About GitHub App permissions
GitHub Apps are created with a set of permissions. Permissions define what resources the GitHub App can access via the API. For more information, see "Choosing permissions for a GitHub App."
These permissions are required to access private resources with the following endpoints. Some endpoints can also be used to access public resources without these permissions.
Some endpoints require additional permissions. When this is the case, the "Additional permissions" column will indicate the other permissions that are required to use the endpoint. Some endpoints that require write access to the repository "Contents" permission also require write access to the repository "Workflows" permission if the request will affect workflow files. In these cases, the repository "Workflows" permission is indicated as an additional permission even though it is not always required to use the endpoint.
Business permissions for "Enterprise administration"
Organization permissions for "Administration"
Organization permissions for "Custom repository roles"
Endpoint | Access | Token types | Additional permissions |
---|---|---|---|
GET /organizations/{organization_id}/custom_roles | read | UAT IAT | ✖️ |
Organization permissions for "Events"
Endpoint | Access | Token types | Additional permissions |
---|---|---|---|
GET /users/{username}/events/orgs/{org} | read | UAT | ✖️ |
Organization permissions for "Members"
Organization permissions for "Organization dependabot secrets"
Organization permissions for "Pre-receive hooks"
Endpoint | Access | Token types | Additional permissions |
---|---|---|---|
DELETE /orgs/{org}/pre-receive-hooks/{pre_receive_hook_id} | write | UAT IAT | ✖️ |
GET /orgs/{org}/pre-receive-hooks | read | UAT IAT | ✖️ |
GET /orgs/{org}/pre-receive-hooks/{pre_receive_hook_id} | read | UAT IAT | ✖️ |
Organization permissions for "Projects"
Organization permissions for "Secrets"
Organization permissions for "Self-hosted runners"
Organization permissions for "Team discussions"
Endpoint | Access | Token types | Additional permissions |
---|---|---|---|
DELETE /orgs/{org}/teams/{team_slug}/discussions/{discussion_number}/comments/{comment_number}/reactions/{reaction_id} | write | UAT IAT | ✖️ |
DELETE /orgs/{org}/teams/{team_slug}/discussions/{discussion_number}/reactions/{reaction_id} | write | UAT IAT | ✖️ |
Organization permissions for "Webhooks"
Repository permissions for "Actions"
Repository permissions for "Administration"
Repository permissions for "Checks"
Repository permissions for "Code scanning alerts"
Repository permissions for "Commit statuses"
Endpoint | Access | Token types | Additional permissions |
---|---|---|---|
POST /repos/{owner}/{repo}/statuses/{sha} | write | UAT IAT | ✖️ |
GET /repos/{owner}/{repo}/commits/{ref}/status | read | UAT IAT | ✖️ |
GET /repos/{owner}/{repo}/commits/{ref}/statuses | read | UAT IAT | ✖️ |
Repository permissions for "Contents"
Repository permissions for "Dependabot secrets"
Endpoint | Access | Token types | Additional permissions |
---|---|---|---|
PUT /repos/{owner}/{repo}/dependabot/secrets/{secret_name} | write | UAT IAT | ✖️ |
DELETE /repos/{owner}/{repo}/dependabot/secrets/{secret_name} | write | UAT IAT | ✖️ |
GET /repos/{owner}/{repo}/dependabot/secrets | read | UAT IAT | ✖️ |
GET /repos/{owner}/{repo}/dependabot/secrets/public-key | read | UAT IAT | ✖️ |
GET /repos/{owner}/{repo}/dependabot/secrets/{secret_name} | read | UAT IAT | ✖️ |
Repository permissions for "Deployments"
Repository permissions for "Environments"
Repository permissions for "Issues"
Repository permissions for "Metadata"
Repository permissions for "Pages"
Endpoint | Access | Token types | Additional permissions |
---|---|---|---|
POST /repos/{owner}/{repo}/pages | write | UAT IAT | |
PUT /repos/{owner}/{repo}/pages | write | UAT IAT | |
DELETE /repos/{owner}/{repo}/pages | write | UAT IAT | |
POST /repos/{owner}/{repo}/pages/builds | write | UAT IAT | ✖️ |
POST /repos/{owner}/{repo}/pages/deployment | write | UAT IAT | ✖️ |
GET /repos/{owner}/{repo}/pages | read | UAT IAT | ✖️ |
