This version of GitHub Enterprise Server will be discontinued on 2026-06-02. No patch releases will be made, even for critical security issues. For better performance, improved security, and new features, upgrade to the latest version of GitHub Enterprise Server. For help with the upgrade, contact GitHub Enterprise support.

The REST API is now versioned. For more information, see "About API versioning."

Organization configurations

Use the REST API to manage private registry configurations for organizations.

List private registries for an organization

Lists all private registry configurations available at the organization-level without revealing their encrypted values.

OAuth app tokens and personal access tokens (classic) need the admin:org scope to use this endpoint.

Fine-grained access tokens for "List private registries for an organization"

This endpoint works with the following fine-grained token types:

The fine-grained token must have the following permission set:

  • "Organization private registries" organization permissions (read)

Parameters for "List private registries for an organization"

Headers
accept string

Setting to application/vnd.github+json is recommended.

Path parameters
org string Required

The organization name. The name is not case sensitive.

Query parameters
per_page integer

The number of results per page (max 100). For more information, see "Using pagination in the REST API."

Default: 30

page integer

The page number of the results to fetch. For more information, see "Using pagination in the REST API."

Default: 1

HTTP response status codes for "List private registries for an organization"

Status codeDescription
200

OK

400

Bad Request

404

Resource not found

Code samples for "List private registries for an organization"

Request example

get/orgs/{org}/private-registries
curl -L \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer <YOUR-TOKEN>" \ -H "X-GitHub-Api-Version: 2022-11-28" \ http(s)://HOSTNAME/api/v3/orgs/ORG/private-registries

Response

Status: 200
{ "total_count": 1, "configurations": [ { "name": "MAVEN_REPOSITORY_SECRET", "registry_type": "maven_repository", "username": "monalisa", "created_at": "2019-08-10T14:59:22Z", "updated_at": "2020-01-10T14:59:22Z", "visibility": "selected" } ] }

Get private registries public key for an organization

Gets the org public key, which is needed to encrypt private registry secrets. You need to encrypt a secret before you can create or update secrets.

OAuth tokens and personal access tokens (classic) need the admin:org scope to use this endpoint.

Fine-grained access tokens for "Get private registries public key for an organization"

This endpoint works with the following fine-grained token types:

The fine-grained token must have the following permission set:

  • "Organization private registries" organization permissions (read)

Parameters for "Get private registries public key for an organization"

Headers
accept string

Setting to application/vnd.github+json is recommended.

Path parameters
org string Required

The organization name. The name is not case sensitive.

HTTP response status codes for "Get private registries public key for an organization"

Status codeDescription
200

OK

404

Resource not found

Code samples for "Get private registries public key for an organization"

Request example

get/orgs/{org}/private-registries/public-key
curl -L \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer <YOUR-TOKEN>" \ -H "X-GitHub-Api-Version: 2022-11-28" \ http(s)://HOSTNAME/api/v3/orgs/ORG/private-registries/public-key

Response

Status: 200
{ "key_id": "012345678912345678", "key": "2Sg8iYjAxxmI2LvUXpJjkYrMxURPc8r+dB7TJyvv1234" }

Get a private registry for an organization

Get the configuration of a single private registry defined for an organization, omitting its encrypted value.

OAuth app tokens and personal access tokens (classic) need the admin:org scope to use this endpoint.

Fine-grained access tokens for "Get a private registry for an organization"

This endpoint works with the following fine-grained token types:

The fine-grained token must have the following permission set:

  • "Organization private registries" organization permissions (read)

Parameters for "Get a private registry for an organization"

Headers
accept string

Setting to application/vnd.github+json is recommended.

Path parameters
org string Required

The organization name. The name is not case sensitive.

secret_name string Required

The name of the secret.

HTTP response status codes for "Get a private registry for an organization"

Status codeDescription
200

The specified private registry configuration for the organization

404

Resource not found

Code samples for "Get a private registry for an organization"

Request example

get/orgs/{org}/private-registries/{secret_name}
curl -L \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer <YOUR-TOKEN>" \ -H "X-GitHub-Api-Version: 2022-11-28" \ http(s)://HOSTNAME/api/v3/orgs/ORG/private-registries/SECRET_NAME

The specified private registry configuration for the organization

Status: 200
{ "name": "MAVEN_REPOSITORY_SECRET", "registry_type": "maven_repository", "username": "monalisa", "visibility": "private", "created_at": "2019-08-10T14:59:22Z", "updated_at": "2020-01-10T14:59:22Z" }

Update a private registry for an organization

Updates a private registry configuration with an encrypted value for an organization. Encrypt your secret using LibSodium. For more information, see "Encrypting secrets for the REST API." For OIDC-based registries (oidc_azure, oidc_aws, oidc_jfrog, oidc_cloudsmith, or oidc_gcp), the encrypted_value and key_id fields should be omitted.

OAuth app tokens and personal access tokens (classic) need the admin:org scope to use this endpoint.

