This version of GitHub Enterprise Server was discontinued on 2024-09-25. No patch releases will be made, even for critical security issues. For better performance, improved security, and new features, upgrade to the latest version of GitHub Enterprise Server. For help with the upgrade, contact GitHub Enterprise support.
REST API endpoints for collaborators
Use the REST API to manage collaborators for a repository.
List repository collaborators
For organization-owned repositories, the list of collaborators includes outside collaborators, organization members that are direct collaborators, organization members with access through team memberships, organization members with access through default organization permissions, and organization owners. Organization members with write, maintain, or admin privileges on the organization-owned repository can use this endpoint.
Team members will include the members of child teams.
The authenticated user must have push access to the repository to use this endpoint.
OAuth app tokens and personal access tokens (classic) need the read:org
and repo
scopes to use this endpoint.
Fine-grained access tokens for "List repository collaborators"
This endpoint works with the following fine-grained token types:
- GitHub App user access tokens
- GitHub App installation access tokens
- Fine-grained personal access tokens
The fine-grained token must have the following permission set:
- "Metadata" repository permissions (read)
Parameters for "List repository collaborators"
Name, Type, Description |
---|
accept string Setting to |
Name, Type, Description |
---|
owner string RequiredThe account owner of the repository. The name is not case sensitive. |
repo string RequiredThe name of the repository without the |
Name, Type, Description |
---|
affiliation string Filter collaborators returned by their affiliation. Default: Can be one of: |
permission string Filter collaborators by the permissions they have on the repository. If not specified, all collaborators will be returned. Can be one of: |
per_page integer The number of results per page (max 100). For more information, see "Using pagination in the REST API." Default: |
page integer The page number of the results to fetch. For more information, see "Using pagination in the REST API." Default: |
HTTP response status codes for "List repository collaborators"
Status code | Description |
---|---|
200 | OK |
404 | Resource not found |
Code samples for "List repository collaborators"
Request example
curl -L \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
-H "X-GitHub-Api-Version: 2022-11-28" \
http(s)://HOSTNAME/api/v3/repos/OWNER/REPO/collaborators
Response
Status: 200
[
{
"login": "octocat",
"id": 1,
"node_id": "MDQ6VXNlcjE=",
"avatar_url": "https://github.com/images/error/octocat_happy.gif",
"gravatar_id": "",
"url": "https://HOSTNAME/users/octocat",
"html_url": "https://github.com/octocat",
"followers_url": "https://HOSTNAME/users/octocat/followers",
"following_url": "https://HOSTNAME/users/octocat/following{/other_user}",
"gists_url": "https://HOSTNAME/users/octocat/gists{/gist_id}",
"starred_url": "https://HOSTNAME/users/octocat/starred{/owner}{/repo}",
"subscriptions_url": "https://HOSTNAME/users/octocat/subscriptions",
"organizations_url": "https://HOSTNAME/users/octocat/orgs",
"repos_url": "https://HOSTNAME/users/octocat/repos",
"events_url": "https://HOSTNAME/users/octocat/events{/privacy}",
"received_events_url": "https://HOSTNAME/users/octocat/received_events",
"type": "User",
"site_admin": false,
"permissions": {
"pull": true,
"triage": true,
"push": true,
"maintain": false,
"admin": false
},
"role_name": "write"
}
]
Check if a user is a repository collaborator
For organization-owned repositories, the list of collaborators includes outside collaborators, organization members that are direct collaborators, organization members with access through team memberships, organization members with access through default organization permissions, and organization owners.
Team members will include the members of child teams.
The authenticated user must have push access to the repository to use this endpoint.
OAuth app tokens and personal access tokens (classic) need the read:org
and repo
scopes to use this endpoint.
