POST /git-credentials

The POST /git-credentials endpoint returns GitHub installation tokens in Git’s credential helper format, enabling seamless integration with Git operations like clone, fetch, and pull.

Purpose

This endpoint serves the same underlying function as /token (vending GitHub installation tokens), however its request and response format follows Git’s credential helper protocol. This allows Chinmina Bridge to act as a Git credential helper, enabling transparent authentication for Git operations without requiring separate credential extraction and configuration steps.

See the Buildkite integration guide for details on how this endpoint is used in practice.

Request format

Headers

Header	Required	Description
`Authorization`	Yes	Bearer token containing Buildkite OIDC JWT
`Content-Type`	Recommended	Should be `text/plain`

Request body

The request body follows Git’s credential helper input format:

protocol=https
host=github.com
path=owner/repository

Response format

Success response (200 OK)

When a token is successfully vended, the response contains Git credential helper output:

username=x-access-token
password=ghs_...
password_expiry_utc=1705320600

The response body is plain text with newline-separated key-value pairs. Git parses this and uses the credentials for the requested operation.

Empty response (200 OK)

When the requested repository does not match the pipeline’s repository the endpoint returns a successful but empty response. See Git credentials format for details on empty response behavior.

Error responses

Status code	Condition	Response body
401 Unauthorized	Missing or invalid JWT	Plain text
403 Forbidden	JWT valid but claims insufficient	Plain text
500 Internal Server Error	Token vending failure, GitHub API error	Plain text

Error responses are returned in plain text. Any response that Git does not recognize as valid for the format is regarded as an error and discarded. Note that the server will never return client content as part of an error message.