_id": 12345679, "authorized_credential_expires_at": "2019-04-28T19:06:43Z", "scopes": [ "repo" ] + }, + { + "login": "octocat", + "credential_id": 161197, + "credential_type": "OAuth app token", + "token_last_eight": "9f2c4d1e", + "credential_authorized_at": "2023-05-15T19:06:43Z", + "credential_accessed_at": "2023-05-16T19:06:43Z", + "authorized_credential_id": 12345680, + "authorized_credential_expires_at": "2023-06-14T19:06:43Z", + "scopes": [ + "repo", + "read:org" + ] + }, + { + "login": "hubot", + "credential_id": 161198, + "credential_type": "GitHub app token", + "token_last_eight": "3b7a0c52", + "credential_authorized_at": "2023-05-15T19:06:43Z", + "credential_accessed_at": "2023-05-16T19:06:43Z", + "authorized_credential_id": 12345681, + "authorized_credential_expires_at": "2023-06-14T19:06:43Z", + "scopes": [] + }, + { + "login": "octocat", + "credential_id": 161199, + "credential_type": "SSH key", + "credential_authorized_at": "2023-05-15T19:06:43Z", + "credential_accessed_at": "2023-05-16T19:06:43Z", + "authorized_credential_id": 12345682, + "fingerprint": "jklmnop12345678", + "authorized_credential_title": "my ssh key" } ] } @@ -199349,7 +199615,7 @@ "/orgs/{org}/credential-authorizations/{credential_id}": { "delete": { "summary": "Remove a SAML SSO authorization for an organization", - "description": "Removes a credential authorization for an organization that uses SAML SSO. Once you remove someone's credential authorization, they will need to create a new personal access token or SSH key and authorize it for the organization they want to access.\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `admin:org` scope to use this endpoint.", + "description": "Removes a credential authorization for an organization that uses SAML SSO. The credential can be a personal access token, an SSH key, an OAuth app access token, or a user-to-server token from a GitHub App. Once you remove someone's credential authorization, they will need to authorize the credential again for the organization they want to access.\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `admin:org` scope to use this endpoint.", "tags": [ "orgs" ], diff --git a/descriptions-next/ghec/dereferenced/ghec.deref.yaml b/descriptions-next/ghec/dereferenced/ghec.deref.yaml index 75b01fad8..bcb346e2d 100644 --- a/descriptions-next/ghec/dereferenced/ghec.deref.yaml +++ b/descriptions-next/ghec/dereferenced/ghec.deref.yaml @@ -20774,6 +20774,128 @@ paths: enabledForGitHubApps: true category: enterprise-admin subcategory: credential-authorizations + "/enterprises/{enterprise}/credential-authorizations/{username}/revoke": + post: + summary: Revoke credential authorizations for a user in an enterprise + description: |- + Revokes all credential authorizations for a single user within the enterprise. + This includes any credential authorizations the user has across all organizations + in the enterprise. + + For Enterprise Managed User (EMU) enterprises, you can optionally also destroy all + credentials (PATs v1, PATs v2, and SSH keys) owned by the user by setting + the `revoke_credentials` parameter to `true`. + + This operation is performed asynchronously. A background job will be queued to process + the revocations. + + > [!WARNING] + > If you use a personal access token to call this endpoint and target yourself, that + > token may also be revoked or destroyed as part of this operation. + + The authenticated user must be an enterprise owner or have the `write_enterprise_credentials` permission to use this endpoint. + + OAuth app tokens and personal access tokens (classic) need the `admin:enterprise` scope to use this endpoint. + tags: + - enterprise-admin + operationId: enterprise-admin/revoke-credential-authorizations-for-user + externalDocs: + description: API method documentation + url: https://docs.github.com/enterprise-cloud@latest/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise + parameters: + - *39 + - &140 + name: username + description: The handle for the GitHub user account. + in: path + required: true + schema: + type: string + requestBody: + required: false + content: + application/json: + schema: + type: object + properties: + revoke_credentials: + type: boolean + description: |- + Whether to also destroy the actual credentials (PATs and SSH keys) owned by + the user. This option is only available for Enterprise Managed User (EMU) + enterprises. When set to `true`, all PATs (v1 and v2) and SSH keys owned + by the user will be destroyed in addition to the credential authorizations. + default: false + examples: + default: + value: + revoke_credentials: false + emu_with_credential_revocation: + summary: EMU enterprise with credential revocation + value: + revoke_credentials: true + responses: + '202': + description: Accepted - The revocation request has been queued + content: + application/json: + schema: + type: object + properties: + message: + type: string + description: A message indicating the revocation has been queued + warning: + type: string + description: A warning message if the token used for this request + may be revoked + examples: + default: + value: + message: Credential authorization revocation for user 'octocat' + has been queued + with_authorization_revoked_warning: + summary: Warning when the calling token may have its authorization + revoked + value: + message: Credential authorization revocation for user 'octocat' + has been queued + warning: The token used for this request may also have its authorization + revoked as part of this operation + with_credential_destroyed_warning: + summary: Warning when the calling token may be destroyed (EMU with + `revoke_credentials`) + value: + message: Credential authorization revocation for user 'octocat' + has been queued + warning: The token used for this request may also be destroyed + as part of this operation + '403': *27 + '404': *6 + '422': + description: Validation error - The target user cannot be revoked, or `revoke_credentials` + is not available for this enterprise + content: + application/json: + schema: *3 + examples: + non_emu_enterprise: + summary: "`revoke_credentials` requested on a non-EMU enterprise" + value: + message: The `revoke_credentials` option is only available for + Enterprise Managed User (EMU) enterprises + documentation_url: https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise + first_emu_owner: + summary: Target user is the first EMU owner + value: + message: The first EMU owner cannot be targeted for credential + revocation. + documentation_url: https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise + x-github: + githubCloudOnly: true + enabledForGitHubApps: true + category: enterprise-admin + subcategory: credential-authorizations "/enterprises/{enterprise}/dependabot/alerts": get: summary: List Dependabot alerts for an enterprise @@ -22445,13 +22567,7 @@ paths: url: https://docs.github.com/enterprise-cloud@latest/rest/enterprise-admin/enterprise-roles#remove-all-enterprise-roles-from-a-user parameters: - *39 - - &140 - name: username - description: The handle for the GitHub user account. - in: path - required: true - schema: - type: string + - *140 responses: '204': description: Response @@ -28060,6 +28176,8 @@ paths: - organization - repository - cost_center + - multi_user_customer + - user examples: - enterprise budget_entity_name: @@ -28067,6 +28185,18 @@ paths: description: The name of the entity to apply the budget to examples: - example-repository-name + user: + type: string + description: The user login when the budget is scoped to a + single user (`user` scope). + examples: + - octocat + consumed_amount: + type: number + description: The consumed amount for the specified user within + the budget. Only included for `user`-scoped budgets. + examples: + - 42.5 budget_amount: type: integer description: The budget amount in whole dollars. For license-based @@ -51455,7 +51585,7 @@ paths: get: summary: List SAML SSO authorizations for an organization description: |- - Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials are either personal access tokens or SSH keys that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on). + Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials can be personal access tokens, SSH keys, OAuth app access tokens, or user-to-server tokens from GitHub Apps that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on). The authenticated user must be an organization owner to use this