Fine-grained access tokens for "Check if a user is a repository collaborator"
This endpoint works with the following fine-grained token types:
- GitHub App user access tokens
- GitHub App installation access tokens
- Fine-grained personal access tokens
The fine-grained token must have the following permission set:
- "Metadata" repository permissions (read)
Parameters for "Check if a user is a repository collaborator"
Name, Type, Description |
---|
accept string Setting to |
Name, Type, Description |
---|
owner string RequiredThe account owner of the repository. The name is not case sensitive. |
repo string RequiredThe name of the repository without the |
username string RequiredThe handle for the GitHub user account. |
HTTP response status codes for "Check if a user is a repository collaborator"
Status code | Description |
---|---|
204 | Response if user is a collaborator |
404 | Not Found if user is not a collaborator |
Code samples for "Check if a user is a repository collaborator"
Request example
curl -L \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
-H "X-GitHub-Api-Version: 2022-11-28" \
http(s)://HOSTNAME/api/v3/repos/OWNER/REPO/collaborators/USERNAME
Response if user is a collaborator
Status: 204
Add a repository collaborator
This endpoint triggers notifications. Creating content too quickly using this endpoint may result in secondary rate limiting. For more information, see "Rate limits for the API" and "Best practices for using the REST API."
Adding an outside collaborator may be restricted by enterprise administrators. For more information, see "Enforcing repository management policies in your enterprise."
For more information on permission levels, see "Repository permission levels for an organization". There are restrictions on which permissions can be granted to organization members when an organization base role is in place. In this case, the permission being given must be equal to or higher than the org base permission. Otherwise, the request will fail with:
Cannot assign {member} permission of {role name}
Note that, if you choose not to pass any parameters, you'll need to set Content-Length
to zero when calling out to this endpoint. For more information, see "HTTP method."
Updating an existing collaborator's permission level
The endpoint can also be used to change the permissions of an existing collaborator without first removing and re-adding the collaborator. To change the permissions, use the same endpoint and pass a different permission
parameter. The response will be a 204
, with no other indication that the permission level changed.
Fine-grained access tokens for "Add a repository collaborator"
This endpoint works with the following fine-grained token types:
- GitHub App user access tokens
- GitHub App installation access tokens
- Fine-grained personal access tokens
The fine-grained token must have the following permission set:
- "Administration" repository permissions (write)
Parameters for "Add a repository collaborator"
Name, Type, Description |
---|
accept string Setting to |
Name, Type, Description |
---|
owner string RequiredThe account owner of the repository. The name is not case sensitive. |
repo string RequiredThe name of the repository without the |
username string RequiredThe handle for the GitHub user account. |
Name, Type, Description |
---|
permission string The permission to grant the collaborator. Only valid on organization-owned repositories. Default: |
HTTP response status codes for "Add a repository collaborator"
Status code | Description |
---|---|
204 | Response when:
|
403 | Forbidden |
422 | Validation failed, or the endpoint has been spammed. |
Code samples for "Add a repository collaborator"
Request example
curl -L \
-X PUT \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
-H "X-GitHub-Api-Version: 2022-11-28" \
http(s)://HOSTNAME/api/v3/repos/OWNER/REPO/collaborators/USERNAME \
-d '{"permission":"triage"}'
Response when:
- an existing collaborator is added as a collaborator
- an organization member is added as an individual collaborator
- an existing team member (whose team is also a repository collaborator) is added as an individual collaborator
Status: 204
Remove a repository collaborator
Removes a collaborator from a repository.
To use this endpoint, the authenticated user must either be an administrator of the repository or target themselves for removal.
This endpoint also:
- Cancels any outstanding invitations
- Unasigns the user from any issues
- Removes access to organization projects if the user is not an organization member and is not a collaborator on any other organization repositories.
- Unstars the repository
- Updates access permissions to packages
Removing a user as a collaborator has the following effects on forks:
- If the user had access to a fork through their membership to this repository, the user will also be removed from the fork.
- If the user had their own fork of the repository, the fork will be deleted.
- If the user still has read access to the repository, open pull requests by this user from a fork will be denied.
