REST API endpoints for GitHub Actions OIDC

About GitHub Actions OIDC

You can use the REST API to query and manage a customization template for an OpenID Connect (OIDC) subject claim. For more information, see OpenID Connect.

List OIDC custom property inclusions for an enterprise

Lists the repository custom properties that are included in the OIDC token for repository actions in an enterprise.

OAuth app tokens and personal access tokens (classic) need the admin:enterprise scope to use this endpoint.

Fine-grained access tokens for "List OIDC custom property inclusions for an enterprise"

This endpoint works with the following fine-grained token types:

The fine-grained token must have the following permission set:

"Enterprise administration" enterprise permissions (read)

Parameters for "List OIDC custom property inclusions for an enterprise"

Headers
Name, Type, Description
`accept` string Setting to `application/vnd.github+json` is recommended.

Path parameters
Name, Type, Description
`enterprise` string Required The slug version of the enterprise name.

HTTP response status codes for "List OIDC custom property inclusions for an enterprise"

Status code	Description
`200`	A JSON array of OIDC custom property inclusions
`403`	Forbidden
`404`	Resource not found

Code samples for "List OIDC custom property inclusions for an enterprise"

Request example

get/enterprises/{enterprise}/actions/oidc/customization/properties/repo

curl -L \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2026-03-10" \
  https://api.github.com/enterprises/ENTERPRISE/actions/oidc/customization/properties/repo

A JSON array of OIDC custom property inclusions

Status: 200

[
  {
    "custom_property_name": "environment",
    "inclusion_source": "enterprise"
  },
  {
    "custom_property_name": "team",
    "inclusion_source": "enterprise"
  }
]

Create an OIDC custom property inclusion for an enterprise

Adds a repository custom property to be included in the OIDC token for repository actions in an enterprise.

OAuth app tokens and personal access tokens (classic) need the admin:enterprise scope to use this endpoint.

Fine-grained access tokens for "Create an OIDC custom property inclusion for an enterprise"

This endpoint works with the following fine-grained token types:

The fine-grained token must have the following permission set:

"Enterprise administration" enterprise permissions (write)

Parameters for "Create an OIDC custom property inclusion for an enterprise"

Headers
Name, Type, Description
`accept` string Setting to `application/vnd.github+json` is recommended.

Path parameters
Name, Type, Description
`enterprise` string Required The slug version of the enterprise name.

Body parameters
Name, Type, Description
`custom_property_name` string Required The name of the custom property to include in the OIDC token

HTTP response status codes for "Create an OIDC custom property inclusion for an enterprise"

Status code	Description
`201`	OIDC custom property inclusion created
`400`	Invalid input
`403`	Forbidden
`422`	Property inclusion already exists

Code samples for "Create an OIDC custom property inclusion for an enterprise"

Request example

post/enterprises/{enterprise}/actions/oidc/customization/properties/repo

curl -L \
  -X POST \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2026-03-10" \
  https://api.github.com/enterprises/ENTERPRISE/actions/oidc/customization/properties/repo \
  -d '{"custom_property_name":"environment"}'

OIDC custom property inclusion created

Status: 201

{
  "custom_property_name": "environment"
}

Delete an OIDC custom property inclusion for an enterprise

Removes a repository custom property from being included in the OIDC token for repository actions in an enterprise.

OAuth app tokens and personal access tokens (classic) need the admin:enterprise scope to use this endpoint.

Fine-grained access tokens for "Delete an OIDC custom property inclusion for an enterprise"

This endpoint works with the following fine-grained token types:

The fine-grained token must have the following permission set:

"Enterprise administration" enterprise permissions (write)

Parameters for "Delete an OIDC custom property inclusion for an enterprise"

Headers
Name, Type, Description
`accept` string Setting to `application/vnd.github+json` is recommended.

Path parameters
Name, Type, Description
`enterprise` string Required The slug version of the enterprise name.
`custom_property_name` string Required The name of the custom property to remove from OIDC token inclusion

HTTP response status codes for "Delete an OIDC custom property inclusion for an enterprise"

Status code	Description
`204`	OIDC custom property inclusion deleted
`400`	Invalid input
`403`	Forbidden
`404`	Property inclusion not found

Code samples for "Delete an OIDC custom property inclusion for an enterprise"

Request example

delete/enterprises/{enterprise}/actions/oidc/customization/properties/repo/{custom_property_name}

curl -L \
  -X DELETE \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2026-03-10" \
  https://api.github.com/enterprises/ENTERPRISE/actions/oidc/customization/properties/repo/CUSTOM_PROPERTY_NAME

OIDC custom property inclusion deleted

Status: 204

List OIDC custom property inclusions for an organization

Lists the repository custom properties that are included in the OIDC token for repository actions in an organization.

OAuth app tokens and personal access tokens (classic) need the read:org scope to use this endpoint.

