Environments
Pulumi ESC (Environments, Secrets, and Configuration) provides a centralized way to manage infrastructure configuration. The Environments API allows you to create, manage, and use environments for your Pulumi deployments.
See Pulumi ESC for conceptual documentation and getting-started guides.
List Environments
/api/esc/environmentsReturns a paginated list of all Pulumi ESC environments accessible to the authenticated user across all organizations they belong to. Each entry includes the organization, project, environment name, and creation/modification timestamps. Use the organization query parameter to filter results to a specific organization. Use continuationToken for pagination through large result sets.
Request Parameters
continuationTokenstring query optionalContinuation token for paginated resultsincludeReferrerMetadataboolean query optionalWhether to include referrer metadata. Defaults to false.maxResultsinteger query optionalMaximum number of results for paginationorganizationstring query optionalFilter results to this organization name
Responses
- The list of environments
- ↳
idstring requiredThe unique identifier of the environment. - ↳
organizationstring requiredThe login name of the organization that owns this environment. - ↳
projectstring optionalThe project name that contains this environment, if project-scoped. - ↳
namestring requiredThe name of the environment. - ↳
createdstring requiredThe ISO 8601 timestamp when the environment was created. - ↳
modifiedstring requiredThe ISO 8601 timestamp when the environment was last modified. - The user with ownership of this environment
- ↳
tagsmap[string]string requiredUser-defined key-value tags associated with the environment for organization and filtering. - ↳
deletedAtstring optionalThe ISO 8601 timestamp when the environment was soft-deleted, or null if not deleted. - Hypermedia links related to the environment.
- Metadata about what refers to this environment.
- Configuration settings for the environment, such as deletion protection.
nextTokenstring optionalToken for fetching the next page of results
List Org Environments
/api/esc/environments/{orgName}Returns a paginated list of all Pulumi ESC environments within a specific organization. Each entry includes the project, environment name, and creation/modification timestamps. Results are scoped to the organization specified in the URL path. Use continuationToken for pagination through large result sets.
Request Parameters
orgNamestring path requiredThe organization namecontinuationTokenstring query optionalContinuation token for paginated resultsincludeReferrerMetadataboolean query optionalWhether to include referrer metadata. Defaults to false.maxResultsinteger query optionalMaximum number of results for paginationroleIDstring query optionalThe custom role to use for listing environments
Responses
- The list of environments
- ↳
idstring requiredThe unique identifier of the environment. - ↳
organizationstring requiredThe login name of the organization that owns this environment. - ↳
projectstring optionalThe project name that contains this environment, if project-scoped. - ↳
namestring requiredThe name of the environment. - ↳
createdstring requiredThe ISO 8601 timestamp when the environment was created. - ↳
modifiedstring requiredThe ISO 8601 timestamp when the environment was last modified. - The user with ownership of this environment
- ↳
tagsmap[string]string requiredUser-defined key-value tags associated with the environment for organization and filtering. - ↳
deletedAtstring optionalThe ISO 8601 timestamp when the environment was soft-deleted, or null if not deleted. - Hypermedia links related to the environment.
- Metadata about what refers to this environment.
- Configuration settings for the environment, such as deletion protection.
nextTokenstring optionalToken for fetching the next page of results
Create Environment
/api/esc/environments/{orgName}Creates a new Pulumi ESC (Environments, Secrets, and Configuration) environment within the specified organization. The request body must include the project name and the environment name. Environment names must be unique within a project and may only contain alphanumeric characters, hyphens, underscores, and periods. The newly created environment starts with an empty YAML definition that can be updated via the UpdateEnvironment endpoint.
Request Parameters
orgNamestring path requiredThe organization name
Request Body
projectstring requiredThe project name for the environment.namestring requiredThe name of the environment.
Responses
Read Environment
/api/esc/environments/{orgName}/{projectName}/{envName}Returns the YAML definition of a Pulumi ESC environment. The response is in application/x-yaml format and includes the environment’s imports, values, provider configurations, and function invocations. Secrets remain in their encrypted form (use DecryptEnvironment to see plaintext secrets, or OpenEnvironment to fully resolve all dynamic values). When a version path parameter is provided, returns the definition for that specific revision.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment name
Responses
Update Environment
/api/esc/environments/{orgName}/{projectName}/{envName}Validates and updates the YAML definition of a Pulumi ESC environment. The request body must contain the complete environment definition in application/x-yaml format, including imports, values, provider configurations, and function invocations. Each successful update creates a new immutable revision in the environment’s version history. Supports optimistic concurrency control via ETag/If-Match headers; returns 409 if the environment has been modified since it was last read.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment name
Responses
- The list of diagnostics produced by the environment operation.
- The source range where the diagnostic occurred.
- ↳
summarystring optionalA summary of the diagnostic message. - ↳
pathstring optionalThe path within the environment definition where the diagnostic occurred. - ↳
severitystring optionalThe severity of the diagnostic: “error” or “warning”.
Delete Environment
/api/esc/environments/{orgName}/{projectName}/{envName}Permanently deletes a Pulumi ESC environment and all of its revision history, tags, and associated configuration. This operation is blocked if deletion protection is enabled on the environment (see PatchEnvironmentSettings). Enterprise and Business Critical edition organizations may be able to restore deleted environments within a retention window. Returns 409 if the environment is deletion-protected or has been modified since it was last read.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment name
Responses
Head Environment
/api/esc/environments/{orgName}/{projectName}/{envName}Returns the ETag header for a Pulumi ESC environment without returning the full definition body. This is used for lightweight existence checks and for obtaining the current ETag value for optimistic concurrency control. The ETag should be included in subsequent update requests via the If-Match header to prevent concurrent modification conflicts. Returns 404 if the environment does not exist.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment name
Responses
Check Environment
/api/esc/environments/{orgName}/{projectName}/{envName}/checkChecks a Pulumi ESC environment definition for errors without applying changes. This validates the YAML definition including imports, provider configurations, function invocations (fn::open, fn::secret, etc.), and interpolation expressions. When the showSecrets query parameter is set to true, secret values are returned in plaintext in the response. The response includes any diagnostics or validation errors found in the environment definition. Supports optimistic concurrency control via ETag headers.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment nameshowSecretsboolean query optionalWhether to show secret values in plaintext
Responses
- List of diagnostics
- The source range where the diagnostic occurred.
- ↳
summarystring optionalA summary of the diagnostic message. - ↳
pathstring optionalThe path within the environment definition where the diagnostic occurred. - ↳
severitystring optionalThe severity of the diagnostic: “error” or “warning”. - Exprs contains the AST for each expression in the environment definition.
- The environment function summary
- ↳
funcCountsmap[string]integer requiredA map of function names to the number of times they are used. - ↳
rotationPathsarray[string] requiredThe list of paths that have rotation configured. - Properties contains the detailed values produced by the environment.
- Schema contains the schema for Properties.
- Schema definitions that can be referenced by $ref.
- ↳
_refstring optionalA JSON reference to a schema definition. - A list of schemas, any of which the value must match.
- A list of schemas, exactly one of which the value must match.
- Schemas for the leading items in an array.
- The schema for array items.
- The schema for additional object properties.
- Schemas for named object properties.
- ↳
typestring requiredThe type of the schema (e.g. string, number, object, array, boolean). - ↳
constobject optionalA constant value the instance must equal. - ↳
enumarray[object] optionalA list of allowed values. - ↳
multipleOfstring optionalThe value must be a multiple of this number. - ↳
maximumstring optionalThe maximum allowed value (inclusive). - ↳
exclusiveMaximumstring optionalThe maximum allowed value (exclusive). - ↳
minimumstring optionalThe minimum allowed value (inclusive). - ↳
exclusiveMinimumstring optionalThe minimum allowed value (exclusive). - ↳
maxLengthstring optionalThe maximum allowed string length. - ↳
minLengthstring optionalThe minimum allowed string length. - ↳
patternstring optionalA regular expression pattern the string must match. - ↳
maxItemsstring optionalThe maximum number of items in an array. - ↳
minItemsstring optionalThe minimum number of items in an array. - ↳
uniqueItemsboolean optionalWhether array items must be unique. - ↳
maxPropertiesstring optionalThe maximum number of properties in an object. - ↳
minPropertiesstring optionalThe minimum number of properties in an object. - ↳
requiredarray[string] optionalThe list of required property names. - ↳
dependentRequiredmap[string]array optionalA map of property names to lists of properties they depend on. - ↳
titlestring optionalA short human-readable label for the schema (JSON Schema annotation). - ↳
descriptionstring optionalA human-readable explanation of the schema’s purpose (JSON Schema annotation). - ↳
defaultobject optionalThe default value for the schema. - ↳
deprecatedboolean optionalWhether the schema is deprecated. - ↳
examplesarray[object] optionalExample values for the schema. - ↳
secretboolean optionalPulumi ESC extension: if true, the value should be treated as sensitive and masked in output. - ↳
rotateOnlyarray[string] optionalPulumi ESC extension: property paths within this schema that support rotation-only updates. - ExecutionContext contains the values + schema for the execution context passed to the root environment.
- Properties contains the detailed values produced by the execution context.
- Schema contains the schema for Properties.
Clone Environment
/api/esc/environments/{orgName}/{projectName}/{envName}/cloneCreates a duplicate of a Pulumi ESC environment in a new project and/or under a new name. The request body specifies the destination project and environment name, along with options to control what is preserved during the clone: preserveAccess retains permission settings, preserveHistory retains the full revision history, preserveEnvironmentTags retains environment-level tags, and preserveRevisionTags retains version-specific tags. Environments cannot be renamed directly, so cloning is the mechanism for moving or renaming environments.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment name
Request Body
projectstring optionalTarget project for the cloned environment. If omitted, uses the source project.namestring requiredName for the newly cloned environment.versioninteger optionalSpecific version of the source environment to clone. If omitted, clones the latest version.preserveHistoryboolean optionalWhether to copy the revision history from the source environment.preserveAccessboolean optionalWhether to copy access control settings from the source environment.preserveEnvironmentTagsboolean optionalWhether to copy environment-level tags from the source environment.preserveRevisionTagsboolean optionalWhether to copy revision-level tags from the source environment.
Responses
Decrypt Environment
/api/esc/environments/{orgName}/{projectName}/{envName}/decryptReads the YAML definition for a Pulumi ESC environment with all static secrets decrypted and shown in plaintext. Unlike the standard ReadEnvironment endpoint which returns secrets in their encrypted form, this endpoint resolves fn::secret values to their plaintext representations. The response is returned in application/x-yaml format. This does not resolve dynamic provider values (fn::open); use OpenEnvironment for full resolution. Requires environment open permission.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment name
Responses
Decrypt Environment Secrets
/api/esc/environments/{orgName}/{projectName}/{envName}/decrypt-secretsDecrypts encrypted secret values in a Pulumi ESC environment definition. Takes an environment definition containing encrypted secrets and returns the same definition with those values decrypted to plaintext. This is useful for inspecting or migrating environment definitions that contain fn::secret values. Requires environment open permission. Returns 413 if the request content exceeds the maximum allowed size.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment name
Request Body
ciphertextsarray[string] requiredThe list of encrypted ciphertext values to decrypt.
