Skip to main content
The REST API is now versioned. For more information, see "About API versioning."

REST API endpoints for Codespaces repository secrets

Use the REST API to manage secrets for repositories that the user has access to in a codespace.

Who can use this feature?

Users with write access to a repository can manage Codespaces repository secrets.

About Codespaces repository secrets

You can create, list, and delete secrets (such as access tokens for cloud services) for repositories that the user has access to. These secrets are made available to the codespace at runtime. For more information, see "Managing your account-specific secrets for GitHub Codespaces."

List repository secrets

Lists all development environment secrets available in a repository without revealing their encrypted values.

OAuth app tokens and personal access tokens (classic) need the repo scope to use this endpoint.

Fine-grained access tokens for "List repository secrets"

This endpoint works with the following fine-grained token types:

The fine-grained token must have the following permission set:

  • "Codespaces secrets" repository permissions (write)

Parameters for "List repository secrets"

Headers
Name, Type, Description
accept string

Setting to application/vnd.github+json is recommended.

Path parameters
Name, Type, Description
owner string Required

The account owner of the repository. The name is not case sensitive.

repo string Required

The name of the repository without the .git extension. The name is not case sensitive.

Query parameters
Name, Type, Description
per_page integer

The number of results per page (max 100). For more information, see "Using pagination in the REST API."

Default: 30

page integer

The page number of the results to fetch. For more information, see "Using pagination in the REST API."

Default: 1

HTTP response status codes for "List repository secrets"

Status codeDescription
200

OK

Code samples for "List repository secrets"

If you access GitHub at GHE.com, replace api.github.com with your enterprise's dedicated subdomain at api.SUBDOMAIN.ghe.com.

Request example

get/repos/{owner}/{repo}/codespaces/secrets
curl -L \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer <YOUR-TOKEN>" \ -H "X-GitHub-Api-Version: 2022-11-28" \ https://api.github.com/repos/OWNER/REPO/codespaces/secrets

Response

Status: 200
{ "total_count": 2, "secrets": [ { "name": "GH_TOKEN", "created_at": "2019-08-10T14:59:22Z", "updated_at": "2020-01-10T14:59:22Z", "visibility": "all" }, { "name": "GIST_ID", "created_at": "2020-01-10T10:59:22Z", "updated_at": "2020-01-11T11:59:22Z", "visibility": "all" } ] }

Get a repository public key

Gets your public key, which you need to encrypt secrets. You need to encrypt a secret before you can create or update secrets.

If the repository is private, OAuth app tokens and personal access tokens (classic) need the repo scope to use this endpoint.

Fine-grained access tokens for "Get a repository public key"

This endpoint works with the following fine-grained token types:

The fine-grained token must have the following permission set:

  • "Codespaces secrets" repository permissions (write)

Parameters for "Get a repository public key"

Headers
Name, Type, Description
accept string

Setting to application/vnd.github+json is recommended.

Path parameters
Name, Type, Description
owner string Required

The account owner of the repository. The name is not case sensitive.

repo string Required

The name of the repository without the .git extension. The name is not case sensitive.

HTTP response status codes for "Get a repository public key"

Status codeDescription
200

OK

Code samples for "Get a repository public key"

If you access GitHub at GHE.com, replace api.github.com with your enterprise's dedicated subdomain at api.SUBDOMAIN.ghe.com.

Request example

get/repos/{owner}/{repo}/codespaces/secrets/public-key
curl -L \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer <YOUR-TOKEN>" \ -H "X-GitHub-Api-Version: 2022-11-28" \ https://api.github.com/repos/OWNER/REPO/codespaces/secrets/public-key

Response

Status: 200
{ "key_id": "012345678912345678", "key": "2Sg8iYjAxxmI2LvUXpJjkYrMxURPc8r+dB7TJyvv1234" }

Get a repository secret

Gets a single repository development environment secret without revealing its encrypted value.

OAuth app tokens and personal access tokens (classic) need the repo scope to use this endpoint.

Fine-grained access tokens for "Get a repository secret"

This endpoint works with the following fine-grained token types:

The fine-grained token must have the following permission set:

  • "Codespaces secrets" repository permissions (write)

Parameters for "Get a repository secret"

Headers
Name, Type, Description
accept string

Setting to application/vnd.github+json is recommended.