Fine-grained access tokens for "List OIDC custom property inclusions for an organization"

This endpoint works with the following fine-grained token types:

The fine-grained token must have the following permission set:

"Administration" organization permissions (read)

Parameters for "List OIDC custom property inclusions for an organization"

Headers
Name, Type, Description
`accept` string Setting to `application/vnd.github+json` is recommended.

Path parameters
Name, Type, Description
`org` string Required The organization name. The name is not case sensitive.

HTTP response status codes for "List OIDC custom property inclusions for an organization"

Status code	Description
`200`	A JSON array of OIDC custom property inclusions
`403`	Forbidden
`404`	Resource not found

Code samples for "List OIDC custom property inclusions for an organization"

Request example

get/orgs/{org}/actions/oidc/customization/properties/repo

curl -L \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2026-03-10" \
  https://api.github.com/orgs/ORG/actions/oidc/customization/properties/repo

A JSON array of OIDC custom property inclusions

Status: 200

[
  {
    "property_name": "environment"
  },
  {
    "property_name": "team"
  }
]

Create an OIDC custom property inclusion for an organization

Adds a repository custom property to be included in the OIDC token for repository actions in an organization.

OAuth app tokens and personal access tokens (classic) need the admin:org scope to use this endpoint.

Fine-grained access tokens for "Create an OIDC custom property inclusion for an organization"

This endpoint works with the following fine-grained token types:

The fine-grained token must have the following permission set:

"Administration" organization permissions (write)

Parameters for "Create an OIDC custom property inclusion for an organization"

Headers
Name, Type, Description
`accept` string Setting to `application/vnd.github+json` is recommended.

Path parameters
Name, Type, Description
`org` string Required The organization name. The name is not case sensitive.

Body parameters
Name, Type, Description
`custom_property_name` string Required The name of the custom property to include in the OIDC token

HTTP response status codes for "Create an OIDC custom property inclusion for an organization"

Status code	Description
`201`	OIDC custom property inclusion created
`400`	Invalid input
`403`	Forbidden
`422`	Property inclusion already exists

Code samples for "Create an OIDC custom property inclusion for an organization"

Request example

post/orgs/{org}/actions/oidc/customization/properties/repo

curl -L \
  -X POST \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2026-03-10" \
  https://api.github.com/orgs/ORG/actions/oidc/customization/properties/repo \
  -d '{"custom_property_name":"environment"}'

OIDC custom property inclusion created

Status: 201

{
  "custom_property_name": "environment"
}

Delete an OIDC custom property inclusion for an organization

Removes a repository custom property from being included in the OIDC token for repository actions in an organization.

OAuth app tokens and personal access tokens (classic) need the admin:org scope to use this endpoint.

Fine-grained access tokens for "Delete an OIDC custom property inclusion for an organization"

This endpoint works with the following fine-grained token types:

The fine-grained token must have the following permission set:

"Administration" organization permissions (write)

Parameters for "Delete an OIDC custom property inclusion for an organization"

Headers
Name, Type, Description
`accept` string Setting to `application/vnd.github+json` is recommended.

Path parameters
Name, Type, Description
`org` string Required The organization name. The name is not case sensitive.
`custom_property_name` string Required The name of the custom property to remove from OIDC token inclusion

HTTP response status codes for "Delete an OIDC custom property inclusion for an organization"

Status code	Description
`204`	OIDC custom property inclusion deleted
`400`	Invalid input
`403`	Forbidden
`404`	Property inclusion not found

Code samples for "Delete an OIDC custom property inclusion for an organization"

Request example

delete/orgs/{org}/actions/oidc/customization/properties/repo/{custom_property_name}

curl -L \
  -X DELETE \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2026-03-10" \
  https://api.github.com/orgs/ORG/actions/oidc/customization/properties/repo/CUSTOM_PROPERTY_NAME

OIDC custom property inclusion deleted

Status: 204

Get the customization template for an OIDC subject claim for an organization

Gets the customization template for an OpenID Connect (OIDC) subject claim.

OAuth app tokens and personal access tokens (classic) need the read:org scope to use this endpoint.

Fine-grained access tokens for "Get the customization template for an OIDC subject claim for an organization"

This endpoint works with the following fine-grained token types:

The fine-grained token must have the following permission set:

"Administration" organization permissions (read)

Parameters for "Get the customization template for an OIDC subject claim for an organization"

Headers
Name, Type, Description
`accept` string Setting to `application/vnd.github+json` is recommended.

Path parameters
Name, Type, Description
`org` string Required The organization name. The name is not case sensitive.