Responses
plaintextsarray[string] requiredThe list of decrypted plaintext values.
Create Environment Draft
/api/esc/environments/{orgName}/{projectName}/{envName}/draftsCreates a new draft change request for a Pulumi ESC environment. Drafts allow proposing changes to an environment definition that can be reviewed and approved before being applied. This is part of the approvals workflow for environments. Returns a ChangeRequestRef containing the draft identifier. Requires the Approvals feature to be enabled for the organization.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment name
Responses
changeRequestIdstring optionalThe change request identifierlatestRevisionNumberinteger optionalThe latest revision number
Read Environment Draft
/api/esc/environments/{orgName}/{projectName}/{envName}/drafts/{changeRequestID}Reads the YAML definition for a draft version of a Pulumi ESC environment. Drafts are proposed changes created as part of the approvals workflow. The draft is identified by the changeRequestID path parameter. An optional revision query parameter can target a specific base revision. The response is returned in application/x-yaml format. Requires the Approvals feature to be enabled.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment namechangeRequestIDstring path requiredThe change request IDrevisioninteger query optionalThe environment revision number to target
Responses
Update Environment Draft
/api/esc/environments/{orgName}/{projectName}/{envName}/drafts/{changeRequestID}Updates the YAML definition of an existing draft change request for a Pulumi ESC environment. The draft is identified by the changeRequestID path parameter. The request body contains the updated YAML definition. Returns a ChangeRequestRef on success. Requires the Approvals feature to be enabled for the organization.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment namechangeRequestIDstring path requiredThe change request ID
Responses
changeRequestIdstring optionalThe change request identifierlatestRevisionNumberinteger optionalThe latest revision number
Open Environment Draft
/api/esc/environments/{orgName}/{projectName}/{envName}/drafts/{changeRequestID}/openOpens a draft version of a Pulumi ESC environment, fully resolving all dynamic values, provider integrations, and secrets for the proposed changes. The duration parameter specifies how long the open session remains valid using Go duration format (e.g., ‘2h’, ‘30m’). An optional revision parameter can target a specific base revision. Returns an OpenEnvironmentResponse containing the session ID for subsequent reads. Requires the Approvals feature.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment namechangeRequestIDstring path requiredThe change request IDdurationstring query optionalThe session duration, using Go time units: ns, us, ms, s, m, h (e.g. ‘2h’)revisioninteger query optionalThe environment revision number to target
Responses
idstring requiredThe unique identifier of the opened environment session.- Any diagnostics generated when opening the environment.
- The source range where the diagnostic occurred.
- ↳
summarystring optionalA summary of the diagnostic message. - ↳
pathstring optionalThe path within the environment definition where the diagnostic occurred. - ↳
severitystring optionalThe severity of the diagnostic: “error” or “warning”.
Encrypt Environment Secrets
/api/esc/environments/{orgName}/{projectName}/{envName}/encrypt-secretsEncrypts plaintext secret values in a Pulumi ESC environment definition. Takes an environment definition containing plaintext secrets and returns the same definition with those values encrypted using the environment’s encryption key. This is useful for preparing environment definitions that contain sensitive values before storing or updating them. Returns 413 if the request content exceeds the maximum allowed size.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment name
Request Body
plaintextsarray[string] requiredThe list of plaintext values to encrypt.
Responses
ciphertextsarray[string] requiredThe encrypted values, in order of the plaintexts from the request.
List Webhooks
/api/esc/environments/{orgName}/{projectName}/{envName}/hooksReturns a list of all webhooks configured for a Pulumi ESC environment. Each webhook entry includes its name, destination URL, event filters, format, and active status. Webhooks enable external services to be notified of environment events such as updates and opens.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment name
Responses
Create Webhook
/api/esc/environments/{orgName}/{projectName}/{envName}/hooksCreates a new webhook for a Pulumi ESC environment. Webhooks allow external services to be notified when environment events occur, such as updates or opens. The request body specifies the webhook configuration including the destination URL, event filters, and format. Returns 400 if the organization name in the request body does not match the URL path parameter. Returns 409 if a webhook with the same name already exists.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment name
Request Body
organizationNamestring requiredThe organization that owns this webhook.projectNamestring optionalThe project name. Set when the webhook is scoped to a specific stack.stackNamestring optionalThe stack name. Set when the webhook is scoped to a specific stack.envNamestring optionalThe environment name. Set when the webhook is scoped to a specific environment.namestring requiredThe unique identifier name for the webhook within its scope.displayNamestring requiredThe human-readable display name shown in the UI.payloadUrlstring requiredThe URL to which webhook payloads are delivered.secretstring optionalSecret will be omitted when returned from the service.activeboolean requiredWhether the webhook is active and will receive deliveries.formatstring optionalThe format of the webhook payload (e.g., ‘raw’, ‘slack’, ‘ms_teams’).filtersarray[string] optionalSpecific event types this webhook subscribes to. If empty, all events are delivered.groupsarray[string] optionalEvent groups this webhook subscribes to (e.g., ‘stacks’, ‘deployments’).
Responses
hasSecretboolean requiredHasSecret is true if the webhook has a secret. This is used to determine whether to show that there is a secret in the UI.organizationNamestring requiredThe organization that owns this webhook.projectNamestring optionalThe project name. Set when the webhook is scoped to a specific stack.secretCiphertextstring requiredSecretCiphertext is the ciphertext value of the webhook’s secret. It’s used to check whether the secret was changed by the PSPstackNamestring optionalThe stack name. Set when the webhook is scoped to a specific stack.envNamestring optionalThe environment name. Set when the webhook is scoped to a specific environment.namestring requiredThe unique identifier name for the webhook within its scope.displayNamestring requiredThe human-readable display name shown in the UI.payloadUrlstring requiredThe URL to which webhook payloads are delivered.secretstring optionalSecret will be omitted when returned from the service.activeboolean requiredWhether the webhook is active and will receive deliveries.formatstring optionalThe format of the webhook payload (e.g., ‘raw’, ‘slack’, ‘ms_teams’).filtersarray[string] optionalSpecific event types this webhook subscribes to. If empty, all events are delivered.groupsarray[string] optionalEvent groups this webhook subscribes to (e.g., ‘stacks’, ‘deployments’).
Get Webhook
/api/esc/environments/{orgName}/{projectName}/{envName}/hooks/{hookName}Returns the configuration and status of a single webhook for a Pulumi ESC environment. The webhook is identified by its name in the URL path. The response includes the webhook’s destination URL, event filters, format, and active status. Returns 404 if the webhook does not exist.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment namehookNamestring path requiredThe webhook name
Responses
hasSecretboolean requiredHasSecret is true if the webhook has a secret. This is used to determine whether to show that there is a secret in the UI.organizationNamestring requiredThe organization that owns this webhook.projectNamestring optionalThe project name. Set when the webhook is scoped to a specific stack.secretCiphertextstring requiredSecretCiphertext is the ciphertext value of the webhook’s secret. It’s used to check whether the secret was changed by the PSPstackNamestring optionalThe stack name. Set when the webhook is scoped to a specific stack.envNamestring optionalThe environment name. Set when the webhook is scoped to a specific environment.namestring requiredThe unique identifier name for the webhook within its scope.displayNamestring requiredThe human-readable display name shown in the UI.payloadUrlstring requiredThe URL to which webhook payloads are delivered.secretstring optionalSecret will be omitted when returned from the service.activeboolean requiredWhether the webhook is active and will receive deliveries.formatstring optionalThe format of the webhook payload (e.g., ‘raw’, ‘slack’, ‘ms_teams’).filtersarray[string] optionalSpecific event types this webhook subscribes to. If empty, all events are delivered.groupsarray[string] optionalEvent groups this webhook subscribes to (e.g., ‘stacks’, ‘deployments’).
Update Webhook
/api/esc/environments/{orgName}/{projectName}/{envName}/hooks/{hookName}Updates the configuration of an existing webhook on a Pulumi ESC environment. The webhook is identified by its name in the URL path. The request body contains the updated webhook configuration including destination URL, event filters, format, and active status. Returns the updated WebhookResponse on success. Returns 400 if an invalid format is specified.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment namehookNamestring path requiredThe webhook name
Request Body
organizationNamestring requiredThe organization that owns this webhook.projectNamestring optionalThe project name. Set when the webhook is scoped to a specific stack.stackNamestring optionalThe stack name. Set when the webhook is scoped to a specific stack.envNamestring optionalThe environment name. Set when the webhook is scoped to a specific environment.namestring requiredThe unique identifier name for the webhook within its scope.displayNamestring requiredThe human-readable display name shown in the UI.payloadUrlstring requiredThe URL to which webhook payloads are delivered.secretstring optionalSecret will be omitted when returned from the service.activeboolean requiredWhether the webhook is active and will receive deliveries.formatstring optionalThe format of the webhook payload (e.g., ‘raw’, ‘slack’, ‘ms_teams’).filtersarray[string] optionalSpecific event types this webhook subscribes to. If empty, all events are delivered.groupsarray[string] optionalEvent groups this webhook subscribes to (e.g., ‘stacks’, ‘deployments’).
Responses
hasSecretboolean requiredHasSecret is true if the webhook has a secret. This is used to determine whether to show that there is a secret in the UI.organizationNamestring requiredThe organization that owns this webhook.projectNamestring optionalThe project name. Set when the webhook is scoped to a specific stack.secretCiphertextstring requiredSecretCiphertext is the ciphertext value of the webhook’s secret. It’s used to check whether the secret was changed by the PSPstackNamestring optionalThe stack name. Set when the webhook is scoped to a specific stack.envNamestring optionalThe environment name. Set when the webhook is scoped to a specific environment.namestring requiredThe unique identifier name for the webhook within its scope.displayNamestring requiredThe human-readable display name shown in the UI.payloadUrlstring requiredThe URL to which webhook payloads are delivered.secretstring optionalSecret will be omitted when returned from the service.activeboolean requiredWhether the webhook is active and will receive deliveries.formatstring optionalThe format of the webhook payload (e.g., ‘raw’, ‘slack’, ‘ms_teams’).filtersarray[string] optionalSpecific event types this webhook subscribes to. If empty, all events are delivered.groupsarray[string] optionalEvent groups this webhook subscribes to (e.g., ‘stacks’, ‘deployments’).