Path parameters
Name, Type, Description
owner string Required

The account owner of the repository. The name is not case sensitive.

repo string Required

The name of the repository without the .git extension. The name is not case sensitive.

secret_name string Required

The name of the secret.

HTTP response status codes for "Get a repository secret"

Status codeDescription
200

OK

Code samples for "Get a repository secret"

If you access GitHub at GHE.com, replace api.github.com with your enterprise's dedicated subdomain at api.SUBDOMAIN.ghe.com.

Request example

get/repos/{owner}/{repo}/codespaces/secrets/{secret_name}
curl -L \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer <YOUR-TOKEN>" \ -H "X-GitHub-Api-Version: 2022-11-28" \ https://api.github.com/repos/OWNER/REPO/codespaces/secrets/SECRET_NAME

Response

Status: 200
{ "name": "GH_TOKEN", "created_at": "2019-08-10T14:59:22Z", "updated_at": "2020-01-10T14:59:22Z", "visibility": "all" }

Create or update a repository secret

Creates or updates a repository development environment secret with an encrypted value. Encrypt your secret using LibSodium. For more information, see "Encrypting secrets for the REST API."

OAuth app tokens and personal access tokens (classic) need the repo scope to use this endpoint.

Fine-grained access tokens for "Create or update a repository secret"

This endpoint works with the following fine-grained token types:

The fine-grained token must have the following permission set:

  • "Codespaces secrets" repository permissions (write)

Parameters for "Create or update a repository secret"

Headers
Name, Type, Description
accept string

Setting to application/vnd.github+json is recommended.

Path parameters
Name, Type, Description
owner string Required

The account owner of the repository. The name is not case sensitive.

repo string Required

The name of the repository without the .git extension. The name is not case sensitive.

secret_name string Required

The name of the secret.

Body parameters
Name, Type, Description
encrypted_value string

Value for your secret, encrypted with LibSodium using the public key retrieved from the Get a repository public key endpoint.

key_id string

ID of the key you used to encrypt the secret.

HTTP response status codes for "Create or update a repository secret"

Status codeDescription
201

Response when creating a secret

204

Response when updating a secret

Code samples for "Create or update a repository secret"

If you access GitHub at GHE.com, replace api.github.com with your enterprise's dedicated subdomain at api.SUBDOMAIN.ghe.com.

Request examples

put/repos/{owner}/{repo}/codespaces/secrets/{secret_name}
curl -L \ -X PUT \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer <YOUR-TOKEN>" \ -H "X-GitHub-Api-Version: 2022-11-28" \ https://api.github.com/repos/OWNER/REPO/codespaces/secrets/SECRET_NAME \ -d '{"encrypted_value":"c2VjcmV0","key_id":"012345678912345678"}'

Response when creating a secret

Delete a repository secret

Deletes a development environment secret in a repository using the secret name.

OAuth app tokens and personal access tokens (classic) need the repo scope to use this endpoint.

Fine-grained access tokens for "Delete a repository secret"

This endpoint works with the following fine-grained token types:

The fine-grained token must have the following permission set:

  • "Codespaces secrets" repository permissions (write)

Parameters for "Delete a repository secret"

Headers
Name, Type, Description
accept string

Setting to application/vnd.github+json is recommended.

Path parameters
Name, Type, Description
owner string Required

The account owner of the repository. The name is not case sensitive.

repo string Required

The name of the repository without the .git extension. The name is not case sensitive.

secret_name string Required

The name of the secret.

HTTP response status codes for "Delete a repository secret"

Status codeDescription
204

No Content

Code samples for "Delete a repository secret"

If you access GitHub at GHE.com, replace api.github.com with your enterprise's dedicated subdomain at api.SUBDOMAIN.ghe.com.

Request example

delete/repos/{owner}/{repo}/codespaces/secrets/{secret_name}
curl -L \ -X DELETE \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer <YOUR-TOKEN>" \ -H "X-GitHub-Api-Version: 2022-11-28" \ https://api.github.com/repos/OWNER/REPO/codespaces/secrets/SECRET_NAME

Response

Status: 204