POST /organization/git-credentials/{profile}
The POST /organization/git-credentials/{profile} endpoint returns GitHub
installation tokens in Git’s credential helper format, using
token permissions granted by a specified organization profile.
Purpose
This endpoint provides explicit control over which organization profile is used when vending GitHub tokens. Profiles allow configuring different sets of repositories and permissions for different use cases.
This endpoint serves the same underlying function as POST /organization/token/{profile} (vending GitHub installation tokens); however, its request and response format follows Git’s credential helper protocol. This allows Chinmina Bridge to act as a Git credential helper, enabling transparent authentication for Git operations without requiring separate credential extraction and configuration steps.
See also
- Buildkite integration guide for details on how this endpoint is used in practice.
- Profile system for details on how profiles are configured and managed.
Request format
Headers
| Header | Required | Description |
|---|---|---|
| Authorization | Yes | Bearer token containing Buildkite OIDC JWT |
| Content-Type | Recommended | Should be text/plain |
Parameters
Profile parameter
The {profile} path parameter specifies which organization profile to use, in the format:
```
org:{profile-name}
```
Example: POST /organization/git-credentials/org:deploy
Request body
The request body follows Git’s credential helper input format:
```
protocol=https
host=github.com
path=owner/repository
```
Response format
Success response (200 OK)
When a token is successfully vended:
```
username=x-access-token
password=ghs_...
password_expiry_utc=1705320600
```
The response body is plain text with newline-separated key-value pairs. Git parses this and uses the credentials for the requested operation.
Empty response (200 OK)
When the requested repository is not in the profile’s allowed repository list, the endpoint returns a successful but empty response. See Git credentials format for details. This allows Git credential helpers to fall through to other credential sources.
Error responses
| Status code | Condition | Response body |
|---|---|---|
| 400 Bad Request | Invalid profile format or parameter | JSON error message |
| 401 Unauthorized | Missing or invalid JWT | JSON error message |
| 403 Forbidden | JWT valid but claims insufficient | JSON error message |
| 404 Not Found | Profile does not exist | JSON error message |
| 500 Internal Server Error | Token vending failure, GitHub API error | JSON error message |
Error responses are returned in JSON format. Any response that Git does not recognize as valid for the format is regarded as an error and discarded.
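The request body and the three response cases described above (credentials, empty fall-through, error) can be handled on the client side as follows. This is an added example, not code from Chinmina Bridge; the function names `build_request` and `parse_response` are hypothetical, and the sample token is a constructed placeholder.

```python
import time

def build_request(protocol, host, path):
    """Render the request body in Git's credential helper input format."""
    fields = {"protocol": protocol, "host": host, "path": path}
    for key, value in fields.items():
        # A newline or NUL inside a value would inject extra attributes.
        if "\n" in value or "\r" in value or "\0" in value:
            raise ValueError(f"illegal character in {key}")
    return "".join(f"{k}={v}\n" for k, v in fields.items())

def parse_response(status, body, now=None):
    """Return a credential dict, or None for the empty fall-through response."""
    if status != 200:
        # Error bodies are JSON, not credentials; never hand them to Git.
        raise RuntimeError(f"token request failed with HTTP {status}")
    if not body.strip():
        return None  # repository is not in the profile's allowed list
    creds = {}
    for line in body.splitlines():
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep or not key:
            raise ValueError("response is not in credential helper format")
        creds[key] = value
    if "username" not in creds or "password" not in creds:
        raise ValueError("response lacks username or password")
    expiry = creds.get("password_expiry_utc")
    now = time.time() if now is None else now
    if expiry is not None and int(expiry) <= now:
        raise ValueError("token already expired")
    return creds

# Constructed sample response; the token value is a placeholder.
SAMPLE_OK = (
    "username=x-access-token\n"
    "password=ghs_EXAMPLE\n"
    "password_expiry_utc=1705320600\n"
)
```

The parsed `password` value is a live installation token until `password_expiry_utc`, so callers should keep it out of logs and build output.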