endpoint. @@ -51507,12 +51637,18 @@ paths: credential_type: type: string description: Human-readable description of the credential type. + enum: + - personal access token + - SSH key + - OAuth app token + - GitHub app token examples: - - SSH Key + - SSH key token_last_eight: type: string description: Last eight characters of the credential. Only included - in responses with credential_type of personal access token. + in responses with a credential_type of personal access token, + OAuth app token, or GitHub app token. examples: - '12345678' credential_authorized_at: @@ -51523,7 +51659,7 @@ paths: - '2011-01-26T19:06:43Z' scopes: type: array - description: List of oauth scopes the token has been granted. + description: List of OAuth scopes the token has been granted. items: type: string examples: @@ -51532,7 +51668,7 @@ paths: fingerprint: type: string description: Unique string to distinguish the credential. Only - included in responses with credential_type of SSH Key. + included in responses with a credential_type of SSH key. examples: - jklmnop12345678 credential_accessed_at: @@ -51548,9 +51684,9 @@ paths: type: - integer - 'null' - description: The ID of the underlying token that was authorized - by the user. This will remain unchanged across authorizations - of the token. + description: The ID of the underlying token or key that was + authorized by the user. This will remain unchanged across + authorizations of the token or key. examples: - 12345678 authorized_credential_title: @@ -51592,6 +51728,7 @@ paths: token_last_eight: 71c3fc11 credential_authorized_at: '2011-01-26T19:06:43Z' credential_accessed_at: '2011-01-26T19:06:43Z' + authorized_credential_id: 12345678 authorized_credential_expires_at: '2011-02-25T19:06:43Z' scopes: - user @@ -51601,10 +51738,39 @@ paths: credential_type: personal access token token_last_eight: Ae178B4a credential_authorized_at: '2019-03-29T19:06:43Z' - credential_accessed_at: '2011-01-26T19:06:43Z' + credential_accessed_at: '2019-04-15T19:06:43Z' + authorized_credential_id: 12345679 authorized_credential_expires_at: '2019-04-28T19:06:43Z' scopes: - repo + - login: octocat + credential_id: 161197 + credential_type: OAuth app token + token_last_eight: 9f2c4d1e + credential_authorized_at: '2023-05-15T19:06:43Z' + credential_accessed_at: '2023-05-16T19:06:43Z' + authorized_credential_id: 12345680 + authorized_credential_expires_at: '2023-06-14T19:06:43Z' + scopes: + - repo + - read:org + - login: hubot + credential_id: 161198 + credential_type: GitHub app token + token_last_eight: 3b7a0c52 + credential_authorized_at: '2023-05-15T19:06:43Z' + credential_accessed_at: '2023-05-16T19:06:43Z' + authorized_credential_id: 12345681 + authorized_credential_expires_at: '2023-06-14T19:06:43Z' + scopes: [] + - login: octocat + credential_id: 161199 + credential_type: SSH key + credential_authorized_at: '2023-05-15T19:06:43Z' + credential_accessed_at: '2023-05-16T19:06:43Z' + authorized_credential_id: 12345682 + fingerprint: jklmnop12345678 + authorized_credential_title: my ssh key x-github: githubCloudOnly: true enabledForGitHubApps: true @@ -51614,7 +51780,7 @@ paths: delete: summary: Remove a SAML SSO authorization for an organization description: |- - Removes a credential authorization for an organization that uses SAML SSO. Once you remove someone's credential authorization, they will need to create a new personal access token or SSH key and authorize it for the organization they want to access. + Removes a credential authorization for an organization that uses SAML SSO. The credential can be a personal access token, an SSH key, an OAuth app access token, or a user-to-server token from a GitHub App. Once you remove someone's credential authorization, they will need to authorize the credential again for the organization they want to access. The authenticated user must be an organization owner to use this endpoint. diff --git a/descriptions-next/ghec/ghec.2022-11-28.json b/descriptions-next/ghec/ghec.2022-11-28.json index 124480068..e9a6d2573 100644 --- a/descriptions-next/ghec/ghec.2022-11-28.json +++ b/descriptions-next/ghec/ghec.2022-11-28.json @@ -13831,6 +13831,139 @@ } } }, + "/enterprises/{enterprise}/credential-authorizations/{username}/revoke": { + "post": { + "summary": "Revoke credential authorizations for a user in an enterprise", + "description": "Revokes all credential authorizations for a single user within the enterprise.\nThis includes any credential authorizations the user has across all organizations\nin the enterprise.\n\nFor Enterprise Managed User (EMU) enterprises, you can optionally also destroy all\ncredentials (PATs v1, PATs v2, and SSH keys) owned by the user by setting\nthe `revoke_credentials` parameter to `true`.\n\nThis operation is performed asynchronously. A background job will be queued to process\nthe revocations.\n\n> [!WARNING]\n> If you use a personal access token to call this endpoint and target yourself, that\n> token may also be revoked or destroyed as part of this operation.\n\nThe authenticated user must be an enterprise owner or have the `write_enterprise_credentials` permission to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `admin:enterprise` scope to use this endpoint.", + "tags": [ + "enterprise-admin" + ], + "operationId": "enterprise-admin/revoke-credential-authorizations-for-user", + "externalDocs": { + "description": "API method documentation", + "url": "https://docs.github.com/enterprise-cloud@latest/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise" + }, + "parameters": [ + { + "$ref": "#/components/parameters/enterprise" + }, + { + "$ref": "#/components/parameters/username" + } + ], + "requestBody": { + "required": false, + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "revoke_credentials": { + "type": "boolean", + "description": "Whether to also destroy the actual credentials (PATs and SSH keys) owned by\nthe user. This option is only available for Enterprise Managed User (EMU)\nenterprises. When set to `true`, all PATs (v1 and v2) and SSH keys owned\nby the user will be destroyed in addition to the credential authorizations.", + "default": false + } + } + }, + "examples": { + "default": { + "value": { + "revoke_credentials": false + } + }, + "emu_with_credential_revocation": { + "summary": "EMU enterprise with credential revocation", + "value": { + "revoke_credentials": true + } + } + } + } + } + }, + "responses": { + "202": { + "description": "Accepted - The revocation request has been queued", + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "message": { + "type": "string", + "description": "A message indicating the revocation has been queued" + }, + "warning": { + "type": "string", + "description": "A warning message if the token used for this request may be revoked" + } + } + }, + "examples": { + "default": { + "value": { + "message": "Credential authorization revocation for user 'octocat' has been queued" + } + }, + "with_authorization_revoked_warning": { + "summary": "Warning when the calling token may have its authorization revoked", + "value": { + "message": "Credential authorization revocation for user 'octocat' has been queued", + "warning": "The token used for this request may also have its authorization revoked as part of this operation" + } + }, + "with_credential_destroyed_warning": { + "summary": "Warning when the calling token may be destroyed (EMU with `revoke_credentials`)", + "value": { + "message": "Credential authorization revocation for user 'octocat' has been queued", + "warning": "The token used for this request may also be destroyed as part of this operation" + } + } + } + } + } + }, + "403": { + "$ref": "#/components/responses/forbidden" + }, + "404": { + "$ref": "#/components/responses/not_found" + }, + "422": { + "description": "Validation error - The target user cannot be revoked, or `revoke_credentials` is not available for this enterprise", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/basic-error" + }, + "examples": { + "non_emu_enterprise": { + "summary": "`revoke_credentials` requested on a non-EMU enterprise", + "value": { + "message": "The `revoke_credentials` option is only available for Enterprise Managed User (EMU) enterprises", + "documentation_url": "https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise" + } + }, + "first_emu_owner": { + "summary": "Target user is the first EMU owner", + "value": { + "message": "The first EMU owner cannot be targeted for credential revocation.", + "documentation_url": "https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise" + } + } + } + } + } + } + }, + "x-github": { + "githubCloudOnly": true, + "enabledForGitHubApps": true, + "category": "enterprise-admin", + "subcategory": "credential-authorizations" + } + } + }, "/enterprises/{enterprise}/dependabot/alerts": { "get": { "summary": "List Dependabot alerts for an enterprise", @@ -37141,7 +37274,7 @@ "/orgs/{org}/credential-authorizations": { "get": { "summary": "List SAML SSO authorizations for an organization", - "description": "Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials are either personal access tokens or SSH keys that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on).