Use the REST API to interact with JWTs for OIDC subject claims in GitHub Actions.
You can use the REST API to query and manage a customization template for an OpenID Connect (OIDC) subject claim. For more information, see " About security hardening with OpenID Connect ."
Gets the customization template for an OpenID Connect (OIDC) subject claim.
OAuth app tokens and personal access tokens (classic) need the read:org scope to use this endpoint.
read:org
This endpoint works with the following fine-grained token types :
The fine-grained token must have the following permission set:
accept
Setting to application/vnd.github+json is recommended.
application/vnd.github+json
org
The organization name. The name is not case sensitive.
200
A JSON serialized template for OIDC subject claim customization
curl -L \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer <YOUR-TOKEN>" \ -H "X-GitHub-Api-Version: 2022-11-28" \ https://api.github.com/orgs/ORG/actions/oidc/customization/sub
Status: 200
{ "include_claim_keys": [ "repo", "context" ] }
Creates or updates the customization template for an OpenID Connect (OIDC) subject claim.
OAuth app tokens and personal access tokens (classic) need the write:org scope to use this endpoint.
write:org
include_claim_keys
Array of unique strings. Each claim key can only contain alphanumeric characters and underscores.
201
Empty response
403
Forbidden
404
Resource not found
curl -L \ -X PUT \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer <YOUR-TOKEN>" \ -H "X-GitHub-Api-Version: 2022-11-28" \ https://api.github.com/orgs/ORG/actions/oidc/customization/sub \ -d '{"include_claim_keys":["repo","context"]}'
Status: 201
OAuth tokens and personal access tokens (classic) need the repo scope to use this endpoint.
repo
This endpoint can be used without authentication or the aforementioned permissions if only public resources are requested.
owner
The account owner of the repository. The name is not case sensitive.
The name of the repository without the .git extension. The name is not case sensitive.
.git
Status response
400
Bad Request
curl -L \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer <YOUR-TOKEN>" \ -H "X-GitHub-Api-Version: 2022-11-28" \ https://api.github.com/repos/OWNER/REPO/actions/oidc/customization/sub
{ "use_default": false, "include_claim_keys": [ "repo", "context" ] }
Sets the customization template and opt-in or opt-out flag for an OpenID Connect (OIDC) subject claim for a repository.
opt-in
opt-out
OAuth app tokens and personal access tokens (classic) need the repo scope to use this endpoint.
use_default
Whether to use the default template or not. If true , the include_claim_keys field is ignored.
true
422
Validation failed, or the endpoint has been spammed.
curl -L \ -X PUT \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer <YOUR-TOKEN>" \ -H "X-GitHub-Api-Version: 2022-11-28" \ https://api.github.com/repos/OWNER/REPO/actions/oidc/customization/sub \ -d '{"use_default":false,"include_claim_keys":["repo","context"]}'