Delete Webhook
/api/esc/environments/{orgName}/{projectName}/{envName}/hooks/{hookName}Deletes a webhook from a Pulumi ESC environment. The webhook is identified by its name in the URL path. After deletion, the external service will no longer receive notifications for environment events. Returns 204 on success with no response body.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment namehookNamestring path requiredThe webhook name
Responses
Get Webhook Deliveries
/api/esc/environments/{orgName}/{projectName}/{envName}/hooks/{hookName}/deliveriesReturns a list of recent delivery attempts for a specific webhook on a Pulumi ESC environment. Each delivery record includes the HTTP status code, response body, timestamp, and whether the delivery was successful. This is useful for debugging webhook integration issues and verifying that events are being received.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment namehookNamestring path requiredThe webhook name
Responses
Redeliver Webhook Event
/api/esc/environments/{orgName}/{projectName}/{envName}/hooks/{hookName}/deliveries/{event}/redeliverTriggers the Pulumi Service to redeliver a specific event to a webhook on a Pulumi ESC environment. This is useful for resending events that the webhook endpoint failed to process on the initial delivery attempt (e.g., due to temporary downtime or errors). The event is identified by its delivery event ID in the URL path. Returns the new WebhookDelivery record for the redelivery.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment namehookNamestring path requiredThe webhook nameeventstring path requiredThe webhook delivery event ID to redeliver
Responses
idstring requiredThe unique identifier of the delivery.kindstring requiredThe kind of webhook event.payloadstring requiredThe JSON payload that was sent.timestampinteger requiredThe time the delivery was sent, as a Unix epoch timestamp.durationinteger requiredThe duration of the delivery request in milliseconds.requestUrlstring requiredThe URL the webhook was delivered to.requestHeadersstring requiredThe HTTP headers sent with the request.responseCodeinteger requiredThe HTTP response status code.responseHeadersstring requiredThe HTTP response headers.responseBodystring requiredThe HTTP response body.
Ping Webhook
/api/esc/environments/{orgName}/{projectName}/{envName}/hooks/{hookName}/pingSends a test ping event to a webhook on a Pulumi ESC environment to verify that the webhook endpoint is reachable and functioning correctly. This bypasses the normal message queue and issues the request directly to the webhook URL. Returns the WebhookDelivery record containing the HTTP status code and response from the target endpoint.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment namehookNamestring path requiredThe webhook name
Responses
idstring requiredThe unique identifier of the delivery.kindstring requiredThe kind of webhook event.payloadstring requiredThe JSON payload that was sent.timestampinteger requiredThe time the delivery was sent, as a Unix epoch timestamp.durationinteger requiredThe duration of the delivery request in milliseconds.requestUrlstring requiredThe URL the webhook was delivered to.requestHeadersstring requiredThe HTTP headers sent with the request.responseCodeinteger requiredThe HTTP response status code.responseHeadersstring requiredThe HTTP response headers.responseBodystring requiredThe HTTP response body.
Get Environment Metadata
/api/esc/environments/{orgName}/{projectName}/{envName}/metadataReturns metadata for a Pulumi ESC environment, including the calling user’s effective permission level (read, open, write, admin), creation and modification timestamps, the environment’s project, and other administrative information. This is useful for determining what actions the current user can perform on the environment before attempting those operations.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment name
Responses
idstring requiredEnvironment metadata follows other Pulumi Cloud “Metadata” fields and contains read-only information about the environment- The user with ownership of this environment
- ↳
namestring requiredThe user’s display name. - ↳
githubLoginstring requiredThe user’s login name. - ↳
avatarUrlstring requiredThe URL of the user’s avatar image. - ↳
emailstring optionalIMPORTANT: The email address of the user is only included on a few admin-only APIs. For nearly all APIs that return a UserInfo object, this will not be provided. considered sensitive information. - ActiveChangeRequest contains information about any active change request for this environment. Will be nil if there is no active change request.
- ↳
changeRequestIdstring optionalThe change request identifier - ↳
latestRevisionNumberinteger optionalThe latest revision number gatedActionsarray[string] optionalGatedActions indicates which actions on this environment require change request approval.openRequestNeededboolean optionalOpenRequestNeeded indicates whether an open request is currently needed in order to open the environment.
Open Environment
/api/esc/environments/{orgName}/{projectName}/{envName}/openOpens a Pulumi ESC environment, fully resolving all dynamic values, provider integrations (fn::open), interpolation expressions, and secrets. This initiates an access session that evaluates the complete environment definition including all imports. The duration parameter specifies how long the session remains valid using Go duration format (e.g., ‘2h45m’, ‘300ms’). Returns an OpenEnvironmentResponse containing the session ID and any diagnostics. Use the session ID with ReadOpenEnvironment to retrieve the resolved values.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment namedurationstring query optionalThe session duration, using Go time units: ns, us, ms, s, m, h (e.g. ‘2h’)
Responses
idstring requiredThe unique identifier of the opened environment session.- Any diagnostics generated when opening the environment.
- The source range where the diagnostic occurred.
- ↳
summarystring optionalA summary of the diagnostic message. - ↳
pathstring optionalThe path within the environment definition where the diagnostic occurred. - ↳
severitystring optionalThe severity of the diagnostic: “error” or “warning”.
Read Open Environment
/api/esc/environments/{orgName}/{projectName}/{envName}/open/{openSessionID}Reads the fully resolved values from an open environment session that was created via the OpenEnvironment endpoint. The openSessionID path parameter must match a valid, non-expired session. The optional property query parameter accepts a dot-separated path to retrieve a specific nested value instead of the entire resolved environment (e.g., ‘aws.credentials.accessKeyId’). The response contains all resolved configuration values with secrets decrypted and provider-sourced values fully evaluated.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment nameopenSessionIDstring path requiredThe session ID returned from the open environment operationpropertystring query optionalA dot-separated path to a specific property to retrieve from the environment
Responses
Create Open Environment Request
/api/esc/environments/{orgName}/{projectName}/{envName}/open/requestCreates an open request for a Pulumi ESC environment that has gated opens enabled. When an environment has open gates configured, opening the environment requires an approval workflow. This endpoint initiates that process by creating an open request, and also creates corresponding open requests for each imported environment that has open gates. Requires the Approvals feature to be enabled for the organization. Returns 400 if the environment does not have gated opens.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment name
Request Body
grantExpirationSecondsinteger requiredTime from application of the request until the resulting grant expiresaccessDurationSecondsinteger requiredTotal duration that the resulting grant can be used to access the environment open endpoint (after first open)
Responses
- List of change requests
- ↳
projectNamestring requiredThe project name - ↳
environmentNamestring requiredThe environment name - ↳
changeRequestIdstring requiredThe change request identifier - ↳
latestRevisionNumberinteger requiredThe latest revision number - ↳
etagstring requiredThe entity tag for concurrency control
Read Open Environment Request
/api/esc/environments/{orgName}/{projectName}/{envName}/open/request/{changeRequestID}Reads the details of an open environment request that was created as part of the gated opens approval workflow. The request is identified by the changeRequestID path parameter. The response includes the request’s status, the requesting user, and approval details. An optional revision query parameter can target a specific environment revision. Requires the Approvals feature to be enabled.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment namechangeRequestIDstring path requiredThe change request IDrevisioninteger query optionalThe environment revision number to target
Responses
grantExpirationSecondsinteger requiredTime from application of the request until the resulting grant expiresaccessDurationSecondsinteger requiredTotal duration that the resulting grant can be used to access the environment open endpoint (after first open)
Update Open Environment Request
/api/esc/environments/{orgName}/{projectName}/{envName}/open/request/{changeRequestID}Updates an existing open environment request that was created as part of the gated opens approval workflow. The request is identified by the changeRequestID path parameter. The request body contains the updated open request details, such as approval status. Returns a ChangeRequestRef on success. Requires the Approvals feature to be enabled for the organization.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment namechangeRequestIDstring path requiredThe change request ID
Request Body
grantExpirationSecondsinteger requiredTime from application of the request until the resulting grant expiresaccessDurationSecondsinteger requiredTotal duration that the resulting grant can be used to access the environment open endpoint (after first open)
Responses
changeRequestIdstring optionalThe change request identifierlatestRevisionNumberinteger optionalThe latest revision number
Reassign Environment Ownership
/api/esc/environments/{orgName}/{projectName}/{envName}/ownershipChanges the ownership of the specified environment to the provided user. Returns the identity of the previous owner.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment name
Request Body
namestring requiredThe user’s display name.githubLoginstring requiredThe user’s login name.avatarUrlstring requiredThe URL of the user’s avatar image.emailstring optionalIMPORTANT: The email address of the user is only included on a few admin-only APIs. For nearly all APIs that return a UserInfo object, this will not be provided. considered sensitive information.
Responses
namestring requiredThe user’s display name.githubLoginstring requiredThe user’s login name.avatarUrlstring requiredThe URL of the user’s avatar image.emailstring optionalIMPORTANT: The email address of the user is only included on a few admin-only APIs. For nearly all APIs that return a UserInfo object, this will not be provided. considered sensitive information.
List Environment Referrers
/api/esc/environments/{orgName}/{projectName}/{envName}/referrersReturns a paginated list of entities that reference a Pulumi ESC environment, including other environments that import it and Pulumi stacks that use it in their configuration. The count parameter limits results (range 1-500). Set allRevisions to true to include references across all revisions, and latestStackVersionOnly to true to return only the latest stack version for each referring stack. Use continuationToken for pagination.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment nameallRevisionsboolean query optionalWhether to include all revisionscontinuationTokenstring query optionalContinuation token for paginated resultscountinteger query optionalMaximum number of results to returnlatestStackVersionOnlyboolean query optionalWhether to return only the latest stack version
Responses
referrersmap[string]array requiredMap of referrer types to their referrer detailscontinuationTokenstring optionalContinuation token for pagination
Rotate Environment
/api/esc/environments/{orgName}/{projectName}/{envName}/rotateTriggers secret rotation for a Pulumi ESC environment. This evaluates all fn::rotate declarations in the environment definition and rotates the corresponding secrets in their external systems (e.g., rotating database passwords, API keys, or cloud credentials). Requires the secret rotation feature to be enabled for the organization. Returns 409 if the environment has been modified since it was last read.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment name
Request Body
pathsarray[string] requiredThe paths of the secrets to rotate.
Responses
idstring requiredThe unique identifier for this rotation operation.- Diagnostics generated during the rotation operation.
- The source range where the diagnostic occurred.
- ↳
summarystring optionalA summary of the diagnostic message. - ↳
pathstring optionalThe path within the environment definition where the diagnostic occurred. - ↳
severitystring optionalThe severity of the diagnostic: “error” or “warning”. - Details of the secret rotation event.
- ↳
idstring requiredThe unique identifier for this rotation event. - ↳
environmentIdstring requiredThe ID of the environment being rotated. - ↳
createdstring requiredThe timestamp when this rotation event was created. - ↳
preRotationRevisioninteger requiredThe environment revision before the rotation. - ↳
postRotationRevisioninteger optionalThe environment revision after the rotation, if completed. - ↳
userIDstring requiredThe ID of the user who initiated the rotation. - ↳
completedstring optionalThe timestamp when the rotation completed. - ↳
statusstring requiredThe current status of the rotation event. - ↳
scheduledActionIDstring optionalThe ID of the scheduled action that triggered this rotation, if any. - ↳
errorMessagestring optionalAn error message if the rotation failed. - The individual secret rotations within this event.