\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `read:org` scope to use this endpoint.", + "description": "Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials can be personal access tokens, SSH keys, OAuth app access tokens, or user-to-server tokens from GitHub Apps that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on).\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `read:org` scope to use this endpoint.", "tags": [ "orgs" ], @@ -37205,7 +37338,7 @@ "/orgs/{org}/credential-authorizations/{credential_id}": { "delete": { "summary": "Remove a SAML SSO authorization for an organization", - "description": "Removes a credential authorization for an organization that uses SAML SSO. Once you remove someone's credential authorization, they will need to create a new personal access token or SSH key and authorize it for the organization they want to access.\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `admin:org` scope to use this endpoint.", + "description": "Removes a credential authorization for an organization that uses SAML SSO. The credential can be a personal access token, an SSH key, an OAuth app access token, or a user-to-server token from a GitHub App. Once you remove someone's credential authorization, they will need to authorize the credential again for the organization they want to access.\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `admin:org` scope to use this endpoint.", "tags": [ "orgs" ], @@ -143879,7 +144012,9 @@ "enterprise", "organization", "repository", - "cost_center" + "cost_center", + "multi_user_customer", + "user" ], "examples": [ "enterprise" @@ -143892,6 +144027,20 @@ "example-repository-name" ] }, + "user": { + "type": "string", + "description": "The user login when the budget is scoped to a single user (`user` scope).", + "examples": [ + "octocat" + ] + }, + "consumed_amount": { + "type": "number", + "description": "The consumed amount for the specified user within the budget. Only included for `user`-scoped budgets.", + "examples": [ + 42.5 + ] + }, "budget_amount": { "type": "integer", "description": "The budget amount in whole dollars. For license-based products, this represents the number of licenses.", @@ -151267,13 +151416,19 @@ "credential_type": { "type": "string", "description": "Human-readable description of the credential type.", + "enum": [ + "personal access token", + "SSH key", + "OAuth app token", + "GitHub app token" + ], "examples": [ - "SSH Key" + "SSH key" ] }, "token_last_eight": { "type": "string", - "description": "Last eight characters of the credential. Only included in responses with credential_type of personal access token.", + "description": "Last eight characters of the credential. Only included in responses with a credential_type of personal access token, OAuth app token, or GitHub app token.", "examples": [ "12345678" ] @@ -151288,7 +151443,7 @@ }, "scopes": { "type": "array", - "description": "List of oauth scopes the token has been granted.", + "description": "List of OAuth scopes the token has been granted.", "items": { "type": "string" }, @@ -151299,7 +151454,7 @@ }, "fingerprint": { "type": "string", - "description": "Unique string to distinguish the credential. Only included in responses with credential_type of SSH Key.", + "description": "Unique string to distinguish the credential. Only included in responses with a credential_type of SSH key.", "examples": [ "jklmnop12345678" ] @@ -151320,7 +151475,7 @@ "integer", "null" ], - "description": "The ID of the underlying token that was authorized by the user. This will remain unchanged across authorizations of the token.", + "description": "The ID of the underlying token or key that was authorized by the user. This will remain unchanged across authorizations of the token or key.", "examples": [ 12345678 ] @@ -338772,6 +338927,7 @@ "token_last_eight": "71c3fc11", "credential_authorized_at": "2011-01-26T19:06:43Z", "credential_accessed_at": "2011-01-26T19:06:43Z", + "authorized_credential_id": 12345678, "authorized_credential_expires_at": "2011-02-25T19:06:43Z", "scopes": [ "user", @@ -338784,11 +338940,47 @@ "credential_type": "personal access token", "token_last_eight": "Ae178B4a", "credential_authorized_at": "2019-03-29T19:06:43Z", - "credential_accessed_at": "2011-01-26T19:06:43Z", + "credential_accessed_at": "2019-04-15T19:06:43Z", + "authorized_credential_id": 12345679, "authorized_credential_expires_at": "2019-04-28T19:06:43Z", "scopes": [ "repo" ] + }, + { + "login": "octocat", + "credential_id": 161197, + "credential_type": "OAuth app token", + "token_last_eight": "9f2c4d1e", + "credential_authorized_at": "2023-05-15T19:06:43Z", + "credential_accessed_at": "2023-05-16T19:06:43Z", + "authorized_credential_id": 12345680, + "authorized_credential_expires_at": "2023-06-14T19:06:43Z", + "scopes": [ + "repo", + "read:org" + ] + }, + { + "login": "hubot", + "credential_id": 161198, + "credential_type": "GitHub app token", + "token_last_eight": "3b7a0c52", + "credential_authorized_at": "2023-05-15T19:06:43Z", + "credential_accessed_at": "2023-05-16T19:06:43Z", + "authorized_credential_id": 12345681, + "authorized_credential_expires_at": "2023-06-14T19:06:43Z", + "scopes": [] + }, + { + "login": "octocat", + "credential_id": 161199, + "credential_type": "SSH key", + "credential_authorized_at": "2023-05-15T19:06:43Z", + "credential_accessed_at": "2023-05-16T19:06:43Z", + "authorized_credential_id": 12345682, + "fingerprint": "jklmnop12345678", + "authorized_credential_title": "my ssh key" } ] }, @@ -364939,6 +365131,15 @@ ] } }, + "username": { + "name": "username", + "description": "The handle for the GitHub user account.", + "in": "path", + "required": true, + "schema": { + "type": "string" + } + }, "dependabot-alert-comma-separated-classifications": { "name": "classification", "in": "query", @@ -365079,15 +365280,6 @@ "type": "integer" } }, - "username": { - "name": "username", - "description": "The handle for the GitHub user account.", - "in": "path", - "required": true, - "schema": { - "type": "string" - } - }, "network-configuration-id": { "name": "network_configuration_id", "description": "Unique identifier of the hosted compute network configuration.", diff --git a/descriptions-next/ghec/ghec.2022-11-28.yaml b/descriptions-next/ghec/ghec.2022-11-28.yaml index 1a85469fb..e69e98509 100644 --- a/descriptions-next/ghec/ghec.2022-11-28.yaml +++ b/descriptions-next/ghec/ghec.2022-11-28.yaml @@ -10227,6 +10227,125 @@ paths: enabledForGitHubApps: true category: enterprise-admin subcategory: credential-authorizations + "/enterprises/{enterprise}/credential-authorizations/{username}/revoke": + post: + summary: Revoke credential authorizations for a user in an enterprise + description: |- + Revokes all credential authorizations for a single user within the enterprise. + This includes any credential authorizations the user has across all organizations + in the enterprise. + + For Enterprise Managed User (EMU) enterprises, you can optionally also destroy all + credentials (PATs v1, PATs v2, and SSH keys) owned by the user by setting + the `revoke_credentials` parameter to `true`. + + This operation is performed asynchronously. A background job will be queued to process + the revocations. + + > [!WARNING] + > If you use a personal access token to call this endpoint and target yourself, that + > token may also be revoked or destroyed as part of this operation. + + The authenticated user must be an enterprise owner or have the `write_enterprise_credentials` permission to use this endpoint. + + OAuth app tokens and personal access tokens (classic) need the `admin:enterprise` scope to use this endpoint. + tags: + - enterprise-admin + operationId: enterprise-admin/revoke-credential-authorizations-for-user + externalDocs: + description: API method documentation + url: https://docs.github.com/enterprise-cloud@latest/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise + parameters: + - "$ref": "#/components/parameters/enterprise" + - "$ref": "#/components/parameters/username" + requestBody: + required: false + content: + application/json: + schema: + type: object + properties: + revoke_credentials: + type: boolean + description: |- + Whether to also destroy the actual credentials (PATs and SSH keys) owned by + the user. This option is only available for Enterprise Managed User (EMU) + enterprises. When set to `true`, all PATs (v1 and v2) and SSH keys owned + by the user will be destroyed in addition to the credential authorizations. + default: false + examples: + default: + value: + revoke_credentials: false + emu_with_credential_revocation: + summary: EMU enterprise with credential revocation + value: + revoke_credentials: true + responses: + '202': + description: Accepted - The revocation request has been queued + content: + application/json: + schema: + type: object + properties: + message: + type: string + description: A message indicating the revocation has been queued + warning: + type: string + description: A warning message if the token used for this request + may be revoked + examples: + default: + value: + message: Credential authorization revocation for user 'octocat' + has been queued + with_authorization_revoked_warning: + summary: Warning when the calling token may have its authorization + revoked + value: + message: Credential authorization revocation for user 'octocat' + has been queued + warning: The token used for this request may also have its authorization + revoked as part of this operation + with_credential_destroyed_warning: + summary: Warning when the calling token may be destroyed (EMU with + `revoke_credentials`) + value: + message: Credential authorization revocation for user 'octocat' + has been queued + warning: The token used for this request may also be destroyed + as part of this operation + '403': + "$ref": "#/components/responses/forbidden" + '404': + "$ref": "#/components/responses/not_found" + '422': + description: Validation error - The target user cannot be revoked, or `revoke_credentials` + is not available for this enterprise + content: + application/json: + schema: + "$ref": "#/components/schemas/basic-error" + examples: + non_emu_enterprise: + summary: "`revoke_credentials` requested on a non-EMU enterprise" + value: + message: The `revoke_credentials` option is only available for + Enterprise Managed User (EMU) enterprises + documentation_url: https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise + first_emu_owner: + summary: Target user is the first EMU owner + value: + message: The first EMU owner cannot be targeted for credential + revocation. + documentation_url: https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise + x-github: + githubCloudOnly: true + enabledForGitHubApps: true + category: enterprise-admin + subcategory: credential-authorizations "/enterprises/{enterprise}/dependabot/alerts": get: summary: List Dependabot alerts for an enterprise @@ -27319,7 +27438,7 @@ paths: get: summary: List SAML SSO authorizations for an organization description: |- - Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials are either personal access tokens or SSH keys that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on). + Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials can be personal access tokens, SSH keys, OAuth app access tokens, or user-to-server tokens from GitHub Apps that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on). The authenticated user must be an organization owner to use this endpoint. @@ -27365,7 +27484,7 @@ paths: delete: summary: Remove a SAML SSO authorization for an organization description: |- - Removes a credential authorization for an organization that uses SAML SSO. Once you remove someone's credential authorization, they will need to create a new personal access token or SSH key and authorize it for the organization they want to access. + Removes a credential authorization for an organization that uses SAML SSO. The credential can be a personal access token, an SSH key, an OAuth app access token, or a user-to-server token from a GitHub App. Once you remove someone's credential authorization, they will need to authorize the credential again for the organization they want to access. The authenticated user must be an organization owner to use this endpoint. @@ -104585,6 +104704,8 @@ components: - organization - repository - cost_center + - multi_user_customer + - user examples: - enterprise budget_entity_name: @@ -104592,6 +104713,18 @@ components: description: The name of the entity to apply the budget to examples: - example-repository-name + user: + type: string + description: The user login when the budget is scoped to a single user + (`user` scope). + examples: + - octocat + consumed_amount: + type: number + description: The consumed amount for the specified user within the budget. + Only included for `user`-scoped budgets. + examples: + - 42.5 budget_amount: type: integer description: The budget amount in whole dollars. For license-based products, @@ -110021,12 +110154,18 @@ components: credential_type: type: string description: Human-readable description of the credential type. + enum: + - personal access token + - SSH key + - OAuth app token + - GitHub app token examples: - - SSH Key + - SSH key token_last_eight: type: string description: Last eight characters of the credential. Only included in responses - with credential_type of personal access token. + with a credential_type of personal access token, OAuth app token, or GitHub + app token. examples: - '12345678' credential_authorized_at: @@ -110037,7 +110176,7 @@ components: - '2011-01-26T19:06:43Z' scopes: type: array - description: List of oauth scopes the token has been granted. + description: List of OAuth scopes the token has been granted. items: type: string examples: @@ -110046,7 +110185,7 @@ components: fingerprint: type: string description: Unique string to distinguish the credential. Only included - in responses with credential_type of SSH Key. + in responses with a credential_type of SSH key. examples: - jklmnop12345678 credential_accessed_at: @@ -110062,8 +110201,9 @@ components: type: - integer - 'null' - description: The ID of the underlying token that was authorized by the user. - This will remain unchanged across authorizations of the token. + description: The ID of the underlying token or key that was authorized by + the user. This will remain unchanged across authorizations of the token + or key. examples: - 12345678 authorized_credential_title: @@ -249899,6 +250039,7 @@ components: token_last_eight: 71c3fc11 credential_authorized_at: '2011-01-26T19:06:43Z' credential_accessed_at: '2011-01-26T19:06:43Z' + authorized_credential_id: 12345678 authorized_credential_expires_at: '2011-02-25T19:06:43Z' scopes: - user @@ -249908,10 +250049,39 @@ components: credential_type: personal access token token_last_eight: Ae178B4a credential_authorized_at: '2019-03-29T19:06:43Z' - credential_accessed_at: '2011-01-26T19:06:43Z' + credential_accessed_at: '2019-04-15T19:06:43Z' + authorized_credential_id: 12345679 authorized_credential_expires_at: '2019-04-28T19:06:43Z' scopes: - repo + - login: octocat + credential_id: 161197 + credential_type: OAuth app token + token_last_eight: 9f2c4d1e + credential_authorized_at: '2023-05-15T19:06:43Z' + credential_accessed_at: '2023-05-16T19:06:43Z' + authorized_credential_id: 12345680 + authorized_credential_expires_at: '2023-06-14T19:06:43Z' + scopes: + - repo + - read:org + - login: hubot + credential_id: 161198 + credential_type: GitHub app token + token_last_eight: 3b7a0c52 + credential_authorized_at: '2023-05-15T19:06:43Z' + credential_accessed_at: '2023-05-16T19:06:43Z' + authorized_credential_id: 12345681 + authorized_credential_expires_at: '2023-06-14T19:06:43Z' + scopes: [] + - login: octocat + credential_id: 161199 + credential_type: SSH key + credential_authorized_at: '2023-05-15T19:06:43Z' + credential_accessed_at: '2023-05-16T19:06:43Z' + authorized_credential_id: 12345682 + fingerprint: jklmnop12345678 + authorized_credential_title: my ssh key organization-custom-repository-role-list-example: value: total_count: 2 @@ -272316,6 +272486,13 @@ components: format: date examples: - '2025-10-13' + username: + name: username + description: The handle for the GitHub user account. + in: path + required: true + schema: + type: string dependabot-alert-comma-separated-classifications: name: classification in: query @@ -272450,13 +272627,6 @@ components: required: true schema: type: integer - username: - name: username - description: The handle for the GitHub user account. - in: path - required: true - schema: - type: string network-configuration-id: name: network_configuration_id description: Unique identifier of the hosted compute network configuration. diff --git a/descriptions-next/ghec/ghec.2026-03-10.json b/descriptions-next/ghec/ghec.2026-03-10.json index 2ad2c4c42..2dcd3844d 100644 --- a/descriptions-next/ghec/ghec.2026-03-10.json +++ b/descriptions-next/ghec/ghec.2026-03-10.json @@ -13831,6 +13831,139 @@ } } }, + "/enterprises/{enterprise}/credential-authorizations/{username}/revoke": { + "post": { + "summary": "Revoke credential authorizations for a user in an enterprise", + "description": "Revokes all credential authorizations for a single user within the enterprise.