{"meta":{"title":"REST API endpoints for GitHub Actions OIDC","intro":"Use the REST API to interact with JWTs for OIDC subject claims in GitHub Actions.","product":"REST API","breadcrumbs":[{"href":"/ja/rest","title":"REST API"},{"href":"/ja/rest/actions","title":"Actions"},{"href":"/ja/rest/actions/oidc","title":"OIDC"}],"documentType":"article"},"body":"# REST API endpoints for GitHub Actions OIDC\n\nUse the REST API to interact with JWTs for OIDC subject claims in GitHub Actions.\n\n## About GitHub Actions OIDC\n\nYou can use the REST API to query and manage a customization template for an OpenID Connect (OIDC) subject claim. For more information, see [OpenID Connect](/ja/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect).\n\n> \\[!NOTE]\n> Most endpoints use `Authorization: Bearer <YOUR-TOKEN>` and `Accept: application/vnd.github+json` headers, plus `X-GitHub-Api-Version: 2026-03-10`. Curl examples below omit these standard headers for brevity.\n\n## List OIDC custom property inclusions for an enterprise\n\n```\nGET /enterprises/{enterprise}/actions/oidc/customization/properties/repo\n```\n\nLists the repository custom properties that are included in the OIDC token for repository actions in an enterprise.\nOAuth app tokens and personal access tokens (classic) need the admin:enterprise scope to use this endpoint.\n\n### Parameters\n\n#### Headers\n\n* **`accept`** (string)\n  Setting to `application/vnd.github+json` is recommended.\n\n#### Path and query parameters\n\n* **`enterprise`** (string) (required)\n  The slug version of the enterprise name.\n\n### HTTP response status codes\n\n* **200** - A JSON array of OIDC custom property inclusions\n\n* **403** - Forbidden\n\n* **404** - Resource not found\n\n### Code examples\n\n#### Example\n\n**Request:**\n\n```curl\ncurl -L \\\n  -X GET \\\n  https://api.github.com/enterprises/ENTERPRISE/actions/oidc/customization/properties/repo\n```\n\n**Response schema (Status: 200):**\n\nArray of `Actions OIDC Custom Property Inclusion`:\n\n* `custom_property_name`: 
required, string\n* `inclusion_source`: required, string, enum: `organization`, `enterprise`\n\n## Create an OIDC custom property inclusion for an enterprise\n\n```\nPOST /enterprises/{enterprise}/actions/oidc/customization/properties/repo\n```\n\nAdds a repository custom property to be included in the OIDC token for repository actions in an enterprise.\nOAuth app tokens and personal access tokens (classic) need the admin:enterprise scope to use this endpoint.\n\n### Parameters\n\n#### Headers\n\n* **`accept`** (string)\n  Setting to `application/vnd.github+json` is recommended.\n\n#### Path and query parameters\n\n* **`enterprise`** (string) (required)\n  The slug version of the enterprise name.\n\n#### Body parameters\n\n* **`custom_property_name`** (string) (required)\n  The name of the custom property to include in the OIDC token\n\n### HTTP response status codes\n\n* **201** - OIDC custom property inclusion created\n\n* **400** - Invalid input\n\n* **403** - Forbidden\n\n* **422** - Property inclusion already exists\n\n### Code examples\n\n#### Example\n\n**Request:**\n\n```curl\ncurl -L \\\n  -X POST \\\n  https://api.github.com/enterprises/ENTERPRISE/actions/oidc/customization/properties/repo \\\n  -d '{\n  \"custom_property_name\": \"environment\"\n}'\n```\n\n**Response schema (Status: 201):**\n\n* `custom_property_name`: required, string\n* `inclusion_source`: required, string, enum: `organization`, `enterprise`\n\n## Delete an OIDC custom property inclusion for an enterprise\n\n```\nDELETE /enterprises/{enterprise}/actions/oidc/customization/properties/repo/{custom_property_name}\n```\n\nRemoves a repository custom property from being included in the OIDC token for repository actions in an enterprise.\nOAuth app tokens and personal access tokens (classic) need the admin:enterprise scope to use this endpoint.\n\n### Parameters\n\n#### Headers\n\n* **`accept`** (string)\n  Setting to `application/vnd.github+json` is recommended.\n\n#### Path and query 
parameters\n\n* **`enterprise`** (string) (required)\n  The slug version of the enterprise name.\n\n* **`custom_property_name`** (string) (required)\n  The name of the custom property to remove from OIDC token inclusion\n\n### HTTP response status codes\n\n* **204** - OIDC custom property inclusion deleted\n\n* **400** - Invalid input\n\n* **403** - Forbidden\n\n* **404** - Property inclusion not found\n\n### Code examples\n\n#### Example\n\n**Request:**\n\n```curl\ncurl -L \\\n  -X DELETE \\\n  https://api.github.com/enterprises/ENTERPRISE/actions/oidc/customization/properties/repo/CUSTOM_PROPERTY_NAME\n```\n\n**Response schema (Status: 204):**\n\n## List OIDC custom property inclusions for an organization\n\n```\nGET /orgs/{org}/actions/oidc/customization/properties/repo\n```\n\nLists the repository custom properties that are included in the OIDC token for repository actions in an organization.\nOAuth app tokens and personal access tokens (classic) need the read:org scope to use this endpoint.\n\n### Parameters\n\n#### Headers\n\n* **`accept`** (string)\n  Setting to `application/vnd.github+json` is recommended.\n\n#### Path and query parameters\n\n* **`org`** (string) (required)\n  The organization name. 