List Environment Secret Rotation History
/api/esc/environments/{orgName}/{projectName}/{envName}/rotate/historyReturns the secret rotation history for a Pulumi ESC environment. Each entry represents a rotation event where secrets defined with fn::rotate were cycled to new values in their external systems. The response includes timestamps, outcomes, and the rotators involved. Requires the secret rotation feature to be enabled for the organization.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment name
Responses
- The list of secret rotation events
- ↳
idstring requiredThe unique identifier for this rotation event. - ↳
environmentIdstring requiredThe ID of the environment being rotated. - ↳
createdstring requiredThe timestamp when this rotation event was created. - ↳
preRotationRevisioninteger requiredThe environment revision before the rotation. - ↳
postRotationRevisioninteger optionalThe environment revision after the rotation, if completed. - ↳
userIDstring requiredThe ID of the user who initiated the rotation. - ↳
completedstring optionalThe timestamp when the rotation completed. - ↳
statusstring requiredThe current status of the rotation event. - ↳
scheduledActionIDstring optionalThe ID of the scheduled action that triggered this rotation, if any. - ↳
errorMessagestring optionalAn error message if the rotation failed. - The individual secret rotations within this event.
List Environment Schedule
/api/esc/environments/{orgName}/{projectName}/{envName}/schedulesReturns all scheduled actions configured for a Pulumi ESC environment. Schedules automate recurring operations such as secret rotation. The response includes each schedule’s timing configuration, action type, and current status (active or paused).
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment name
Responses
- The list of scheduled actions
- ↳
idstring requiredThe unique identifier for this scheduled action. - ↳
orgIDstring requiredThe organization ID that owns this scheduled action. - ↳
scheduleCronstring optionalA cron expression defining the recurring schedule. - ↳
scheduleOncestring optionalA timestamp for a one-time scheduled execution. - ↳
nextExecutionstring requiredThe timestamp of the next scheduled execution. - ↳
pausedboolean requiredWhether the scheduled action is currently paused. - ↳
kindenum requiredThe kind of action to be executed.Values:deployment,environment_rotation,scan,agent_automation - ↳
definitionmap[string]object requiredThe action definition, which varies based on the action kind. - ↳
createdstring requiredThe timestamp when this scheduled action was created. - ↳
modifiedstring requiredThe timestamp when this scheduled action was last modified. - ↳
lastExecutedstring requiredThe timestamp of the last execution, if any.
Create Environment Schedule
/api/esc/environments/{orgName}/{projectName}/{envName}/schedulesCreates a new scheduled action for a Pulumi ESC environment. Schedules can be used to automate recurring operations on environments, such as secret rotation. The request body specifies the schedule timing and the action to perform. Returns the created ScheduledAction on success. Requires the secret rotation feature to be enabled for the organization.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment name
Request Body
scheduleCronstring optionalThe schedule cronscheduleOncestring optionalThe schedule once- The secret rotation request
- ↳
environmentPathstring requiredEnvironment Path specifies a path to a rotated secret to be updated Leave the field blank to rotate ALL rotated secrets in an environment
Responses
idstring requiredThe unique identifier for this scheduled action.orgIDstring requiredThe organization ID that owns this scheduled action.scheduleCronstring optionalA cron expression defining the recurring schedule.scheduleOncestring optionalA timestamp for a one-time scheduled execution.nextExecutionstring requiredThe timestamp of the next scheduled execution.pausedboolean requiredWhether the scheduled action is currently paused.kindenum requiredThe kind of action to be executed.Values:deployment,environment_rotation,scan,agent_automationdefinitionmap[string]object requiredThe action definition, which varies based on the action kind.createdstring requiredThe timestamp when this scheduled action was created.modifiedstring requiredThe timestamp when this scheduled action was last modified.lastExecutedstring requiredThe timestamp of the last execution, if any.
Read Environment Schedule
/api/esc/environments/{orgName}/{projectName}/{envName}/schedules/{scheduleID}Returns the details of a specific scheduled action for a Pulumi ESC environment. The schedule is identified by the scheduleID path parameter. The response includes the schedule’s timing configuration (cron expression or one-time), the action to perform, and the current status (active or paused).
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment namescheduleIDstring path requiredThe schedule ID
Responses
idstring requiredThe unique identifier for this scheduled action.orgIDstring requiredThe organization ID that owns this scheduled action.scheduleCronstring optionalA cron expression defining the recurring schedule.scheduleOncestring optionalA timestamp for a one-time scheduled execution.nextExecutionstring requiredThe timestamp of the next scheduled execution.pausedboolean requiredWhether the scheduled action is currently paused.kindenum requiredThe kind of action to be executed.Values:deployment,environment_rotation,scan,agent_automationdefinitionmap[string]object requiredThe action definition, which varies based on the action kind.createdstring requiredThe timestamp when this scheduled action was created.modifiedstring requiredThe timestamp when this scheduled action was last modified.lastExecutedstring requiredThe timestamp of the last execution, if any.
Update Environment Schedule
/api/esc/environments/{orgName}/{projectName}/{envName}/schedules/{scheduleID}Updates the configuration of a scheduled action for a Pulumi ESC environment. The schedule is identified by the scheduleID path parameter. The request body specifies the updated timing and action configuration. Changes take effect for future executions only; any currently running execution is not affected. Returns the updated ScheduledAction on success.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment namescheduleIDstring path requiredThe schedule ID
Request Body
scheduleCronstring optionalThe schedule cronscheduleOncestring optionalThe schedule once- The secret rotation request
- ↳
environmentPathstring requiredEnvironment Path specifies a path to a rotated secret to be updated Leave the field blank to rotate ALL rotated secrets in an environment
Responses
idstring requiredThe unique identifier for this scheduled action.orgIDstring requiredThe organization ID that owns this scheduled action.scheduleCronstring optionalA cron expression defining the recurring schedule.scheduleOncestring optionalA timestamp for a one-time scheduled execution.nextExecutionstring requiredThe timestamp of the next scheduled execution.pausedboolean requiredWhether the scheduled action is currently paused.kindenum requiredThe kind of action to be executed.Values:deployment,environment_rotation,scan,agent_automationdefinitionmap[string]object requiredThe action definition, which varies based on the action kind.createdstring requiredThe timestamp when this scheduled action was created.modifiedstring requiredThe timestamp when this scheduled action was last modified.lastExecutedstring requiredThe timestamp of the last execution, if any.
Delete Environment Schedule
/api/esc/environments/{orgName}/{projectName}/{envName}/schedules/{scheduleID}Permanently deletes a scheduled action from a Pulumi ESC environment. This removes the schedule and cancels any future executions. The schedule is identified by its scheduleID. Requires the secret rotation feature to be enabled for the organization.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment namescheduleIDstring path requiredThe schedule ID
Responses
List Environment Schedule History
/api/esc/environments/{orgName}/{projectName}/{envName}/schedules/{scheduleID}/historyReturns the execution history for a specific scheduled action on a Pulumi ESC environment. Each history entry includes the execution timestamp, outcome (success or failure), and any error details. This is useful for monitoring the reliability of automated operations like secret rotation.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment namescheduleIDstring path requiredThe schedule ID
Responses
- The list of scheduled action history events
- ↳
idstring requiredThe unique identifier for this history event. - ↳
scheduledActionIDstring requiredThe ID of the scheduled action this event belongs to. - ↳
executedstring requiredThe timestamp when the action was executed. - ↳
versioninteger requiredThe version of the scheduled action at the time of execution. - ↳
resultstring requiredThe result of the execution.
Pause Environment Schedule
/api/esc/environments/{orgName}/{projectName}/{envName}/schedules/{scheduleID}/pausePauses a scheduled action on a Pulumi ESC environment, preventing any future executions until the schedule is resumed. The schedule’s configuration is preserved and can be reactivated via the ResumeEnvironmentSchedule endpoint. This is useful for temporarily disabling automated operations like secret rotation without deleting the schedule.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment namescheduleIDstring path requiredThe schedule ID
Responses
Resume Environment Schedule
/api/esc/environments/{orgName}/{projectName}/{envName}/schedules/{scheduleID}/resumeResumes a previously paused scheduled action on a Pulumi ESC environment, re-enabling future executions. The schedule will continue from its next scheduled time according to its configured timing (cron expression or one-time schedule). The schedule is identified by the scheduleID path parameter.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment namescheduleIDstring path requiredThe schedule ID
Responses
Get Environment Settings
/api/esc/environments/{orgName}/{projectName}/{envName}/settingsReturns the current settings for a Pulumi ESC environment, including whether deletion protection is enabled. Deletion protection prevents the environment from being deleted until the setting is explicitly disabled. Settings can be modified via the PatchEnvironmentSettings endpoint.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment name
Responses
deletionProtectedboolean requiredWhether the environment is protected from deletion.
Patch Environment Settings
/api/esc/environments/{orgName}/{projectName}/{envName}/settingsUpdates settings for a Pulumi ESC environment using a partial update (patch) approach. Currently supports toggling deletion protection via the deletionProtected field. When deletionProtected is set to true, the environment cannot be deleted until the setting is explicitly disabled. Only the fields included in the request body are modified; omitted fields retain their current values.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment name
Request Body
deletionProtectedboolean optionalDeletionProtected indicates whether deletion protection should be enabled for this environment. Null means no change.
Responses
List Environment Tags
/api/esc/environments/{orgName}/{projectName}/{envName}/tagsReturns a paginated list of user-defined tags for a Pulumi ESC environment. Tags are key-value pairs used for organizing and categorizing environments. Use the after parameter for cursor-based pagination and count to limit the number of results returned.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment nameafterinteger query optionalOnly return results after this valuecountinteger query optionalMaximum number of results to return
Responses
- Map of tag names to their tag details
nextTokenstring requiredToken for fetching the next page of results
Create Environment Tag
/api/esc/environments/{orgName}/{projectName}/{envName}/tagsAdds a new user-defined tag to a Pulumi ESC environment. Tags are key-value pairs that provide contextual metadata for organizing and searching environments (e.g., region=us-east-1, team=platform). The tag name and value are provided in the request body. Returns the created EnvironmentTag on success. Returns 409 if a tag with the same name already exists on the environment.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment name
Request Body
namestring requiredThe namevaluestring requiredThe value
Responses
namestring requiredThe name of the tag.valuestring requiredThe value of the tag.createdstring requiredThe timestamp when the tag was created.modifiedstring requiredThe timestamp when the tag was last modified.editorLoginstring requiredThe login name of the user who last edited the tag.editorNamestring requiredThe display name of the user who last edited the tag.
Get Environment Tag
/api/esc/environments/{orgName}/{projectName}/{envName}/tags/{tagName}Returns a single user-defined tag for a Pulumi ESC environment, identified by the tag name in the URL path. The response includes the tag name, value, and metadata. Returns 404 if the tag does not exist on the environment.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment nametagNamestring path requiredThe environment tag name
Responses
namestring requiredThe name of the tag.valuestring requiredThe value of the tag.createdstring requiredThe timestamp when the tag was created.modifiedstring requiredThe timestamp when the tag was last modified.editorLoginstring requiredThe login name of the user who last edited the tag.editorNamestring requiredThe display name of the user who last edited the tag.