\nThis includes any credential authorizations the user has across all organizations\nin the enterprise.\n\nFor Enterprise Managed User (EMU) enterprises, you can optionally also destroy all\ncredentials (PATs v1, PATs v2, and SSH keys) owned by the user by setting\nthe `revoke_credentials` parameter to `true`.\n\nThis operation is performed asynchronously. A background job will be queued to process\nthe revocations.\n\n> [!WARNING]\n> If you use a personal access token to call this endpoint and target yourself, that\n> token may also be revoked or destroyed as part of this operation.\n\nThe authenticated user must be an enterprise owner or have the `write_enterprise_credentials` permission to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `admin:enterprise` scope to use this endpoint.", + "tags": [ + "enterprise-admin" + ], + "operationId": "enterprise-admin/revoke-credential-authorizations-for-user", + "externalDocs": { + "description": "API method documentation", + "url": "https://docs.github.com/enterprise-cloud@latest/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise" + }, + "parameters": [ + { + "$ref": "#/components/parameters/enterprise" + }, + { + "$ref": "#/components/parameters/username" + } + ], + "requestBody": { + "required": false, + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "revoke_credentials": { + "type": "boolean", + "description": "Whether to also destroy the actual credentials (PATs and SSH keys) owned by\nthe user. This option is only available for Enterprise Managed User (EMU)\nenterprises. When set to `true`, all PATs (v1 and v2) and SSH keys owned\nby the user will be destroyed in addition to the credential authorizations.", + "default": false + } + } + }, + "examples": { + "default": { + "value": { + "revoke_credentials": false + } + }, + "emu_with_credential_revocation": { + "summary": "EMU enterprise with credential revocation", + "value": { + "revoke_credentials": true + } + } + } + } + } + }, + "responses": { + "202": { + "description": "Accepted - The revocation request has been queued", + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "message": { + "type": "string", + "description": "A message indicating the revocation has been queued" + }, + "warning": { + "type": "string", + "description": "A warning message if the token used for this request may be revoked" + } + } + }, + "examples": { + "default": { + "value": { + "message": "Credential authorization revocation for user 'octocat' has been queued" + } + }, + "with_authorization_revoked_warning": { + "summary": "Warning when the calling token may have its authorization revoked", + "value": { + "message": "Credential authorization revocation for user 'octocat' has been queued", + "warning": "The token used for this request may also have its authorization revoked as part of this operation" + } + }, + "with_credential_destroyed_warning": { + "summary": "Warning when the calling token may be destroyed (EMU with `revoke_credentials`)", + "value": { + "message": "Credential authorization revocation for user 'octocat' has been queued", + "warning": "The token used for this request may also be destroyed as part of this operation" + } + } + } + } + } + }, + "403": { + "$ref": "#/components/responses/forbidden" + }, + "404": { + "$ref": "#/components/responses/not_found" + }, + "422": { + "description": "Validation error - The target user cannot be revoked, or `revoke_credentials` is not available for this enterprise", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/basic-error" + }, + "examples": { + "non_emu_enterprise": { + "summary": "`revoke_credentials` requested on a non-EMU enterprise", + "value": { + "message": "The `revoke_credentials` option is only available for Enterprise Managed User (EMU) enterprises", + "documentation_url": "https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise" + } + }, + "first_emu_owner": { + "summary": "Target user is the first EMU owner", + "value": { + "message": "The first EMU owner cannot be targeted for credential revocation.", + "documentation_url": "https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise" + } + } + } + } + } + } + }, + "x-github": { + "githubCloudOnly": true, + "enabledForGitHubApps": true, + "category": "enterprise-admin", + "subcategory": "credential-authorizations" + } + } + }, "/enterprises/{enterprise}/dependabot/alerts": { "get": { "summary": "List Dependabot alerts for an enterprise", @@ -37079,7 +37212,7 @@ "/orgs/{org}/credential-authorizations": { "get": { "summary": "List SAML SSO authorizations for an organization", - "description": "Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials are either personal access tokens or SSH keys that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on).\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `read:org` scope to use this endpoint.", + "description": "Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials can be personal access tokens, SSH keys, OAuth app access tokens, or user-to-server tokens from GitHub Apps that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on).\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `read:org` scope to use this endpoint.", "tags": [ "orgs" ], @@ -37143,7 +37276,7 @@ "/orgs/{org}/credential-authorizations/{credential_id}": { "delete": { "summary": "Remove a SAML SSO authorization for an organization", - "description": "Removes a credential authorization for an organization that uses SAML SSO. Once you remove someone's credential authorization, they will need to create a new personal access token or SSH key and authorize it for the organization they want to access.\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `admin:org` scope to use this endpoint.", + "description": "Removes a credential authorization for an organization that uses SAML SSO. The credential can be a personal access token, an SSH key, an OAuth app access token, or a user-to-server token from a GitHub App. Once you remove someone's credential authorization, they will need to authorize the credential again for the organization they want to access.