The name is not case sensitive.\n\n### HTTP response status codes\n\n* **200** - A JSON array of OIDC custom property inclusions\n\n* **403** - Forbidden\n\n* **404** - Resource not found\n\n### Code examples\n\n#### Example\n\n**Request:**\n\n```curl\ncurl -L \\\n  -X GET \\\n  https://api.github.com/orgs/ORG/actions/oidc/customization/properties/repo\n```\n\n**Response schema (Status: 200):**\n\nSame response schema as [List OIDC custom property inclusions for an enterprise](#list-oidc-custom-property-inclusions-for-an-enterprise).\n\n## Create an OIDC custom property inclusion for an organization\n\n```\nPOST /orgs/{org}/actions/oidc/customization/properties/repo\n```\n\nAdds a repository custom property to be included in the OIDC token for repository actions in an organization.\nOAuth app tokens and personal access tokens (classic) need the admin:org scope to use this endpoint.\n\n### Parameters\n\n#### Headers\n\n* **`accept`** (string)\n  Setting to `application/vnd.github+json` is recommended.\n\n#### Path and query parameters\n\n* **`org`** (string) (required)\n  The organization name. 
The name is not case sensitive.\n\n#### Body parameters\n\n* **`custom_property_name`** (string) (required)\n  The name of the custom property to include in the OIDC token\n\n### HTTP response status codes\n\n* **201** - OIDC custom property inclusion created\n\n* **400** - Invalid input\n\n* **403** - Forbidden\n\n* **422** - Property inclusion already exists\n\n### Code examples\n\n#### Example\n\n**Request:**\n\n```curl\ncurl -L \\\n  -X POST \\\n  https://api.github.com/orgs/ORG/actions/oidc/customization/properties/repo \\\n  -d '{\n  \"custom_property_name\": \"environment\"\n}'\n```\n\n**Response schema (Status: 201):**\n\nSame response schema as [Create an OIDC custom property inclusion for an enterprise](#create-an-oidc-custom-property-inclusion-for-an-enterprise).\n\n## Delete an OIDC custom property inclusion for an organization\n\n```\nDELETE /orgs/{org}/actions/oidc/customization/properties/repo/{custom_property_name}\n```\n\nRemoves a repository custom property from being included in the OIDC token for repository actions in an organization.\nOAuth app tokens and personal access tokens (classic) need the admin:org scope to use this endpoint.\n\n### Parameters\n\n#### Headers\n\n* **`accept`** (string)\n  Setting to `application/vnd.github+json` is recommended.\n\n#### Path and query parameters\n\n* **`org`** (string) (required)\n  The organization name. 
The name is not case sensitive.\n\n* **`custom_property_name`** (string) (required)\n  The name of the custom property to remove from OIDC token inclusion\n\n### HTTP response status codes\n\n* **204** - OIDC custom property inclusion deleted\n\n* **400** - Invalid input\n\n* **403** - Forbidden\n\n* **404** - Property inclusion not found\n\n### Code examples\n\n#### Example\n\n**Request:**\n\n```curl\ncurl -L \\\n  -X DELETE \\\n  https://api.github.com/orgs/ORG/actions/oidc/customization/properties/repo/CUSTOM_PROPERTY_NAME\n```\n\n**Response schema (Status: 204):**\n\n## Get the customization template for an OIDC subject claim for an organization\n\n```\nGET /orgs/{org}/actions/oidc/customization/sub\n```\n\nGets the customization template for an OpenID Connect (OIDC) subject claim.\nOAuth app tokens and personal access tokens (classic) need the read:org scope to use this endpoint.\n\n### Parameters\n\n#### Headers\n\n* **`accept`** (string)\n  Setting to `application/vnd.github+json` is recommended.\n\n#### Path and query parameters\n\n* **`org`** (string) (required)\n  The organization name. 