Update Environment Tag
/api/esc/environments/{orgName}/{projectName}/{envName}/tags/{tagName}Modifies the value of an existing user-defined tag on a Pulumi ESC environment. The tag is identified by its name in the URL path. The request body contains the new value for the tag. Returns the updated EnvironmentTag on success. Returns 404 if the tag does not exist on the environment.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment nametagNamestring path requiredThe environment tag name
Request Body
- The current tag value to match for optimistic concurrency control.
- ↳
valuestring requiredThe current tag value. - The new tag name and value to set.
- ↳
namestring optionalThe new tag name. - ↳
valuestring optionalThe new tag value.
Responses
namestring requiredThe name of the tag.valuestring requiredThe value of the tag.createdstring requiredThe timestamp when the tag was created.modifiedstring requiredThe timestamp when the tag was last modified.editorLoginstring requiredThe login name of the user who last edited the tag.editorNamestring requiredThe display name of the user who last edited the tag.
Delete Environment Tag
/api/esc/environments/{orgName}/{projectName}/{envName}/tags/{tagName}Removes a user-defined tag from a Pulumi ESC environment. The tag is identified by its name in the URL path. Returns 204 on success with no response body. Returns 404 if the tag does not exist on the environment.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment nametagNamestring path requiredThe environment tag name
Responses
List Environment Revisions
/api/esc/environments/{orgName}/{projectName}/{envName}/versionsReturns a paginated list of revisions for a Pulumi ESC environment. Each revision represents an immutable snapshot of the environment definition created when the environment is updated. The response includes revision numbers, timestamps, and the identity of the user who made each change. Use the before parameter to fetch revisions before a specific revision number, and count to limit the number of results returned.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment namebeforeinteger query optionalOnly return results before this revisioncountinteger query optionalMaximum number of results to return
Responses
Read Environment
/api/esc/environments/{orgName}/{projectName}/{envName}/versions/{version}Returns the YAML definition of a Pulumi ESC environment. The response is in application/x-yaml format and includes the environment’s imports, values, provider configurations, and function invocations. Secrets remain in their encrypted form (use DecryptEnvironment to see plaintext secrets, or OpenEnvironment to fully resolve all dynamic values). When a version path parameter is provided, returns the definition for that specific revision.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment nameversionstring path requiredThe revision version number
Responses
Check Environment
/api/esc/environments/{orgName}/{projectName}/{envName}/versions/{version}/checkChecks a Pulumi ESC environment definition for errors without applying changes. This validates the YAML definition including imports, provider configurations, function invocations (fn::open, fn::secret, etc.), and interpolation expressions. When the showSecrets query parameter is set to true, secret values are returned in plaintext in the response. The response includes any diagnostics or validation errors found in the environment definition. Supports optimistic concurrency control via ETag headers.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment nameversionstring path requiredThe revision version numbershowSecretsboolean query optionalWhether to show secret values in plaintext
Responses
- List of diagnostics
- The source range where the diagnostic occurred.
- ↳
summarystring optionalA summary of the diagnostic message. - ↳
pathstring optionalThe path within the environment definition where the diagnostic occurred. - ↳
severitystring optionalThe severity of the diagnostic: “error” or “warning”. - Exprs contains the AST for each expression in the environment definition.
- The environment function summary
- ↳
funcCountsmap[string]integer requiredA map of function names to the number of times they are used. - ↳
rotationPathsarray[string] requiredThe list of paths that have rotation configured. - Properties contains the detailed values produced by the environment.
- Schema contains the schema for Properties.
- Schema definitions that can be referenced by $ref.
- ↳
_refstring optionalA JSON reference to a schema definition. - A list of schemas, any of which the value must match.
- A list of schemas, exactly one of which the value must match.
- Schemas for the leading items in an array.
- The schema for array items.
- The schema for additional object properties.
- Schemas for named object properties.
- ↳
typestring requiredThe type of the schema (e.g. string, number, object, array, boolean). - ↳
constobject optionalA constant value the instance must equal. - ↳
enumarray[object] optionalA list of allowed values. - ↳
multipleOfstring optionalThe value must be a multiple of this number. - ↳
maximumstring optionalThe maximum allowed value (inclusive). - ↳
exclusiveMaximumstring optionalThe maximum allowed value (exclusive). - ↳
minimumstring optionalThe minimum allowed value (inclusive). - ↳
exclusiveMinimumstring optionalThe minimum allowed value (exclusive). - ↳
maxLengthstring optionalThe maximum allowed string length. - ↳
minLengthstring optionalThe minimum allowed string length. - ↳
patternstring optionalA regular expression pattern the string must match. - ↳
maxItemsstring optionalThe maximum number of items in an array. - ↳
minItemsstring optionalThe minimum number of items in an array. - ↳
uniqueItemsboolean optionalWhether array items must be unique. - ↳
maxPropertiesstring optionalThe maximum number of properties in an object. - ↳
minPropertiesstring optionalThe minimum number of properties in an object. - ↳
requiredarray[string] optionalThe list of required property names. - ↳
dependentRequiredmap[string]array optionalA map of property names to lists of properties they depend on. - ↳
titlestring optionalA short human-readable label for the schema (JSON Schema annotation). - ↳
descriptionstring optionalA human-readable explanation of the schema’s purpose (JSON Schema annotation). - ↳
defaultobject optionalThe default value for the schema. - ↳
deprecatedboolean optionalWhether the schema is deprecated. - ↳
examplesarray[object] optionalExample values for the schema. - ↳
secretboolean optionalPulumi ESC extension: if true, the value should be treated as sensitive and masked in output. - ↳
rotateOnlyarray[string] optionalPulumi ESC extension: property paths within this schema that support rotation-only updates. - ExecutionContext contains the values + schema for the execution context passed to the root environment.
- Properties contains the detailed values produced by the execution context.
- Schema contains the schema for Properties.
Decrypt Environment
/api/esc/environments/{orgName}/{projectName}/{envName}/versions/{version}/decryptReads the YAML definition for a Pulumi ESC environment with all static secrets decrypted and shown in plaintext. Unlike the standard ReadEnvironment endpoint which returns secrets in their encrypted form, this endpoint resolves fn::secret values to their plaintext representations. The response is returned in application/x-yaml format. This does not resolve dynamic provider values (fn::open); use OpenEnvironment for full resolution. Requires environment open permission.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment nameversionstring path requiredThe revision version number
Responses
Open Environment
/api/esc/environments/{orgName}/{projectName}/{envName}/versions/{version}/openOpens a Pulumi ESC environment, fully resolving all dynamic values, provider integrations (fn::open), interpolation expressions, and secrets. This initiates an access session that evaluates the complete environment definition including all imports. The duration parameter specifies how long the session remains valid using Go duration format (e.g., ‘2h45m’, ‘300ms’). Returns an OpenEnvironmentResponse containing the session ID and any diagnostics. Use the session ID with ReadOpenEnvironment to retrieve the resolved values.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment nameversionstring path requiredThe revision version numberdurationstring query optionalThe session duration, using Go time units: ns, us, ms, s, m, h (e.g. ‘2h’)
Responses
idstring requiredThe unique identifier of the opened environment session.- Any diagnostics generated when opening the environment.
- The source range where the diagnostic occurred.
- ↳
summarystring optionalA summary of the diagnostic message. - ↳
pathstring optionalThe path within the environment definition where the diagnostic occurred. - ↳
severitystring optionalThe severity of the diagnostic: “error” or “warning”.
List Environment Referrers
/api/esc/environments/{orgName}/{projectName}/{envName}/versions/{version}/referrersReturns a paginated list of entities that reference a Pulumi ESC environment, including other environments that import it and Pulumi stacks that use it in their configuration. The count parameter limits results (range 1-500). Set allRevisions to true to include references across all revisions, and latestStackVersionOnly to true to return only the latest stack version for each referring stack. Use continuationToken for pagination.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment nameversionstring path requiredThe revision version numberallRevisionsboolean query optionalWhether to include all revisionscontinuationTokenstring query optionalContinuation token for paginated resultscountinteger query optionalMaximum number of results to returnlatestStackVersionOnlyboolean query optionalWhether to return only the latest stack version
Responses
referrersmap[string]array requiredMap of referrer types to their referrer detailscontinuationTokenstring optionalContinuation token for pagination
Retract Environment Revision
/api/esc/environments/{orgName}/{projectName}/{envName}/versions/{version}/retractRetracts a specific revision of a Pulumi ESC environment, marking it as withdrawn. A retracted revision remains in the history but is no longer considered a valid version for use. The request body may include a reason for the retraction. The revision is identified by the version path parameter. Returns 204 on success with no response body.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment nameversionstring path requiredThe revision version number
Request Body
replacementinteger optionalThe revision number to use as a replacement, if any.reasonstring optionalThe reason for retracting the revision.
Responses
List Revision Tags
/api/esc/environments/{orgName}/{projectName}/{envName}/versions/{version}/tagsReturns a paginated list of revision tags for a Pulumi ESC environment. Revision tags are named references pointing to specific revision numbers (e.g., ’latest’, ‘prod’, ‘stable’). They can be used in environment imports and Pulumi stack configuration to pin to a specific version. Use the after parameter for cursor-based pagination and count to limit results.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment nameversionstring path requiredThe revision version numberafterstring query optionalOnly return results after this valuecountinteger query optionalMaximum number of results to return
Responses
- The list of revision tags
- ↳
namestring requiredThe name of the tag. - ↳
revisioninteger requiredThe revision number this tag points to. - ↳
createdstring requiredThe timestamp when the tag was created. - ↳
modifiedstring requiredThe timestamp when the tag was last modified. - ↳
editorLoginstring optionalThe login name of the user who last edited the tag. - ↳
editorNamestring optionalThe display name of the user who last edited the tag. nextTokenstring requiredToken for fetching the next page of results
List Revision Tags
/api/esc/environments/{orgName}/{projectName}/{envName}/versions/tagsReturns a paginated list of revision tags for a Pulumi ESC environment. Revision tags are named references pointing to specific revision numbers (e.g., ’latest’, ‘prod’, ‘stable’). They can be used in environment imports and Pulumi stack configuration to pin to a specific version. Use the after parameter for cursor-based pagination and count to limit results.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment nameafterstring query optionalOnly return results after this valuecountinteger query optionalMaximum number of results to return
Responses
- The list of revision tags
- ↳
namestring requiredThe name of the tag. - ↳
revisioninteger requiredThe revision number this tag points to. - ↳
createdstring requiredThe timestamp when the tag was created. - ↳
modifiedstring requiredThe timestamp when the tag was last modified. - ↳
editorLoginstring optionalThe login name of the user who last edited the tag. - ↳
editorNamestring optionalThe display name of the user who last edited the tag. nextTokenstring requiredToken for fetching the next page of results
Create Revision Tag
/api/esc/environments/{orgName}/{projectName}/{envName}/versions/tagsCreates a new revision tag for a Pulumi ESC environment. Revision tags are named references that point to specific revision numbers, similar to Git tags. They allow pinning a stable reference to a known-good version of an environment. Tagged versions can be used in imports and Pulumi stack configuration (e.g., myproject/env@prod) to ensure stable references unaffected by subsequent changes. The built-in ’latest’ tag always points to the most recent revision.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment name
Request Body
namestring requiredThe namerevisioninteger optionalThe revision
Responses
Read Revision Tag
/api/esc/environments/{orgName}/{projectName}/{envName}/versions/tags/{tagName}Returns the details of a specific revision tag for a Pulumi ESC environment. The tag is identified by its name in the URL path. The response includes the tag name and the revision number it points to. Returns 404 if the tag does not exist.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment nametagNamestring path requiredThe revision tag name
Responses
namestring requiredThe name of the tag.revisioninteger requiredThe revision number this tag points to.createdstring requiredThe timestamp when the tag was created.modifiedstring requiredThe timestamp when the tag was last modified.editorLoginstring optionalThe login name of the user who last edited the tag.editorNamestring optionalThe display name of the user who last edited the tag.