GET /repos/{owner}/{repo}/pages/builds | read | UAT IAT | ✖️ |
GET /repos/{owner}/{repo}/pages/builds/latest | read | UAT IAT | ✖️ |
GET /repos/{owner}/{repo}/pages/builds/{build_id} | read | UAT IAT | ✖️ |
Repository permissions for "Pre-receive hooks"
Endpoint | Access | Token types | Additional permissions |
---|---|---|---|
DELETE /repos/{owner}/{repo}/pre-receive-hooks/{pre_receive_hook_id} | write | UAT IAT | ✖️ |
GET /repos/{owner}/{repo}/pre-receive-hooks | read | UAT IAT | ✖️ |
GET /repos/{owner}/{repo}/pre-receive-hooks/{pre_receive_hook_id} | read | UAT IAT | ✖️ |
Repository permissions for "Projects"
Repository permissions for "Pull requests"
Repository permissions for "Secret scanning alerts"
Repository permissions for "Secrets"
Repository permissions for "Webhooks"
Repository permissions for "Workflows"
Endpoint | Access | Token types | Additional permissions |
---|---|---|---|
POST /repos/{owner}/{repo}/git/refs | write | UAT IAT | |
PATCH /repos/{owner}/{repo}/git/refs/{ref} | write | UAT IAT | |
POST /repos/{owner}/{repo}/releases | write | UAT IAT |
User permissions for "Email addresses"
Endpoint | Access | Token types | Additional permissions |
---|---|---|---|
POST /user/emails | write | UAT | ✖️ |
DELETE /user/emails | write | UAT | ✖️ |
GET /user/emails | read | UAT | ✖️ |
GET /user/public_emails | read | UAT | ✖️ |
User permissions for "Followers"
Endpoint | Access | Token types | Additional permissions |
---|---|---|---|
PUT /user/following/{username} | write | UAT | ✖️ |
DELETE /user/following/{username} | write | UAT | ✖️ |
GET /user/followers | read | UAT | ✖️ |
GET /user/following | read | UAT | ✖️ |
GET /user/following/{username} | read | UAT | ✖️ |
User permissions for "GPG keys"
Endpoint | Access | Token types | Additional permissions |
---|---|---|---|
POST /user/gpg_keys | write | UAT | ✖️ |
DELETE /user/gpg_keys/{gpg_key_id} | write | UAT | ✖️ |
GET /user/gpg_keys | read | UAT | ✖️ |
GET /user/gpg_keys/{gpg_key_id} | read | UAT | ✖️ |
User permissions for "Gists"
Endpoint | Access | Token types | Additional permissions |
---|---|---|---|
POST /gists | write | UAT | |
PATCH /gists/{gist_id} | write | UAT | |
DELETE /gists/{gist_id} | write | UAT | |
POST /gists/{gist_id}/comments | write | UAT | |
PATCH /gists/{gist_id}/comments/{comment_id} | write | UAT | |
DELETE /gists/{gist_id}/comments/{comment_id} | write | UAT | |
POST /gists/{gist_id}/forks | write | UAT | |
PUT /gists/{gist_id}/star | write | UAT | |
DELETE /gists/{gist_id}/star | write | UAT |
User permissions for "Git SSH keys"
Endpoint | Access | Token types | Additional permissions |
---|---|---|---|
POST /user/keys | write | UAT | ✖️ |
DELETE /user/keys/{key_id} | write | UAT | ✖️ |
GET /user/keys | read | UAT | ✖️ |
GET /user/keys/{key_id} | read | UAT | ✖️ |
GET /users/{username}/keys | read | UAT IAT | ✖️ |
User permissions for "Notifications"
Endpoint | Access | Token types | Additional permissions |
---|---|---|---|
GET /notifications | read | UAT |
User permissions for "Profile"
Endpoint | Access | Token types | Additional permissions |
---|---|---|---|
PATCH /user | write | UAT | ✖️ |
User permissions for "SSH signing keys"
Endpoint | Access | Token types | Additional permissions |
---|---|---|---|
POST /user/ssh_signing_keys | write | UAT | ✖️ |
DELETE /user/ssh_signing_keys/{ssh_signing_key_id} | write | UAT | ✖️ |
GET /user/ssh_signing_keys | read | UAT | ✖️ |
GET /user/ssh_signing_keys/{ssh_signing_key_id} | read | UAT | ✖️ |
User permissions for "Starring"
Endpoint | Access | Token types | Additional permissions |
---|---|---|---|
PUT /user/starred/{owner}/{repo} | write | UAT | ✖️ |
DELETE /user/starred/{owner}/{repo} | write | UAT | ✖️ |
GET /user/starred | read | UAT | ✖️ |
GET /user/starred/{owner}/{repo} | read | UAT | ✖️ |
GET /users/{username}/starred | read | UAT IAT | ✖️ |
User permissions for "Watching"
Endpoint | Access | Token types | Additional permissions |
---|---|---|---|
GET /user/subscriptions | read | UAT | ✖️ |
GET /users/{username}/subscriptions | read | UAT IAT | ✖️ |