REST API endpoints for Codespaces repository secrets

About Codespaces repository secrets

You can create, list, and delete secrets (such as access tokens for cloud services) for repositories that the user has access to. These secrets are made available to the codespace at runtime. For more information, see Managing your account-specific secrets for GitHub Codespaces.

List repository secrets

Lists all development environment secrets available in a repository without revealing their encrypted values.

OAuth app tokens and personal access tokens (classic) need the repo scope to use this endpoint.

fine_grained_access

works_with_fine_grained_tokens:

permission_set:

"Codespaces secrets" repository permissions (write)

Parameters for "List repository secrets"

Headers
Name, Type, Description
`accept` string Setting to `application/vnd.github+json` is recommended.

Path parameters
Name, Type, Description
`owner` string Required The account owner of the repository. The name is not case sensitive.
`repo` string Required The name of the repository without the `.git` extension. The name is not case sensitive.

Query parameters
Name, Type, Description
`per_page` integer The number of results per page (max 100). For more information, see "Using pagination in the REST API." Default: `30`
`page` integer The page number of the results to fetch. For more information, see "Using pagination in the REST API." Default: `1`

http_status_code

status_code	Description
`200`	OK

code_samples

request_example

get/repos/{owner}/{repo}/codespaces/secrets

curl -L \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2026-03-10" \
  https://api.github.com/repos/OWNER/REPO/codespaces/secrets

Response

Status: 200

{
  "total_count": 2,
  "secrets": [
    {
      "name": "GH_TOKEN",
      "created_at": "2019-08-10T14:59:22Z",
      "updated_at": "2020-01-10T14:59:22Z",
      "visibility": "all"
    },
    {
      "name": "GIST_ID",
      "created_at": "2020-01-10T10:59:22Z",
      "updated_at": "2020-01-11T11:59:22Z",
      "visibility": "all"
    }
  ]
}

Get a repository public key

Gets your public key, which you need to encrypt secrets. You need to encrypt a secret before you can create or update secrets.

If the repository is private, OAuth app tokens and personal access tokens (classic) need the repo scope to use this endpoint.

fine_grained_access

works_with_fine_grained_tokens:

permission_set:

"Codespaces secrets" repository permissions (write)

Parameters for "Get a repository public key"

Headers
Name, Type, Description
`accept` string Setting to `application/vnd.github+json` is recommended.

Path parameters
Name, Type, Description
`owner` string Required The account owner of the repository. The name is not case sensitive.
`repo` string Required The name of the repository without the `.git` extension. The name is not case sensitive.

http_status_code

status_code	Description
`200`	OK

code_samples

request_example

get/repos/{owner}/{repo}/codespaces/secrets/public-key

curl -L \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2026-03-10" \
  https://api.github.com/repos/OWNER/REPO/codespaces/secrets/public-key

Response

Status: 200

{
  "key_id": "012345678912345678",
  "key": "2Sg8iYjAxxmI2LvUXpJjkYrMxURPc8r+dB7TJyvv1234"
}

Get a repository secret

Gets a single repository development environment secret without revealing its encrypted value.

OAuth app tokens and personal access tokens (classic) need the repo scope to use this endpoint.

fine_grained_access

works_with_fine_grained_tokens:

permission_set:

"Codespaces secrets" repository permissions (write)

Parameters for "Get a repository secret"

Headers
Name, Type, Description
`accept` string Setting to `application/vnd.github+json` is recommended.

Path parameters
Name, Type, Description
`owner` string Required The account owner of the repository. The name is not case sensitive.
`repo` string Required The name of the repository without the `.git` extension. The name is not case sensitive.
`secret_name` string Required The name of the secret.

http_status_code

status_code	Description
`200`	OK

code_samples

request_example

get/repos/{owner}/{repo}/codespaces/secrets/{secret_name}

curl -L \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2026-03-10" \
  https://api.github.com/repos/OWNER/REPO/codespaces/secrets/SECRET_NAME

Response

Status: 200

{
  "name": "GH_TOKEN",
  "created_at": "2019-08-10T14:59:22Z",
  "updated_at": "2020-01-10T14:59:22Z",
  "visibility": "all"
}

Create or update a repository secret

Creates or updates a repository development environment secret with an encrypted value. Encrypt your secret using LibSodium. For more information, see "Encrypting secrets for the REST API."

OAuth app tokens and personal access tokens (classic) need the repo scope to use this endpoint. The associated user must be a repository admin.

fine_grained_access

works_with_fine_grained_tokens:

permission_set:

"Codespaces secrets" repository permissions (write)

Parameters for "Create or update a repository secret"

Headers
Name, Type, Description
`accept` string Setting to `application/vnd.github+json` is recommended.

Path parameters
Name, Type, Description
`owner` string Required The account owner of the repository. The name is not case sensitive.
`repo` string Required The name of the repository without the `.git` extension. The name is not case sensitive.
`secret_name` string Required The name of the secret.

Body parameters
Name, Type, Description
`encrypted_value` string Value for your secret, encrypted with LibSodium using the public key retrieved from the Get a repository public key endpoint.
`key_id` string ID of the key you used to encrypt the secret.

http_status_code

status_code	Description
`201`	Response when creating a secret
`204`	Response when updating a secret

code_samples

request_examples

Select the example type

put/repos/{owner}/{repo}/codespaces/secrets/{secret_name}

curl -L \
  -X PUT \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2026-03-10" \
  https://api.github.com/repos/OWNER/REPO/codespaces/secrets/SECRET_NAME \
  -d '{"encrypted_value":"c2VjcmV0","key_id":"012345678912345678"}'

Response when creating a secret

Status: 201

Delete a repository secret

Deletes a development environment secret in a repository using the secret name.

OAuth app tokens and personal access tokens (classic) need the repo scope to use this endpoint. The associated user must be a repository admin.

fine_grained_access

works_with_fine_grained_tokens:

permission_set:

"Codespaces secrets" repository permissions (write)

Parameters for "Delete a repository secret"

Headers
Name, Type, Description
`accept` string Setting to `application/vnd.github+json` is recommended.

Path parameters
Name, Type, Description
`owner` string Required The account owner of the repository. The name is not case sensitive.
`repo` string Required The name of the repository without the `.git` extension. The name is not case sensitive.
`secret_name` string Required The name of the secret.

http_status_code

status_code	Description
`204`	No Content

code_samples

request_example

delete/repos/{owner}/{repo}/codespaces/secrets/{secret_name}

curl -L \
  -X DELETE \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2026-03-10" \
  https://api.github.com/repos/OWNER/REPO/codespaces/secrets/SECRET_NAME

Response

Status: 204

REST API endpoints for Codespaces repository secrets

Who can use this feature?

request_example

Response

request_example

Response

request_example

Response

request_examples

Response when creating a secret

request_example

Response