\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `admin:org` scope to use this endpoint.", "tags": [ "orgs" ], @@ -143651,7 +143784,9 @@ "enterprise", "organization", "repository", - "cost_center" + "cost_center", + "multi_user_customer", + "user" ], "examples": [ "enterprise" @@ -143664,6 +143799,20 @@ "example-repository-name" ] }, + "user": { + "type": "string", + "description": "The user login when the budget is scoped to a single user (`user` scope).", + "examples": [ + "octocat" + ] + }, + "consumed_amount": { + "type": "number", + "description": "The consumed amount for the specified user within the budget. Only included for `user`-scoped budgets.", + "examples": [ + 42.5 + ] + }, "budget_amount": { "type": "integer", "description": "The budget amount in whole dollars. For license-based products, this represents the number of licenses.", @@ -150624,13 +150773,19 @@ "credential_type": { "type": "string", "description": "Human-readable description of the credential type.", + "enum": [ + "personal access token", + "SSH key", + "OAuth app token", + "GitHub app token" + ], "examples": [ - "SSH Key" + "SSH key" ] }, "token_last_eight": { "type": "string", - "description": "Last eight characters of the credential. Only included in responses with credential_type of personal access token.", + "description": "Last eight characters of the credential. Only included in responses with a credential_type of personal access token, OAuth app token, or GitHub app token.", "examples": [ "12345678" ] @@ -150645,7 +150800,7 @@ }, "scopes": { "type": "array", - "description": "List of oauth scopes the token has been granted.", + "description": "List of OAuth scopes the token has been granted.", "items": { "type": "string" }, @@ -150656,7 +150811,7 @@ }, "fingerprint": { "type": "string", - "description": "Unique string to distinguish the credential. Only included in responses with credential_type of SSH Key.", + "description": "Unique string to distinguish the credential. Only included in responses with a credential_type of SSH key.", "examples": [ "jklmnop12345678" ] @@ -150677,7 +150832,7 @@ "integer", "null" ], - "description": "The ID of the underlying token that was authorized by the user. This will remain unchanged across authorizations of the token.", + "description": "The ID of the underlying token or key that was authorized by the user. This will remain unchanged across authorizations of the token or key.", "examples": [ 12345678 ] @@ -337884,6 +338039,7 @@ "token_last_eight": "71c3fc11", "credential_authorized_at": "2011-01-26T19:06:43Z", "credential_accessed_at": "2011-01-26T19:06:43Z", + "authorized_credential_id": 12345678, "authorized_credential_expires_at": "2011-02-25T19:06:43Z", "scopes": [ "user", @@ -337896,11 +338052,47 @@ "credential_type": "personal access token", "token_last_eight": "Ae178B4a", "credential_authorized_at": "2019-03-29T19:06:43Z", - "credential_accessed_at": "2011-01-26T19:06:43Z", + "credential_accessed_at": "2019-04-15T19:06:43Z", + "authorized_credential_id": 12345679, "authorized_credential_expires_at": "2019-04-28T19:06:43Z", "scopes": [ "repo" ] + }, + { + "login": "octocat", + "credential_id": 161197, + "credential_type": "OAuth app token", + "token_last_eight": "9f2c4d1e", + "credential_authorized_at": "2023-05-15T19:06:43Z", + "credential_accessed_at": "2023-05-16T19:06:43Z", + "authorized_credential_id": 12345680, + "authorized_credential_expires_at": "2023-06-14T19:06:43Z", + "scopes": [ + "repo", + "read:org" + ] + }, + { + "login": "hubot", + "credential_id": 161198, + "credential_type": "GitHub app token", + "token_last_eight": "3b7a0c52", + "credential_authorized_at": "2023-05-15T19:06:43Z", + "credential_accessed_at": "2023-05-16T19:06:43Z", + "authorized_credential_id": 12345681, + "authorized_credential_expires_at": "2023-06-14T19:06:43Z", + "scopes": [] + }, + { + "login": "octocat", + "credential_id": 161199, + "credential_type": "SSH key", + "credential_authorized_at": "2023-05-15T19:06:43Z", + "credential_accessed_at": "2023-05-16T19:06:43Z", + "authorized_credential_id": 12345682, + "fingerprint": "jklmnop12345678", + "authorized_credential_title": "my ssh key" } ] }, @@ -363979,6 +364171,15 @@ ] } }, + "username": { + "name": "username", + "description": "The handle for the GitHub user account.", + "in": "path", + "required": true, + "schema": { + "type": "string" + } + }, "dependabot-alert-comma-separated-classifications": { "name": "classification", "in": "query", @@ -364119,15 +364320,6 @@ "type": "integer" } }, - "username": { - "name": "username", - "description": "The handle for the GitHub user account.", - "in": "path", - "required": true, - "schema": { - "type": "string" - } - }, "network-configuration-id": { "name": "network_configuration_id", "description": "Unique identifier of the hosted compute network configuration.", diff --git a/descriptions-next/ghec/ghec.2026-03-10.yaml b/descriptions-next/ghec/ghec.2026-03-10.yaml index b367be8c8..9c74db300 100644 --- a/descriptions-next/ghec/ghec.2026-03-10.yaml +++ b/descriptions-next/ghec/ghec.2026-03-10.yaml @@ -10227,6 +10227,125 @@ paths: enabledForGitHubApps: true category: enterprise-admin subcategory: credential-authorizations + "/enterprises/{enterprise}/credential-authorizations/{username}/revoke": + post: + summary: Revoke credential authorizations for a user in an enterprise + description: |- + Revokes all credential authorizations for a single user within the enterprise. + This includes any credential authorizations the user has across all organizations + in the enterprise. + + For Enterprise Managed User (EMU) enterprises, you can optionally also destroy all + credentials (PATs v1, PATs v2, and SSH keys) owned by the user by setting + the `revoke_credentials` parameter to `true`. + + This operation is performed asynchronously. A background job will be queued to process + the revocations. + + > [!WARNING] + > If you use a personal access token to call this endpoint and target yourself, that + > token may also be revoked or destroyed as part of this operation. + + The authenticated user must be an enterprise owner or have the `write_enterprise_credentials` permission to use this endpoint. + + OAuth app tokens and personal access tokens (classic) need the `admin:enterprise` scope to use this endpoint. + tags: + - enterprise-admin + operationId: enterprise-admin/revoke-credential-authorizations-for-user + externalDocs: + description: API method documentation + url: https://docs.github.com/enterprise-cloud@latest/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise + parameters: + - "$ref": "#/components/parameters/enterprise" + - "$ref": "#/components/parameters/username" + requestBody: + required: false + content: + application/json: + schema: + type: object + properties: + revoke_credentials: + type: boolean + description: |- + Whether to also destroy the actual credentials (PATs and SSH keys) owned by + the user. This option is only available for Enterprise Managed User (EMU) + enterprises. When set to `true`, all PATs (v1 and v2) and SSH keys owned + by the user will be destroyed in addition to the credential authorizations. + default: false + examples: + default: + value: + revoke_credentials: false + emu_with_credential_revocation: + summary: EMU enterprise with credential revocation + value: + revoke_credentials: true + responses: + '202': + description: Accepted - The revocation request has been queued + content: + application/json: + schema: + type: object + properties: + message: + type: string + description: A message indicating the revocation has been queued + warning: + type: string + description: A warning message if the token used for this request + may be revoked + examples: + default: + value: + message: Credential authorization revocation for user 'octocat' + has been queued + with_authorization_revoked_warning: + summary: Warning when the calling token may have its authorization + revoked + value: + message: Credential authorization revocation for user 'octocat' + has been queued + warning: The token used for this request may also have its authorization + revoked as part of this operation + with_credential_destroyed_warning: + summary: Warning when the calling token may be destroyed (EMU with + `revoke_credentials`) + value: + message: Credential authorization revocation for user 'octocat' + has been queued + warning: The token used for this request may also be destroyed + as part of this operation + '403': + "$ref": "#/components/responses/forbidden" + '404': + "$ref": "#/components/responses/not_found" + '422': + description: Validation error - The target user cannot be revoked, or `revoke_credentials` + is not available for this enterprise + content: + application/json: + schema: + "$ref": "#/components/schemas/basic-error" + examples: + non_emu_enterprise: + summary: "`revoke_credentials` requested on a non-EMU enterprise" + value: + message: The `revoke_credentials` option is only available for + Enterprise Managed User (EMU) enterprises + documentation_url: https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise + first_emu_owner: + summary: Target user is the first EMU owner + value: + message: The first EMU owner cannot be targeted for credential + revocation. + documentation_url: https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise + x-github: + githubCloudOnly: true + enabledForGitHubApps: true + category: enterprise-admin + subcategory: credential-authorizations "/enterprises/{enterprise}/dependabot/alerts": get: summary: List Dependabot alerts for an enterprise @@ -27272,7 +27391,7 @@ paths: get: summary: List SAML SSO authorizations for an