Update Revision Tag
/api/esc/environments/{orgName}/{projectName}/{envName}/versions/tags/{tagName}Updates an existing revision tag for a Pulumi ESC environment to point to a different revision number. The tag is identified by its name in the URL path. The request body specifies the new revision number. This allows advancing or rolling back a named reference (e.g., moving the ‘prod’ tag to a newer or older revision). Returns 204 on success with no response body.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment nametagNamestring path requiredThe revision tag name
Request Body
revisioninteger optionalThe revision number to associate with the tag.
Responses
Delete Revision Tag
/api/esc/environments/{orgName}/{projectName}/{envName}/versions/tags/{tagName}Deletes a named revision tag from a Pulumi ESC environment. The tag is identified by its name in the URL path. After deletion, any imports or stack configurations referencing this tag will fail to resolve. The built-in ’latest’ tag cannot be deleted. Returns 204 on success with no response body.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment nametagNamestring path requiredThe revision tag name
Responses
List Deleted Environments
/api/esc/environments/{orgName}/restoreReturns a paginated list of soft-deleted Pulumi ESC environments within an organization that are still within the retention window and eligible for restoration. Use the continuationToken query parameter for pagination. Deleted environments can be restored via the RestoreEnvironment endpoint.
Request Parameters
orgNamestring path requiredThe organization namecontinuationTokenstring query optionalContinuation token for paginated results
Responses
- The list of environments
- ↳
idstring requiredThe unique identifier of the environment. - ↳
organizationstring requiredThe login name of the organization that owns this environment. - ↳
projectstring optionalThe project name that contains this environment, if project-scoped. - ↳
namestring requiredThe name of the environment. - ↳
createdstring requiredThe ISO 8601 timestamp when the environment was created. - ↳
modifiedstring requiredThe ISO 8601 timestamp when the environment was last modified. - The user with ownership of this environment
- ↳
tagsmap[string]string requiredUser-defined key-value tags associated with the environment for organization and filtering. - ↳
deletedAtstring optionalThe ISO 8601 timestamp when the environment was soft-deleted, or null if not deleted. - Hypermedia links related to the environment.
- Metadata about what refers to this environment.
- Configuration settings for the environment, such as deletion protection.
nextTokenstring optionalToken for fetching the next page of results
Restore Environment
/api/esc/environments/{orgName}/restoreRestores a previously deleted Pulumi ESC environment within an organization. The request body specifies the environment to restore by its project and name. The environment must have been deleted within the retention window and not yet permanently purged. Returns 204 on success with no response body. Returns 404 if the deleted environment cannot be found.
Request Parameters
orgNamestring path requiredThe organization name
Request Body
deletionTimestampstring requiredThe ISO 8601 timestamp of the environment’s deletion, used to identify which deleted version to restore.projectstring requiredThe project name for the environment.namestring requiredThe name of the environment.
Responses
List All Environment Tags
/api/esc/environments/{orgName}/tagsReturns a map of all unique tag names and their distinct values across all Pulumi ESC environments in the organization. The response is a map where each key is a tag name and the value is a list of all distinct values for that tag across all environments. This is useful for building tag-based filtering or discovery UIs.
Request Parameters
orgNamestring path requiredThe organization name
Responses
Check YAML
/api/esc/environments/{orgName}/yaml/checkChecks a raw YAML environment definition for errors without creating or modifying any environment. The YAML definition is provided in the request body and validated for correctness, including imports, provider configurations, function invocations, and interpolation expressions. When the showSecrets query parameter is set to true, secret values are returned in plaintext in the response. This is useful for validating environment definitions before applying them.
Request Parameters
orgNamestring path requiredThe organization nameshowSecretsboolean query optionalWhether to show secret values in plaintext
Responses
- The list of diagnostics produced during environment evaluation.
- The source range where the diagnostic occurred.
- ↳
summarystring optionalA summary of the diagnostic message. - ↳
pathstring optionalThe path within the environment definition where the diagnostic occurred. - ↳
severitystring optionalThe severity of the diagnostic: “error” or “warning”. - Exprs contains the AST for each expression in the environment definition.
- A summary of the functions used in the environment.
- ↳
funcCountsmap[string]integer requiredA map of function names to the number of times they are used. - ↳
rotationPathsarray[string] requiredThe list of paths that have rotation configured. - Properties contains the detailed values produced by the environment.
- Schema contains the schema for Properties.
- Schema definitions that can be referenced by $ref.
- ↳
_refstring optionalA JSON reference to a schema definition. - A list of schemas, any of which the value must match.
- A list of schemas, exactly one of which the value must match.
- Schemas for the leading items in an array.
- The schema for array items.
- The schema for additional object properties.
- Schemas for named object properties.
- ↳
typestring requiredThe type of the schema (e.g. string, number, object, array, boolean). - ↳
constobject optionalA constant value the instance must equal. - ↳
enumarray[object] optionalA list of allowed values. - ↳
multipleOfstring optionalThe value must be a multiple of this number. - ↳
maximumstring optionalThe maximum allowed value (inclusive). - ↳
exclusiveMaximumstring optionalThe maximum allowed value (exclusive). - ↳
minimumstring optionalThe minimum allowed value (inclusive). - ↳
exclusiveMinimumstring optionalThe minimum allowed value (exclusive). - ↳
maxLengthstring optionalThe maximum allowed string length. - ↳
minLengthstring optionalThe minimum allowed string length. - ↳
patternstring optionalA regular expression pattern the string must match. - ↳
maxItemsstring optionalThe maximum number of items in an array. - ↳
minItemsstring optionalThe minimum number of items in an array. - ↳
uniqueItemsboolean optionalWhether array items must be unique. - ↳
maxPropertiesstring optionalThe maximum number of properties in an object. - ↳
minPropertiesstring optionalThe minimum number of properties in an object. - ↳
requiredarray[string] optionalThe list of required property names. - ↳
dependentRequiredmap[string]array optionalA map of property names to lists of properties they depend on. - ↳
titlestring optionalA short human-readable label for the schema (JSON Schema annotation). - ↳
descriptionstring optionalA human-readable explanation of the schema’s purpose (JSON Schema annotation). - ↳
defaultobject optionalThe default value for the schema. - ↳
deprecatedboolean optionalWhether the schema is deprecated. - ↳
examplesarray[object] optionalExample values for the schema. - ↳
secretboolean optionalPulumi ESC extension: if true, the value should be treated as sensitive and masked in output. - ↳
rotateOnlyarray[string] optionalPulumi ESC extension: property paths within this schema that support rotation-only updates. - ExecutionContext contains the values + schema for the execution context passed to the root environment.
- Properties contains the detailed values produced by the execution context.
- Schema contains the schema for Properties.
Open YAML
/api/esc/environments/{orgName}/yaml/openOpens an anonymous Pulumi ESC environment from a raw YAML definition provided in the request body, fully resolving all dynamic values, provider integrations, and secrets. Unlike OpenEnvironment, this does not require a pre-existing environment to be stored. The duration parameter specifies how long the session remains valid using Go duration format. Returns an OpenEnvironmentResponse containing the session ID. Use the session ID with ReadAnonymousOpenEnvironment to retrieve the resolved values.
Request Parameters
orgNamestring path requiredThe organization namedurationstring query optionalThe session duration, using Go time units: ns, us, ms, s, m, h (e.g. ‘2h’)
Responses
idstring requiredThe unique identifier of the opened environment session.- Any diagnostics generated when opening the environment.
- The source range where the diagnostic occurred.
- ↳
summarystring optionalA summary of the diagnostic message. - ↳
pathstring optionalThe path within the environment definition where the diagnostic occurred. - ↳
severitystring optionalThe severity of the diagnostic: “error” or “warning”.
Read Anonymous Open Environment
/api/esc/environments/{orgName}/yaml/open/{openSessionID}Reads the fully resolved values from an anonymous open environment session that was created via the OpenYAML endpoint. The openSessionID path parameter must match a valid, non-expired session. The optional property query parameter accepts a dot-separated path to retrieve a specific nested value instead of the entire resolved environment (e.g., ‘aws.credentials.accessKeyId’). The response contains the resolved configuration values with secrets decrypted.
Request Parameters
orgNamestring path requiredThe organization nameopenSessionIDstring path requiredThe session ID returned from the open environment operationpropertystring query optionalA dot-separated path to a specific property to retrieve from the environment
Responses
List Providers
/api/esc/providersReturns a list of all available Pulumi ESC providers. Providers are integrations that dynamically retrieve configuration and secrets from external sources (e.g., AWS, Azure, Google Cloud, HashiCorp Vault, 1Password) via the fn::open function in environment definitions. Optionally filter by organization using the orgName query parameter to see only providers available to that organization.
Request Parameters
orgNamestring query optionalFilter providers available to this organization
Responses
Get Provider Schema
/api/esc/providers/{providerName}/schemaReturns the JSON schema for a Pulumi ESC provider. Providers are integrations that dynamically retrieve configuration and secrets from external sources such as AWS, Azure, Google Cloud, HashiCorp Vault, and others via fn::open. The schema describes the provider’s input parameters, output structure, and configuration options. The provider is identified by name in the URL path.
Request Parameters
providerNamestring path requiredThe provider name
Responses
namestring requiredThe name of the provider.descriptionstring requiredA description of the provider.- The input schema for the provider.
- Schema definitions that can be referenced by $ref.
- ↳
_refstring optionalA JSON reference to a schema definition. - A list of schemas, any of which the value must match.
- A list of schemas, exactly one of which the value must match.
- Schemas for the leading items in an array.
- The schema for array items.
- The schema for additional object properties.
- Schemas for named object properties.