Fine-grained access tokens for "Update a private registry for an organization"

This endpoint works with the following fine-grained token types:

The fine-grained token must have the following permission set:

  • "Organization private registries" organization permissions (write)

Parameters for "Update a private registry for an organization"

Headers
accept string

Setting to application/vnd.github+json is recommended.

Path parameters
org string Required

The organization name. The name is not case sensitive.

secret_name string Required

The name of the secret.

Body parameters
registry_type string

The registry type.

Can be one of: maven_repository, nuget_feed, goproxy_server, npm_registry, rubygems_server, cargo_registry, composer_repository, docker_registry, git_source, helm_registry, hex_organization, hex_repository, pub_repository, python_index, terraform_registry

url string

The URL of the private registry.

username string or null

The username to use when authenticating with the private registry. This field should be omitted if the private registry does not require a username for authentication.

replaces_base boolean

Whether this private registry should replace the base registry (e.g., npmjs.org for npm, rubygems.org for rubygems). When set to true, Dependabot will only use this registry and will not fall back to the public registry. When set to false (default), Dependabot will use this registry for scoped packages but may fall back to the public registry for other packages.

Default: false

encrypted_value string

The value for your secret, encrypted with LibSodium using the public key retrieved from the Get private registries public key for an organization endpoint.

key_id string

The ID of the key you used to encrypt the secret.

visibility string

Which type of organization repositories have access to the private registry. selected means only the repositories specified by selected_repository_ids can access the private registry.

Can be one of: all, private, selected

selected_repository_ids array of integers

An array of repository IDs that can access the organization private registry. You can only provide a list of repository IDs when visibility is set to selected. This field should be omitted if visibility is set to all or private.

auth_type string

The authentication type for the private registry. This field cannot be changed after creation. If provided, it must match the existing auth_type of the configuration. To change the authentication type, delete and recreate the configuration.

Can be one of: token, username_password, oidc_azure, oidc_aws, oidc_jfrog, oidc_cloudsmith, oidc_gcp

tenant_id string

The tenant ID of the Azure AD application. Required when auth_type is oidc_azure.

client_id string

The client ID of the Azure AD application. Required when auth_type is oidc_azure.

aws_region string

The AWS region. Required when auth_type is oidc_aws.

account_id string

The AWS account ID. Required when auth_type is oidc_aws.

role_name string

The AWS IAM role name. Required when auth_type is oidc_aws.

domain string

The CodeArtifact domain. Required when auth_type is oidc_aws.

domain_owner string

The CodeArtifact domain owner (AWS account ID). Required when auth_type is oidc_aws.

jfrog_oidc_provider_name string

The JFrog OIDC provider name. Required when auth_type is oidc_jfrog.

audience string

The OIDC audience. Optional for oidc_aws, oidc_jfrog, and oidc_gcp, and required for oidc_cloudsmith auth types.

identity_mapping_name string

The JFrog identity mapping name. Optional for oidc_jfrog auth type.

namespace string

The Cloudsmith organization namespace. Required when auth_type is oidc_cloudsmith.

service_slug string

The Cloudsmith service account slug. Required when auth_type is oidc_cloudsmith.

api_host string

The Cloudsmith API host. Optional for oidc_cloudsmith auth type. If omitted, api.cloudsmith.io is used by default.

workload_identity_provider string

The full resource name of the GCP Workload Identity Provider (e.g. projects/<NUM>/locations/global/workloadIdentityPools/<POOL>/providers/<PROVIDER>). Required when auth_type is oidc_gcp.

service_account string

The GCP service account email to impersonate. Optional for oidc_gcp auth type. If omitted, the federated token is used directly (direct WIF).

HTTP response status codes for "Update a private registry for an organization"

Status codeDescription
204

No Content

404

Resource not found

422

Validation failed, or the endpoint has been spammed.

Delete a private registry for an organization

Delete a private registry configuration at the organization-level.

OAuth app tokens and personal access tokens (classic) need the admin:org scope to use this endpoint.

Fine-grained access tokens for "Delete a private registry for an organization"

This endpoint works with the following fine-grained token types:

The fine-grained token must have the following permission set:

  • "Organization private registries" organization permissions (write)

Parameters for "Delete a private registry for an organization"

Headers
accept string

Setting to application/vnd.github+json is recommended.

Path parameters
org string Required

The organization name. The name is not case sensitive.

secret_name string Required

The name of the secret.

HTTP response status codes for "Delete a private registry for an organization"

Status codeDescription
204

No Content

400

Bad Request

404

Resource not found

Code samples for "Delete a private registry for an organization"

Request example

delete/orgs/{org}/private-registries/{secret_name}
curl -L \ -X DELETE \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer <YOUR-TOKEN>" \ -H "X-GitHub-Api-Version: 2022-11-28" \ http(s)://HOSTNAME/api/v3/orgs/ORG/private-registries/SECRET_NAME

Response

Status: 204