HTTP response status codes for "Get the customization template for an OIDC subject claim for an organization"

Status code	Description
`200`	A JSON serialized template for OIDC subject claim customization

Code samples for "Get the customization template for an OIDC subject claim for an organization"

Request example

get/orgs/{org}/actions/oidc/customization/sub

curl -L \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2026-03-10" \
  https://api.github.com/orgs/ORG/actions/oidc/customization/sub

A JSON serialized template for OIDC subject claim customization

Status: 200

{
  "include_claim_keys": [
    "repo",
    "context"
  ]
}

Set the customization template for an OIDC subject claim for an organization

Creates or updates the customization template for an OpenID Connect (OIDC) subject claim.

OAuth app tokens and personal access tokens (classic) need the write:org scope to use this endpoint.

Fine-grained access tokens for "Set the customization template for an OIDC subject claim for an organization"

This endpoint works with the following fine-grained token types:

The fine-grained token must have the following permission set:

"Administration" organization permissions (write)

Parameters for "Set the customization template for an OIDC subject claim for an organization"

Headers
Name, Type, Description
`accept` string Setting to `application/vnd.github+json` is recommended.

Path parameters
Name, Type, Description
`org` string Required The organization name. The name is not case sensitive.

Body parameters
Name, Type, Description
`include_claim_keys` array of strings Required Array of unique strings. Each claim key can only contain alphanumeric characters and underscores.

HTTP response status codes for "Set the customization template for an OIDC subject claim for an organization"

Status code	Description
`201`	Empty response
`403`	Forbidden
`404`	Resource not found

Code samples for "Set the customization template for an OIDC subject claim for an organization"

Request example

put/orgs/{org}/actions/oidc/customization/sub

curl -L \
  -X PUT \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2026-03-10" \
  https://api.github.com/orgs/ORG/actions/oidc/customization/sub \
  -d '{"include_claim_keys":["repo","context"]}'

Empty response

Status: 201

Get the customization template for an OIDC subject claim for a repository

Gets the customization template for an OpenID Connect (OIDC) subject claim.

OAuth tokens and personal access tokens (classic) need the repo scope to use this endpoint.

Fine-grained access tokens for "Get the customization template for an OIDC subject claim for a repository"

This endpoint works with the following fine-grained token types:

The fine-grained token must have the following permission set:

"Actions" repository permissions (read)

This endpoint can be used without authentication or the aforementioned permissions if only public resources are requested.

Parameters for "Get the customization template for an OIDC subject claim for a repository"

Headers
Name, Type, Description
`accept` string Setting to `application/vnd.github+json` is recommended.

Path parameters
Name, Type, Description
`owner` string Required The account owner of the repository. The name is not case sensitive.
`repo` string Required The name of the repository without the `.git` extension. The name is not case sensitive.

HTTP response status codes for "Get the customization template for an OIDC subject claim for a repository"

Status code	Description
`200`	Status response
`400`	Bad Request
`404`	Resource not found

Code samples for "Get the customization template for an OIDC subject claim for a repository"

Request example

get/repos/{owner}/{repo}/actions/oidc/customization/sub

curl -L \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2026-03-10" \
  https://api.github.com/repos/OWNER/REPO/actions/oidc/customization/sub

Status response

Status: 200

{
  "use_default": false,
  "include_claim_keys": [
    "repo",
    "context"
  ]
}

Set the customization template for an OIDC subject claim for a repository

Sets the customization template and opt-in or opt-out flag for an OpenID Connect (OIDC) subject claim for a repository.

OAuth app tokens and personal access tokens (classic) need the repo scope to use this endpoint.

Fine-grained access tokens for "Set the customization template for an OIDC subject claim for a repository"

This endpoint works with the following fine-grained token types:

The fine-grained token must have the following permission set:

"Actions" repository permissions (write)

Parameters for "Set the customization template for an OIDC subject claim for a repository"

Headers
Name, Type, Description
`accept` string Setting to `application/vnd.github+json` is recommended.

Path parameters
Name, Type, Description
`owner` string Required The account owner of the repository. The name is not case sensitive.
`repo` string Required The name of the repository without the `.git` extension. The name is not case sensitive.

Body parameters
Name, Type, Description
`use_default` boolean Required Whether to use the default template or not. If `true`, the `include_claim_keys` field is ignored.
`include_claim_keys` array of strings Array of unique strings. Each claim key can only contain alphanumeric characters and underscores.

HTTP response status codes for "Set the customization template for an OIDC subject claim for a repository"

Status code	Description
`201`	Empty response
`400`	Bad Request
`404`	Resource not found
`422`	Validation failed, or the endpoint has been spammed.

Code samples for "Set the customization template for an OIDC subject claim for a repository"

Request example

put/repos/{owner}/{repo}/actions/oidc/customization/sub

curl -L \
  -X PUT \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2026-03-10" \
  https://api.github.com/repos/OWNER/REPO/actions/oidc/customization/sub \
  -d '{"use_default":false,"include_claim_keys":["repo","context"]}'

Empty response

Status: 201