- ↳
typestring requiredThe type of the schema (e.g. string, number, object, array, boolean). - ↳
constobject optionalA constant value the instance must equal. - ↳
enumarray[object] optionalA list of allowed values. - ↳
multipleOfstring optionalThe value must be a multiple of this number. - ↳
maximumstring optionalThe maximum allowed value (inclusive). - ↳
exclusiveMaximumstring optionalThe maximum allowed value (exclusive). - ↳
minimumstring optionalThe minimum allowed value (inclusive). - ↳
exclusiveMinimumstring optionalThe minimum allowed value (exclusive). - ↳
maxLengthstring optionalThe maximum allowed string length. - ↳
minLengthstring optionalThe minimum allowed string length. - ↳
patternstring optionalA regular expression pattern the string must match. - ↳
maxItemsstring optionalThe maximum number of items in an array. - ↳
minItemsstring optionalThe minimum number of items in an array. - ↳
uniqueItemsboolean optionalWhether array items must be unique. - ↳
maxPropertiesstring optionalThe maximum number of properties in an object. - ↳
minPropertiesstring optionalThe minimum number of properties in an object. - ↳
requiredarray[string] optionalThe list of required property names. - ↳
dependentRequiredmap[string]array optionalA map of property names to lists of properties they depend on. - ↳
titlestring optionalA short human-readable label for the schema (JSON Schema annotation). - ↳
descriptionstring optionalA human-readable explanation of the schema’s purpose (JSON Schema annotation). - ↳
defaultobject optionalThe default value for the schema. - ↳
deprecatedboolean optionalWhether the schema is deprecated. - ↳
examplesarray[object] optionalExample values for the schema. - ↳
secretboolean optionalPulumi ESC extension: if true, the value should be treated as sensitive and masked in output. - ↳
rotateOnlyarray[string] optionalPulumi ESC extension: property paths within this schema that support rotation-only updates. - The output schema for the provider.
- Schema definitions that can be referenced by $ref.
- ↳
_refstring optionalA JSON reference to a schema definition. - A list of schemas, any of which the value must match.
- A list of schemas, exactly one of which the value must match.
- Schemas for the leading items in an array.
- The schema for array items.
- The schema for additional object properties.
- Schemas for named object properties.
- ↳
typestring requiredThe type of the schema (e.g. string, number, object, array, boolean). - ↳
constobject optionalA constant value the instance must equal. - ↳
enumarray[object] optionalA list of allowed values. - ↳
multipleOfstring optionalThe value must be a multiple of this number. - ↳
maximumstring optionalThe maximum allowed value (inclusive). - ↳
exclusiveMaximumstring optionalThe maximum allowed value (exclusive). - ↳
minimumstring optionalThe minimum allowed value (inclusive). - ↳
exclusiveMinimumstring optionalThe minimum allowed value (exclusive). - ↳
maxLengthstring optionalThe maximum allowed string length. - ↳
minLengthstring optionalThe minimum allowed string length. - ↳
patternstring optionalA regular expression pattern the string must match. - ↳
maxItemsstring optionalThe maximum number of items in an array. - ↳
minItemsstring optionalThe minimum number of items in an array. - ↳
uniqueItemsboolean optionalWhether array items must be unique. - ↳
maxPropertiesstring optionalThe maximum number of properties in an object. - ↳
minPropertiesstring optionalThe minimum number of properties in an object. - ↳
requiredarray[string] optionalThe list of required property names. - ↳
dependentRequiredmap[string]array optionalA map of property names to lists of properties they depend on. - ↳
titlestring optionalA short human-readable label for the schema (JSON Schema annotation). - ↳
descriptionstring optionalA human-readable explanation of the schema’s purpose (JSON Schema annotation). - ↳
defaultobject optionalThe default value for the schema. - ↳
deprecatedboolean optionalWhether the schema is deprecated. - ↳
examplesarray[object] optionalExample values for the schema. - ↳
secretboolean optionalPulumi ESC extension: if true, the value should be treated as sensitive and masked in output. - ↳
rotateOnlyarray[string] optionalPulumi ESC extension: property paths within this schema that support rotation-only updates.
List Rotators
/api/esc/rotatorsReturns a list of all available Pulumi ESC secret rotators. Rotators are integrations that automatically rotate secrets in external systems via the fn::rotate function in environment definitions. Optionally filter by organization using the orgName query parameter to see only rotators available to that organization.
Request Parameters
orgNamestring query optionalFilter rotators available to this organization
Responses
Get Rotator Schema
/api/esc/rotators/{rotatorName}/schemaReturns the JSON schema for a Pulumi ESC secret rotator. Rotators are integrations that automatically rotate secrets in external systems via fn::rotate. The schema describes the rotator’s input parameters, output structure, and configuration options. The rotator is identified by name in the URL path.
Request Parameters
rotatorNamestring path requiredThe rotator name
Responses
namestring requiredThe name of the provider.descriptionstring requiredA description of the provider.- The input schema for the provider.
- Schema definitions that can be referenced by $ref.
- ↳
_refstring optionalA JSON reference to a schema definition. - A list of schemas, any of which the value must match.
- A list of schemas, exactly one of which the value must match.
- Schemas for the leading items in an array.
- The schema for array items.
- The schema for additional object properties.
- Schemas for named object properties.
- ↳
typestring requiredThe type of the schema (e.g. string, number, object, array, boolean). - ↳
constobject optionalA constant value the instance must equal. - ↳
enumarray[object] optionalA list of allowed values. - ↳
multipleOfstring optionalThe value must be a multiple of this number. - ↳
maximumstring optionalThe maximum allowed value (inclusive). - ↳
exclusiveMaximumstring optionalThe maximum allowed value (exclusive). - ↳
minimumstring optionalThe minimum allowed value (inclusive). - ↳
exclusiveMinimumstring optionalThe minimum allowed value (exclusive). - ↳
maxLengthstring optionalThe maximum allowed string length. - ↳
minLengthstring optionalThe minimum allowed string length. - ↳
patternstring optionalA regular expression pattern the string must match. - ↳
maxItemsstring optionalThe maximum number of items in an array. - ↳
minItemsstring optionalThe minimum number of items in an array. - ↳
uniqueItemsboolean optionalWhether array items must be unique. - ↳
maxPropertiesstring optionalThe maximum number of properties in an object. - ↳
minPropertiesstring optionalThe minimum number of properties in an object. - ↳
requiredarray[string] optionalThe list of required property names. - ↳
dependentRequiredmap[string]array optionalA map of property names to lists of properties they depend on. - ↳
titlestring optionalA short human-readable label for the schema (JSON Schema annotation). - ↳
descriptionstring optionalA human-readable explanation of the schema’s purpose (JSON Schema annotation). - ↳
defaultobject optionalThe default value for the schema. - ↳
deprecatedboolean optionalWhether the schema is deprecated. - ↳
examplesarray[object] optionalExample values for the schema. - ↳
secretboolean optionalPulumi ESC extension: if true, the value should be treated as sensitive and masked in output. - ↳
rotateOnlyarray[string] optionalPulumi ESC extension: property paths within this schema that support rotation-only updates. - The output schema for the provider.
- Schema definitions that can be referenced by $ref.
- ↳
_refstring optionalA JSON reference to a schema definition. - A list of schemas, any of which the value must match.
- A list of schemas, exactly one of which the value must match.
- Schemas for the leading items in an array.
- The schema for array items.
- The schema for additional object properties.
- Schemas for named object properties.
- ↳
typestring requiredThe type of the schema (e.g. string, number, object, array, boolean). - ↳
constobject optionalA constant value the instance must equal. - ↳
enumarray[object] optionalA list of allowed values. - ↳
multipleOfstring optionalThe value must be a multiple of this number. - ↳
maximumstring optionalThe maximum allowed value (inclusive). - ↳
exclusiveMaximumstring optionalThe maximum allowed value (exclusive). - ↳
minimumstring optionalThe minimum allowed value (inclusive). - ↳
exclusiveMinimumstring optionalThe minimum allowed value (exclusive). - ↳
maxLengthstring optionalThe maximum allowed string length. - ↳
minLengthstring optionalThe minimum allowed string length. - ↳
patternstring optionalA regular expression pattern the string must match. - ↳
maxItemsstring optionalThe maximum number of items in an array. - ↳
minItemsstring optionalThe minimum number of items in an array. - ↳
uniqueItemsboolean optionalWhether array items must be unique. - ↳
maxPropertiesstring optionalThe maximum number of properties in an object. - ↳
minPropertiesstring optionalThe minimum number of properties in an object. - ↳
requiredarray[string] optionalThe list of required property names. - ↳
dependentRequiredmap[string]array optionalA map of property names to lists of properties they depend on. - ↳
titlestring optionalA short human-readable label for the schema (JSON Schema annotation). - ↳
descriptionstring optionalA human-readable explanation of the schema’s purpose (JSON Schema annotation). - ↳
defaultobject optionalThe default value for the schema. - ↳
deprecatedboolean optionalWhether the schema is deprecated. - ↳
examplesarray[object] optionalExample values for the schema. - ↳
secretboolean optionalPulumi ESC extension: if true, the value should be treated as sensitive and masked in output. - ↳
rotateOnlyarray[string] optionalPulumi ESC extension: property paths within this schema that support rotation-only updates.
List Environments
ListEnvironments_esc instead./api/preview/environmentsReturns a paginated list of all Pulumi ESC environments accessible to the authenticated user across all organizations they belong to. Each entry includes the organization, project, environment name, and creation/modification timestamps. Use the organization query parameter to filter results to a specific organization. Use continuationToken for pagination through large result sets.
Request Parameters
continuationTokenstring query optionalContinuation token for paginated resultsincludeReferrerMetadataboolean query optionalWhether to include referrer metadata. Defaults to false.maxResultsinteger query optionalMaximum number of results for paginationorganizationstring query optionalFilter results to this organization name
Responses
- The list of environments
- ↳
idstring requiredThe unique identifier of the environment. - ↳
organizationstring requiredThe login name of the organization that owns this environment. - ↳
projectstring optionalThe project name that contains this environment, if project-scoped. - ↳
namestring requiredThe name of the environment. - ↳
createdstring requiredThe ISO 8601 timestamp when the environment was created. - ↳
modifiedstring requiredThe ISO 8601 timestamp when the environment was last modified. - The user with ownership of this environment
- ↳
tagsmap[string]string requiredUser-defined key-value tags associated with the environment for organization and filtering. - ↳
deletedAtstring optionalThe ISO 8601 timestamp when the environment was soft-deleted, or null if not deleted. - Hypermedia links related to the environment.
- Metadata about what refers to this environment.
- Configuration settings for the environment, such as deletion protection.
nextTokenstring optionalToken for fetching the next page of results
List Org Environments
ListOrgEnvironments_esc instead./api/preview/environments/{orgName}Returns a paginated list of all Pulumi ESC environments within a specific organization. Each entry includes the project, environment name, and creation/modification timestamps. Results are scoped to the organization specified in the URL path. Use continuationToken for pagination through large result sets.
Request Parameters
orgNamestring path requiredThe organization namecontinuationTokenstring query optionalContinuation token for paginated resultsincludeReferrerMetadataboolean query optionalWhether to include referrer metadata. Defaults to false.maxResultsinteger query optionalMaximum number of results for paginationroleIDstring query optionalThe custom role to use for listing environments
Responses
- The list of environments
- ↳
idstring requiredThe unique identifier of the environment. - ↳
organizationstring requiredThe login name of the organization that owns this environment. - ↳
projectstring optionalThe project name that contains this environment, if project-scoped. - ↳
namestring requiredThe name of the environment. - ↳
createdstring requiredThe ISO 8601 timestamp when the environment was created. - ↳
modifiedstring requiredThe ISO 8601 timestamp when the environment was last modified. - The user with ownership of this environment
- ↳
tagsmap[string]string requiredUser-defined key-value tags associated with the environment for organization and filtering. - ↳
deletedAtstring optionalThe ISO 8601 timestamp when the environment was soft-deleted, or null if not deleted. - Hypermedia links related to the environment.