organization description: |- - Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials are either personal access tokens or SSH keys that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on). + Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials can be personal access tokens, SSH keys, OAuth app access tokens, or user-to-server tokens from GitHub Apps that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on). The authenticated user must be an organization owner to use this endpoint. @@ -27318,7 +27437,7 @@ paths: delete: summary: Remove a SAML SSO authorization for an organization description: |- - Removes a credential authorization for an organization that uses SAML SSO. Once you remove someone's credential authorization, they will need to create a new personal access token or SSH key and authorize it for the organization they want to access. + Removes a credential authorization for an organization that uses SAML SSO. The credential can be a personal access token, an SSH key, an OAuth app access token, or a user-to-server token from a GitHub App. Once you remove someone's credential authorization, they will need to authorize the credential again for the organization they want to access. The authenticated user must be an organization owner to use this endpoint. @@ -104401,6 +104520,8 @@ components: - organization - repository - cost_center + - multi_user_customer + - user examples: - enterprise budget_entity_name: @@ -104408,6 +104529,18 @@ components: description: The name of the entity to apply the budget to examples: - example-repository-name + user: + type: string + description: The user login when the budget is scoped to a single user + (`user` scope). + examples: + - octocat + consumed_amount: + type: number + description: The consumed amount for the specified user within the budget. + Only included for `user`-scoped budgets. + examples: + - 42.5 budget_amount: type: integer description: The budget amount in whole dollars. For license-based products, @@ -109543,12 +109676,18 @@ components: credential_type: type: string description: Human-readable description of the credential type. + enum: + - personal access token + - SSH key + - OAuth app token + - GitHub app token examples: - - SSH Key + - SSH key token_last_eight: type: string description: Last eight characters of the credential. Only included in responses - with credential_type of personal access token. + with a credential_type of personal access token, OAuth app token, or GitHub + app token. examples: - '12345678' credential_authorized_at: @@ -109559,7 +109698,7 @@ components: - '2011-01-26T19:06:43Z' scopes: type: array - description: List of oauth scopes the token has been granted. + description: List of OAuth scopes the token has been granted. items: type: string examples: @@ -109568,7 +109707,7 @@ components: fingerprint: type: string description: Unique string to distinguish the credential. Only included - in responses with credential_type of SSH Key. + in responses with a credential_type of SSH key. examples: - jklmnop12345678 credential_accessed_at: @@ -109584,8 +109723,9 @@ components: type: - integer - 'null' - description: The ID of the underlying token that was authorized by the user. - This will remain unchanged across authorizations of the token. + description: The ID of the underlying token or key that was authorized by + the user. This will remain unchanged across authorizations of the token + or key. examples: - 12345678 authorized_credential_title: @@ -249168,6 +249308,7 @@ components: token_last_eight: 71c3fc11 credential_authorized_at: '2011-01-26T19:06:43Z' credential_accessed_at: '2011-01-26T19:06:43Z' + authorized_credential_id: 12345678 authorized_credential_expires_at: '2011-02-25T19:06:43Z' scopes: - user @@ -249177,10 +249318,39 @@ components: credential_type: personal access token token_last_eight: Ae178B4a credential_authorized_at: '2019-03-29T19:06:43Z' - credential_accessed_at: '2011-01-26T19:06:43Z' + credential_accessed_at: '2019-04-15T19:06:43Z' + authorized_credential_id: 12345679 authorized_credential_expires_at: '2019-04-28T19:06:43Z' scopes: - repo + - login: octocat + credential_id: 161197 + credential_type: OAuth app token + token_last_eight: 9f2c4d1e + credential_authorized_at: '2023-05-15T19:06:43Z' + credential_accessed_at: '2023-05-16T19:06:43Z' + authorized_credential_id: 12345680 + authorized_credential_expires_at: '2023-06-14T19:06:43Z' + scopes: + - repo + - read:org + - login: hubot + credential_id: 161198 + credential_type: GitHub app token + token_last_eight: 3b7a0c52 + credential_authorized_at: '2023-05-15T19:06:43Z' + credential_accessed_at: '2023-05-16T19:06:43Z' + authorized_credential_id: 12345681 + authorized_credential_expires_at: '2023-06-14T19:06:43Z' + scopes: [] + - login: octocat + credential_id: 161199 + credential_type: SSH key + credential_authorized_at: '2023-05-15T19:06:43Z' + credential_accessed_at: '2023-05-16T19:06:43Z' + authorized_credential_id: 12345682 + fingerprint: jklmnop12345678 + authorized_credential_title: my ssh key organization-custom-repository-role-list-example: value: total_count: 2 @@ -271515,6 +271685,13 @@ components: format: date examples: - '2025-10-13' + username: + name: username + description: The handle for the GitHub user account. + in: path + required: true + schema: + type: string dependabot-alert-comma-separated-classifications: name: classification in: query @@ -271649,13 +271826,6 @@ components: required: true schema: type: integer - username: - name: username - description: The handle for the GitHub user account. - in: path - required: true - schema: - type: string network-configuration-id: name: network_configuration_id description: Unique identifier of the hosted compute network configuration. diff --git a/descriptions-next/ghec/ghec.json b/descriptions-next/ghec/ghec.json index 460529e3a..520c388c1 100644 --- a/descriptions-next/ghec/ghec.json +++ b/descriptions-next/ghec/ghec.json @@ -13845,6 +13845,139 @@ } } }, + "/enterprises/{enterprise}/credential-authorizations/{username}/revoke": { + "post": { + "summary": "Revoke credential authorizations for a user in an enterprise", + "description": "Revokes all credential authorizations for a single user within the enterprise.\nThis includes any credential authorizations the user has across all organizations\nin the enterprise.\n\nFor Enterprise Managed User (EMU) enterprises, you can optionally also destroy all\ncredentials (PATs v1, PATs v2, and SSH keys) owned by the user by setting\nthe `revoke_credentials` parameter to `true`.\n\nThis operation is performed asynchronously. A background job will be queued to process\nthe revocations.\n\n> [!WARNING]\n> If you use a personal access token to call this endpoint and target yourself, that\n> token may also be revoked or destroyed as part of this operation.\n\nThe authenticated user must be an enterprise owner or have the `write_enterprise_credentials` permission to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `admin:enterprise` scope to use this endpoint.", + "tags": [ + "enterprise-admin" + ], + "operationId": "enterprise-admin/revoke-credential-authorizations-for-user", + "externalDocs": { + "description": "API method documentation", + "url": "https://docs.github.com/enterprise-cloud@latest/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise" + }, + "parameters": [ + { + "$ref": "#/components/parameters/enterprise" + }, + { + "$ref": "#/components/parameters/username" + } + ], + "requestBody": { + "required": false, + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "revoke_credentials": { + "type": "boolean", + "description": "Whether to also destroy the actual credentials (PATs and SSH keys) owned by\nthe user. This option is only available for Enterprise Managed User (EMU)\nenterprises. When set to `true`, all PATs (v1 and v2) and SSH keys owned\nby the user will be destroyed in addition to the credential authorizations.", + "default": false + } + } + }, + "examples": { + "default": { + "value": { + "revoke_credentials": false + } + }, + "emu_with_credential_revocation": { + "summary": "EMU enterprise with credential revocation", + "value": { + "revoke_credentials": true + } + } + } + } + } + }, + "responses": { + "202": { + "description": "Accepted - The revocation request has been queued", + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "message": { + "type": "string", + "description": "A message indicating the revocation