Note
A user can still have access to the repository through organization permissions like base repository permissions.
Although the API responds immediately, the additional permission updates might take some extra time to complete in the background.
For more information on fork permissions, see "About permissions and visibility of forks".
Fine-grained access tokens for "Remove a repository collaborator"
This endpoint works with the following fine-grained token types:
- GitHub App user access tokens
- GitHub App installation access tokens
- Fine-grained personal access tokens
The fine-grained token must have the following permission set:
- "Administration" repository permissions (write)
Parameters for "Remove a repository collaborator"
Name, Type, Description |
---|
accept string Setting to |
Name, Type, Description |
---|
owner string RequiredThe account owner of the repository. The name is not case sensitive. |
repo string RequiredThe name of the repository without the |
username string RequiredThe handle for the GitHub user account. |
HTTP response status codes for "Remove a repository collaborator"
Status code | Description |
---|---|
204 | No Content when collaborator was removed from the repository. |
403 | Forbidden |
422 | Validation failed, or the endpoint has been spammed. |
Code samples for "Remove a repository collaborator"
Request example
curl -L \
-X DELETE \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
-H "X-GitHub-Api-Version: 2022-11-28" \
http(s)://HOSTNAME/api/v3/repos/OWNER/REPO/collaborators/USERNAME
No Content when collaborator was removed from the repository.
Status: 204
Get repository permissions for a user
Checks the repository permission of a collaborator. The possible repository
permissions are admin
, write
, read
, and none
.
Note: The permission
attribute provides the legacy base roles of admin
, write
, read
, and none
, where the
maintain
role is mapped to write
and the triage
role is mapped to read
. To determine the role assigned to the
collaborator, see the role_name
attribute, which will provide the full role name, including custom roles. The
permissions
hash can also be used to determine which base level of access the collaborator has to the repository.
Fine-grained access tokens for "Get repository permissions for a user"
This endpoint works with the following fine-grained token types:
- GitHub App user access tokens
- GitHub App installation access tokens
- Fine-grained personal access tokens
The fine-grained token must have the following permission set:
- "Metadata" repository permissions (read)
Parameters for "Get repository permissions for a user"
Name, Type, Description |
---|
accept string Setting to |
Name, Type, Description |
---|
owner string RequiredThe account owner of the repository. The name is not case sensitive. |
repo string RequiredThe name of the repository without the |
username string RequiredThe handle for the GitHub user account. |
HTTP response status codes for "Get repository permissions for a user"
Status code | Description |
---|---|
200 | if user has admin permissions |
404 | Resource not found |
Code samples for "Get repository permissions for a user"
Request example
curl -L \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
-H "X-GitHub-Api-Version: 2022-11-28" \
http(s)://HOSTNAME/api/v3/repos/OWNER/REPO/collaborators/USERNAME/permission
if user has admin permissions
Status: 200
{
"permission": "admin",
"role_name": "admin",
"user": {
"login": "octocat",
"id": 1,
"node_id": "MDQ6VXNlcjE=",
"avatar_url": "https://github.com/images/error/octocat_happy.gif",
"gravatar_id": "",
"url": "https://HOSTNAME/users/octocat",
"html_url": "https://github.com/octocat",
"followers_url": "https://HOSTNAME/users/octocat/followers",
"following_url": "https://HOSTNAME/users/octocat/following{/other_user}",
"gists_url": "https://HOSTNAME/users/octocat/gists{/gist_id}",
"starred_url": "https://HOSTNAME/users/octocat/starred{/owner}{/repo}",
"subscriptions_url": "https://HOSTNAME/users/octocat/subscriptions",
"organizations_url": "https://HOSTNAME/users/octocat/orgs",
"repos_url": "https://HOSTNAME/users/octocat/repos",
"events_url": "https://HOSTNAME/users/octocat/events{/privacy}",
"received_events_url": "https://HOSTNAME/users/octocat/received_events",
"type": "User",
"site_admin": false
}
}