The name is not case sensitive.\n\n### HTTP response status codes\n\n* **200** - A JSON serialized template for OIDC subject claim customization\n\n### Code examples\n\n#### Example\n\n**Request:**\n\n```curl\ncurl -L \\\n  -X GET \\\n  https://api.github.com/orgs/ORG/actions/oidc/customization/sub\n```\n\n**Response schema (Status: 200):**\n\n* `include_claim_keys`: required, array of string\n* `use_immutable_subject`: boolean\n\n## Set the customization template for an OIDC subject claim for an organization\n\n```\nPUT /orgs/{org}/actions/oidc/customization/sub\n```\n\nCreates or updates the customization template for an OpenID Connect (OIDC) subject claim.\nOAuth app tokens and personal access tokens (classic) need the write:org scope to use this endpoint.\n\n### Parameters\n\n#### Headers\n\n* **`accept`** (string)\n  Setting to `application/vnd.github+json` is recommended.\n\n#### Path and query parameters\n\n* **`org`** (string) (required)\n  The organization name. The name is not case sensitive.\n\n#### Body parameters\n\n* **`include_claim_keys`** (array of strings)\n  Array of unique strings. Each claim key can only contain alphanumeric characters and underscores.\n\n* **`use_immutable_subject`** (boolean)\n  Whether to opt in to the immutable OIDC subject claim format for the organization. 
When true, new OIDC tokens will use a stable, repository-ID-based sub claim instead of the name-based format.\n\n### HTTP response status codes\n\n* **201** - Empty response\n\n* **403** - Forbidden\n\n* **404** - Resource not found\n\n### Code examples\n\n#### Example\n\n**Request:**\n\n```curl\ncurl -L \\\n  -X PUT \\\n  https://api.github.com/orgs/ORG/actions/oidc/customization/sub \\\n  -d '{\n  \"include_claim_keys\": [\n    \"repo\",\n    \"context\"\n  ]\n}'\n```\n\n**Response schema (Status: 201):**\n\n## Get the customization template for an OIDC subject claim for a repository\n\n```\nGET /repos/{owner}/{repo}/actions/oidc/customization/sub\n```\n\nGets the customization template for an OpenID Connect (OIDC) subject claim.\nOAuth tokens and personal access tokens (classic) need the repo scope to use this endpoint.\n\n### Parameters\n\n#### Headers\n\n* **`accept`** (string)\n  Setting to `application/vnd.github+json` is recommended.\n\n#### Path and query parameters\n\n* **`owner`** (string) (required)\n  The account owner of the repository. The name is not case sensitive.\n\n* **`repo`** (string) (required)\n  The name of the repository without the .git extension. 
The name is not case sensitive.\n\n### HTTP response status codes\n\n* **200** - Status response\n\n* **400** - Bad Request\n\n* **404** - Resource not found\n\n### Code examples\n\n#### Example\n\n**Request:**\n\n```curl\ncurl -L \\\n  -X GET \\\n  https://api.github.com/repos/OWNER/REPO/actions/oidc/customization/sub\n```\n\n**Response schema (Status: 200):**\n\n* `use_default`: required, boolean\n* `include_claim_keys`: array of string\n* `use_immutable_subject`: boolean\n* `sub_claim_prefix`: string\n\n## Set the customization template for an OIDC subject claim for a repository\n\n```\nPUT /repos/{owner}/{repo}/actions/oidc/customization/sub\n```\n\nSets the customization template and opt-in or opt-out flag for an OpenID Connect (OIDC) subject claim for a repository.\nOAuth app tokens and personal access tokens (classic) need the repo scope to use this endpoint.\n\n### Parameters\n\n#### Headers\n\n* **`accept`** (string)\n  Setting to `application/vnd.github+json` is recommended.\n\n#### Path and query parameters\n\n* **`owner`** (string) (required)\n  The account owner of the repository. The name is not case sensitive.\n\n* **`repo`** (string) (required)\n  The name of the repository without the .git extension. The name is not case sensitive.\n\n#### Body parameters\n\n* **`use_default`** (boolean) (required)\n  Whether to use the default template or not. If true, the include\\_claim\\_keys field is ignored.\n\n* **`include_claim_keys`** (array of strings)\n  Array of unique strings. Each claim key can only contain alphanumeric characters and underscores.\n\n* **`use_immutable_subject`** (boolean)\n  Whether to opt in to the immutable OIDC subject claim format for this repository. 
When true, OIDC tokens will use a stable, repository-ID-based sub claim.\n\n### HTTP response status codes\n\n* **201** - Empty response\n\n* **400** - Bad Request\n\n* **404** - Resource not found\n\n* **422** - Validation failed, or the endpoint has been spammed.\n\n### Code examples\n\n#### Example\n\n**Request:**\n\n```curl\ncurl -L \\\n  -X PUT \\\n  https://api.github.com/repos/OWNER/REPO/actions/oidc/customization/sub \\\n  -d '{\n  \"use_default\": false,\n  \"include_claim_keys\": [\n    \"repo\",\n    \"context\"\n  ]\n}'\n```\n\n**Response schema (Status: 201):**"}