has been queued" + }, + "warning": { + "type": "string", + "description": "A warning message if the token used for this request may be revoked" + } + } + }, + "examples": { + "default": { + "value": { + "message": "Credential authorization revocation for user 'octocat' has been queued" + } + }, + "with_authorization_revoked_warning": { + "summary": "Warning when the calling token may have its authorization revoked", + "value": { + "message": "Credential authorization revocation for user 'octocat' has been queued", + "warning": "The token used for this request may also have its authorization revoked as part of this operation" + } + }, + "with_credential_destroyed_warning": { + "summary": "Warning when the calling token may be destroyed (EMU with `revoke_credentials`)", + "value": { + "message": "Credential authorization revocation for user 'octocat' has been queued", + "warning": "The token used for this request may also be destroyed as part of this operation" + } + } + } + } + } + }, + "403": { + "$ref": "#/components/responses/forbidden" + }, + "404": { + "$ref": "#/components/responses/not_found" + }, + "422": { + "description": "Validation error - The target user cannot be revoked, or `revoke_credentials` is not available for this enterprise", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/basic-error" + }, + "examples": { + "non_emu_enterprise": { + "summary": "`revoke_credentials` requested on a non-EMU enterprise", + "value": { + "message": "The `revoke_credentials` option is only available for Enterprise Managed User (EMU) enterprises", + "documentation_url": "https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise" + } + }, + "first_emu_owner": { + "summary": "Target user is the first EMU owner", + "value": { + "message": "The first EMU owner cannot be targeted for credential revocation.", + "documentation_url": "https://docs.github.com/rest/enterprise-admin/credential-authorizations#revoke-credential-authorizations-for-a-user-in-an-enterprise" + } + } + } + } + } + } + }, + "x-github": { + "githubCloudOnly": true, + "enabledForGitHubApps": true, + "category": "enterprise-admin", + "subcategory": "credential-authorizations" + } + } + }, "/enterprises/{enterprise}/dependabot/alerts": { "get": { "summary": "List Dependabot alerts for an enterprise", @@ -37269,7 +37402,7 @@ "/orgs/{org}/credential-authorizations": { "get": { "summary": "List SAML SSO authorizations for an organization", - "description": "Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials are either personal access tokens or SSH keys that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on).\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `read:org` scope to use this endpoint.", + "description": "Lists all credential authorizations for an organization that uses SAML single sign-on (SSO). The credentials can be personal access tokens, SSH keys, OAuth app access tokens, or user-to-server tokens from GitHub Apps that organization members have authorized for the organization. For more information, see [About authentication with SAML single sign-on](https://docs.github.com/enterprise-cloud@latest/articles/about-authentication-with-saml-single-sign-on).\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `read:org` scope to use this endpoint.", "tags": [ "orgs" ], @@ -37333,7 +37466,7 @@ "/orgs/{org}/credential-authorizations/{credential_id}": { "delete": { "summary": "Remove a SAML SSO authorization for an organization", - "description": "Removes a credential authorization for an organization that uses SAML SSO. Once you remove someone's credential authorization, they will need to create a new personal access token or SSH key and authorize it for the organization they want to access.\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `admin:org` scope to use this endpoint.", + "description": "Removes a credential authorization for an organization that uses SAML SSO. The credential can be a personal access token, an SSH key, an OAuth app access token, or a user-to-server token from a GitHub App. Once you remove someone's credential authorization, they will need to authorize the credential again for the organization they want to access.\n\nThe authenticated user must be an organization owner to use this endpoint.\n\nOAuth app tokens and personal access tokens (classic) need the `admin:org` scope to use this endpoint.", "tags": [ "orgs" ], @@ -144516,7 +144649,9 @@ "enterprise", "organization", "repository", - "cost_center" + "cost_center", + "multi_user_customer", + "user" ], "examples": [ "enterprise" @@ -144529,6 +144664,20 @@ "example-repository-name" ] }, + "user": { + "type": "string", + "description": "The user login when the budget is scoped to a single user (`user` scope).", + "examples": [ + "octocat" + ] + }, + "consumed_amount": { + "type": "number", + "description": "The consumed amount for the specified user within the budget. Only included for `user`-scoped budgets.", + "examples": [ + 42.5 + ] + }, "budget_amount": { "type": "integer", "description": "The budget amount in whole dollars. For license-based products, this represents the number of licenses.", @@ -152045,13 +152194,19 @@ "credential_type": { "type": "string", "description": "Human-readable description of the credential type.", + "enum": [ + "personal access token", + "SSH key", + "OAuth app token", + "GitHub app token" + ], "examples": [ - "SSH Key" + "SSH key" ] }, "token_last_eight": { "type": "string", - "description": "Last eight characters of the credential. Only included in responses with credential_type of personal access token.", + "description": "Last eight characters of the credential. Only included in responses with a credential_type of personal access token, OAuth app token, or GitHub app token.", "examples": [ "12345678" ] @@ -152066,7 +152221,7 @@ }, "scopes": { "type": "array", - "description": "List of oauth scopes the token has been granted.", + "description": "List of OAuth scopes the token has been granted.", "items": { "type": "string" }, @@ -152077,7 +152232,7 @@ }, "fingerprint": { "type": "string", - "description": "Unique string to distinguish the credential. Only included in responses with credential_type of SSH Key.", + "description": "Unique string to distinguish the credential. Only included in responses with a credential_type of SSH key.", "examples": [ "jklmnop12345678" ] @@ -152098,7 +152253,7 @@ "integer", "null" ], - "description": "The ID of the underlying token that was authorized by the user. This will remain unchanged across authorizations of the token.", + "description": "The ID of the underlying token or key that was authorized by the user. This will remain unchanged across authorizations of the token or key.", "examples": [ 12345678 ] @@ -340734,6 +340889,7 @@ "token_last_eight": "71c3fc11", "credential_authorized_at": "2011-01-26T19:06:43Z", "credential_accessed_at": "2011-01-26T19:06:43Z", + "authorized_credential_id": 12345678, "authorized_credential_expires_at": "2011-02-25T19:06:43Z", "scopes": [ "user", @@ -340746,11 +340902,47 @@ "credential_type": "personal access token", "token_last_eight": "Ae178B4a", "credential_authorized_at": "2019-03-29T19:06:43Z", - "credential_accessed_at": "2011-01-26T19:06:43Z", + "credential_accessed_at": "2019-04-15T19:06:43Z", + "authorized_credential_id": 12345679, "authorized_credential_expires_at": "2019-04-28T19:06:43Z", "scopes": [ "repo" ] + }, + { + "login": "octocat", + "credential_id": 161197, + "credential_type": "OAuth app token", + "token_last_eight": "9f2c4d1e", + "credential_authorized_at": "2023-05-15T19:06:43Z", + "credential_accessed_at": "2023-05-16T19:06:43Z", + "authorized_credential_id": 12345680, + "authorized_credential_expires_at": "2023-06-14T19:06:43Z", + "scopes": [ + "repo", + "read:org" + ] + }, + { + "login": "hubot", + "credential_id": 161198, + "credential_type": "GitHub app token", + "token_last_eight": "3b7a0c52", + "credential_authorized_at": "2023-05-15T19:06:43Z", + "credential_accessed_at": "2023-05-16T19:06:43Z", + "authorized_credential_id": 12345681, + "authorized_credential_expires_at": "2023-06-14T19:06:43Z", + "scopes": [] + }, + { + "login": "octocat", + "credential_id": 161199, + "credential_type": "SSH key", + "credential_authorized_at": "2023-05-15T19:06:43Z", + "credential_accessed_at": "2023-05-16T19:06:43Z", + "authorized_credential_id": 12345682, + "finge{"code":"deadline_exceeded","msg":"operation timed out"}