Skip to main content
The REST API is now versioned. For more information, see "About API versioning."

REST API endpoints for enterprise credential authorizations

Use the REST API to manage enterprise credential authorizations.

Revoke all credential authorizations for an enterprise

Revokes all credential authorizations for all organizations within the enterprise. This includes any guest, outside, or repository collaborators.

For Enterprise Managed User (EMU) enterprises, you can optionally also destroy all credentials (PATs v1, PATs v2, and SSH keys) owned by enterprise members by setting the revoke_credentials parameter to true.

This operation is performed asynchronously. A background job will be queued to process the revocations.

Warning

If you use a personal access token to call this endpoint, that token may also be revoked or destroyed as part of this operation.

The authenticated user must be an enterprise owner or have the write_enterprise_credentials permission to use this endpoint.

OAuth app tokens and personal access tokens (classic) need the admin:enterprise scope to use this endpoint.

Fine-grained access tokens for "Revoke all credential authorizations for an enterprise"

This endpoint works with the following fine-grained token types:

The fine-grained token must have the following permission set:

  • "Enterprise credentials" enterprise permissions (write)

Parameters for "Revoke all credential authorizations for an enterprise"

Headers
Name, Type, Description
accept string

Setting to application/vnd.github+json is recommended.

Path parameters
Name, Type, Description
enterprise string Required

The slug version of the enterprise name.

Body parameters
Name, Type, Description
revoke_credentials boolean

Whether to also destroy the actual credentials (PATs and SSH keys) owned by enterprise members. This option is only available for Enterprise Managed User (EMU) enterprises. When set to true, all PATs (v1 and v2) and SSH keys owned by enterprise members will be destroyed in addition to the credential authorizations.

Default: false

HTTP response status codes for "Revoke all credential authorizations for an enterprise"

Status codeDescription
202

Accepted - The revocation request has been queued

403

Forbidden

404

Resource not found

422

Validation error - The revoke_credentials option is only available for EMU enterprises

Code samples for "Revoke all credential authorizations for an enterprise"

If you access GitHub at GHE.com, replace api.github.com with your enterprise's dedicated subdomain at api.SUBDOMAIN.ghe.com.

Request example

post/enterprises/{enterprise}/credential-authorizations/revoke-all
curl -L \ -X POST \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer <YOUR-TOKEN>" \ -H "X-GitHub-Api-Version: 2026-03-10" \ https://api.github.com/enterprises/ENTERPRISE/credential-authorizations/revoke-all \ -d '{"revoke_credentials":false}'

Accepted - The revocation request has been queued

Status: 202
{ "message": "Credential authorization revocation has been queued" }

Revoke credential authorizations for a user in an enterprise

Revokes all credential authorizations for a single user within the enterprise. This includes any credential authorizations the user has across all organizations in the enterprise.

For Enterprise Managed User (EMU) enterprises, you can optionally also destroy all credentials (PATs v1, PATs v2, and SSH keys) owned by the user by setting the revoke_credentials parameter to true.

This operation is performed asynchronously. A background job will be queued to process the revocations.

Warning

If you use a personal access token to call this endpoint and target yourself, that token may also be revoked or destroyed as part of this operation.

The authenticated user must be an enterprise owner or have the write_enterprise_credentials permission to use this endpoint.

OAuth app tokens and personal access tokens (classic) need the admin:enterprise scope to use this endpoint.

Fine-grained access tokens for "Revoke credential authorizations for a user in an enterprise"

This endpoint works with the following fine-grained token types:

The fine-grained token must have the following permission set:

  • "Enterprise credentials" enterprise permissions (write)

Parameters for "Revoke credential authorizations for a user in an enterprise"

Headers
Name, Type, Description
accept string

Setting to application/vnd.github+json is recommended.

Path parameters
Name, Type, Description
enterprise string Required

The slug version of the enterprise name.

username string Required

The handle for the GitHub user account.

Body parameters
Name, Type, Description
revoke_credentials boolean

Whether to also destroy the actual credentials (PATs and SSH keys) owned by the user. This option is only available for Enterprise Managed User (EMU) enterprises. When set to true, all PATs (v1 and v2) and SSH keys owned by the user will be destroyed in addition to the credential authorizations.

Default: false

HTTP response status codes for "Revoke credential authorizations for a user in an enterprise"

Status codeDescription
202

Accepted - The revocation request has been queued

403

Forbidden

404

Resource not found

422

Validation error - The target user cannot be revoked, or revoke_credentials is not available for this enterprise

Code samples for "Revoke credential authorizations for a user in an enterprise"

If you access GitHub at GHE.com, replace api.github.com with your enterprise's dedicated subdomain at api.SUBDOMAIN.ghe.com.

Request example

post/enterprises/{enterprise}/credential-authorizations/{username}/revoke
curl -L \ -X POST \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer <YOUR-TOKEN>" \ -H "X-GitHub-Api-Version: 2026-03-10" \ https://api.github.com/enterprises/ENTERPRISE/credential-authorizations/USERNAME/revoke \ -d '{"revoke_credentials":false}'

Accepted - The revocation request has been queued

Status: 202
{ "message": "Credential authorization revocation for user 'octocat' has been queued" }