Skip to content

GET /api/v1/admin/orgs/:slug/oidc-bindings

This page is auto-generated from src/admin/routes.ts. Do not edit by hand — see docs/dev/docs-auto-sync.md.

:warning: Heuristic extraction — not a contract. Response shapes below are mined from c.json(...) literals in the handler via an AST walker. Computed fields, ternaries, and non-literal returns are shown as placeholders. Refer to the linked source file for the authoritative behaviour.

GET /api/v1/admin/orgs/:slug/oidc-bindings

Section titled “GET /api/v1/admin/orgs/:slug/oidc-bindings”

Requires the following capability(ies):

  • oidc:r

Other middleware observed on this route (heuristic):

  • requireCapability

--- #569 Phase A2 — OIDC trust-binding registry ----------------------------

Three endpoints back the allowlist of (issuer, sub, repository_id) triples the OIDC verifier consults on every request. See migration 0052 + the design comment on #569 for the strictness rules + origin-flag layering.

Capability split:

  • oidc:r → LIST endpoint (members:r-shaped read access).
  • oidc:w → CREATE / REVOKE.

Origin-flag layering enforcement: ON TOP of the capability check, the create endpoint validates origin shape:

  • org_admin bindings can be created by any oidc:w-bearing principal.
  • team_admin bindings can be created only when the caller’s role on the named team_id is admin AND the proposed (sub, repository_id) falls inside an active org_admin envelope for the same tenant.
  • platform_admin bindings are reserved for the platform-admin surface (#446 / #447). The customer-facing admin API refuses to create them; they land via a platform-admin path in a future PR. GET /api/v1/admin/orgs/:slug/oidc-bindings — list active + revoked bindings for this tenant. Read access only; no sensitive data is surfaced beyond the (issuer, sub, repository_id) tuple + the origin / added-by / revoked-by audit columns.
{
"error": "Org not found"
}
{
"org": <slug>,
"count": <member-expr>,
"bindings": <rows>
}
  • File: src/admin/routes.ts
  • Line: 6332