- Metadata about what refers to this environment.
- Configuration settings for the environment, such as deletion protection.
nextTokenstring optionalToken for fetching the next page of results
Read Environment
ReadEnvironment_esc_environments instead./api/preview/environments/{orgName}/{envName}Returns the YAML definition of a Pulumi ESC environment. The response is in application/x-yaml format and includes the environment’s imports, values, provider configurations, and function invocations. Secrets remain in their encrypted form (use DecryptEnvironment to see plaintext secrets, or OpenEnvironment to fully resolve all dynamic values). When a version path parameter is provided, returns the definition for that specific revision.
Request Parameters
orgNamestring path requiredThe organization nameenvNamestring path requiredThe environment name
Responses
Create Environment
CreateEnvironment_esc_environments instead./api/preview/environments/{orgName}/{envName}Creates a new Pulumi ESC (Environments, Secrets, and Configuration) environment within the specified organization. The request body must include the project name and the environment name. Environment names must be unique within a project and may only contain alphanumeric characters, hyphens, underscores, and periods. The newly created environment starts with an empty YAML definition that can be updated via the UpdateEnvironment endpoint.
Request Parameters
orgNamestring path requiredThe organization nameenvNamestring path requiredThe environment name
Request Body
projectstring requiredThe project name for the environment.namestring requiredThe name of the environment.
Responses
Update Environment
UpdateEnvironment_esc_environments instead./api/preview/environments/{orgName}/{envName}Validates and updates the YAML definition of a Pulumi ESC environment. The request body must contain the complete environment definition in application/x-yaml format, including imports, values, provider configurations, and function invocations. Each successful update creates a new immutable revision in the environment’s version history. Supports optimistic concurrency control via ETag/If-Match headers; returns 409 if the environment has been modified since it was last read.
Request Parameters
orgNamestring path requiredThe organization nameenvNamestring path requiredThe environment name
Responses
- The list of diagnostics produced by the environment operation.
- The source range where the diagnostic occurred.
- ↳
summarystring optionalA summary of the diagnostic message. - ↳
pathstring optionalThe path within the environment definition where the diagnostic occurred. - ↳
severitystring optionalThe severity of the diagnostic: “error” or “warning”.
Delete Environment
DeleteEnvironment_esc_environments instead./api/preview/environments/{orgName}/{envName}Permanently deletes a Pulumi ESC environment and all of its revision history, tags, and associated configuration. This operation is blocked if deletion protection is enabled on the environment (see PatchEnvironmentSettings). Enterprise and Business Critical edition organizations may be able to restore deleted environments within a retention window. Returns 409 if the environment is deletion-protected or has been modified since it was last read.
Request Parameters
orgNamestring path requiredThe organization nameenvNamestring path requiredThe environment name
Responses
Head Environment
HeadEnvironment_esc_environments instead./api/preview/environments/{orgName}/{envName}Returns the ETag header for a Pulumi ESC environment without returning the full definition body. This is used for lightweight existence checks and for obtaining the current ETag value for optimistic concurrency control. The ETag should be included in subsequent update requests via the If-Match header to prevent concurrent modification conflicts. Returns 404 if the environment does not exist.
Request Parameters
orgNamestring path requiredThe organization nameenvNamestring path requiredThe environment name
Responses
Check Environment
CheckEnvironment_esc_environments instead./api/preview/environments/{orgName}/{envName}/checkChecks a Pulumi ESC environment definition for errors without applying changes. This validates the YAML definition including imports, provider configurations, function invocations (fn::open, fn::secret, etc.), and interpolation expressions. When the showSecrets query parameter is set to true, secret values are returned in plaintext in the response. The response includes any diagnostics or validation errors found in the environment definition. Supports optimistic concurrency control via ETag headers.
Request Parameters
orgNamestring path requiredThe organization nameenvNamestring path requiredThe environment nameshowSecretsboolean query optionalWhether to show secret values in plaintext
Responses
- List of diagnostics
- The source range where the diagnostic occurred.
- ↳
summarystring optionalA summary of the diagnostic message. - ↳
pathstring optionalThe path within the environment definition where the diagnostic occurred. - ↳
severitystring optionalThe severity of the diagnostic: “error” or “warning”. - Exprs contains the AST for each expression in the environment definition.
- The environment function summary
- ↳
funcCountsmap[string]integer requiredA map of function names to the number of times they are used. - ↳
rotationPathsarray[string] requiredThe list of paths that have rotation configured. - Properties contains the detailed values produced by the environment.
- Schema contains the schema for Properties.
- Schema definitions that can be referenced by $ref.
- ↳
_refstring optionalA JSON reference to a schema definition. - A list of schemas, any of which the value must match.
- A list of schemas, exactly one of which the value must match.
- Schemas for the leading items in an array.
- The schema for array items.
- The schema for additional object properties.
- Schemas for named object properties.
- ↳
typestring requiredThe type of the schema (e.g. string, number, object, array, boolean). - ↳
constobject optionalA constant value the instance must equal. - ↳
enumarray[object] optionalA list of allowed values. - ↳
multipleOfstring optionalThe value must be a multiple of this number. - ↳
maximumstring optionalThe maximum allowed value (inclusive). - ↳
exclusiveMaximumstring optionalThe maximum allowed value (exclusive). - ↳
minimumstring optionalThe minimum allowed value (inclusive). - ↳
exclusiveMinimumstring optionalThe minimum allowed value (exclusive). - ↳
maxLengthstring optionalThe maximum allowed string length. - ↳
minLengthstring optionalThe minimum allowed string length. - ↳
patternstring optionalA regular expression pattern the string must match. - ↳
maxItemsstring optionalThe maximum number of items in an array. - ↳
minItemsstring optionalThe minimum number of items in an array. - ↳
uniqueItemsboolean optionalWhether array items must be unique. - ↳
maxPropertiesstring optionalThe maximum number of properties in an object. - ↳
minPropertiesstring optionalThe minimum number of properties in an object. - ↳
requiredarray[string] optionalThe list of required property names. - ↳
dependentRequiredmap[string]array optionalA map of property names to lists of properties they depend on. - ↳
titlestring optionalA short human-readable label for the schema (JSON Schema annotation). - ↳
descriptionstring optionalA human-readable explanation of the schema’s purpose (JSON Schema annotation). - ↳
defaultobject optionalThe default value for the schema. - ↳
deprecatedboolean optionalWhether the schema is deprecated. - ↳
examplesarray[object] optionalExample values for the schema. - ↳
secretboolean optionalPulumi ESC extension: if true, the value should be treated as sensitive and masked in output. - ↳
rotateOnlyarray[string] optionalPulumi ESC extension: property paths within this schema that support rotation-only updates. - ExecutionContext contains the values + schema for the execution context passed to the root environment.
- Properties contains the detailed values produced by the execution context.
- Schema contains the schema for Properties.
Decrypt Environment
DecryptEnvironment_esc_environments instead./api/preview/environments/{orgName}/{envName}/decryptReads the YAML definition for a Pulumi ESC environment with all static secrets decrypted and shown in plaintext. Unlike the standard ReadEnvironment endpoint which returns secrets in their encrypted form, this endpoint resolves fn::secret values to their plaintext representations. The response is returned in application/x-yaml format. This does not resolve dynamic provider values (fn::open); use OpenEnvironment for full resolution. Requires environment open permission.
Request Parameters
orgNamestring path requiredThe organization nameenvNamestring path requiredThe environment name
Responses
List Webhooks
ListWebhooks_esc_environments instead./api/preview/environments/{orgName}/{envName}/hooksReturns a list of all webhooks configured for a Pulumi ESC environment. Each webhook entry includes its name, destination URL, event filters, format, and active status. Webhooks enable external services to be notified of environment events such as updates and opens.
Request Parameters
orgNamestring path requiredThe organization nameenvNamestring path requiredThe environment name
Responses
Create Webhook
CreateWebhook_esc_environments instead./api/preview/environments/{orgName}/{envName}/hooksCreates a new webhook for a Pulumi ESC environment. Webhooks allow external services to be notified when environment events occur, such as updates or opens. The request body specifies the webhook configuration including the destination URL, event filters, and format. Returns 400 if the organization name in the request body does not match the URL path parameter. Returns 409 if a webhook with the same name already exists.
Request Parameters
orgNamestring path requiredThe organization nameenvNamestring path requiredThe environment name
Request Body
organizationNamestring requiredThe organization that owns this webhook.projectNamestring optionalThe project name. Set when the webhook is scoped to a specific stack.stackNamestring optionalThe stack name. Set when the webhook is scoped to a specific stack.envNamestring optionalThe environment name. Set when the webhook is scoped to a specific environment.namestring requiredThe unique identifier name for the webhook within its scope.displayNamestring requiredThe human-readable display name shown in the UI.payloadUrlstring requiredThe URL to which webhook payloads are delivered.secretstring optionalSecret will be omitted when returned from the service.activeboolean requiredWhether the webhook is active and will receive deliveries.formatstring optionalThe format of the webhook payload (e.g., ‘raw’, ‘slack’, ‘ms_teams’).filtersarray[string] optionalSpecific event types this webhook subscribes to. If empty, all events are delivered.groupsarray[string] optionalEvent groups this webhook subscribes to (e.g., ‘stacks’, ‘deployments’).
Responses
hasSecretboolean requiredHasSecret is true if the webhook has a secret. This is used to determine whether to show that there is a secret in the UI.organizationNamestring requiredThe organization that owns this webhook.projectNamestring optionalThe project name. Set when the webhook is scoped to a specific stack.secretCiphertextstring requiredSecretCiphertext is the ciphertext value of the webhook’s secret. It’s used to check whether the secret was changed by the PSPstackNamestring optionalThe stack name. Set when the webhook is scoped to a specific stack.envNamestring optionalThe environment name. Set when the webhook is scoped to a specific environment.namestring requiredThe unique identifier name for the webhook within its scope.displayNamestring requiredThe human-readable display name shown in the UI.payloadUrlstring requiredThe URL to which webhook payloads are delivered.secretstring optionalSecret will be omitted when returned from the service.activeboolean requiredWhether the webhook is active and will receive deliveries.formatstring optionalThe format of the webhook payload (e.g., ‘raw’, ‘slack’, ‘ms_teams’).filtersarray[string] optionalSpecific event types this webhook subscribes to. If empty, all events are delivered.groupsarray[string] optionalEvent groups this webhook subscribes to (e.g., ‘stacks’, ‘deployments’).
Get Webhook
GetWebhook_esc_environments instead./api/preview/environments/{orgName}/{envName}/hooks/{hookName}Returns the configuration and status of a single webhook for a Pulumi ESC environment. The webhook is identified by its name in the URL path. The response includes the webhook’s destination URL, event filters, format, and active status. Returns 404 if the webhook does not exist.
Request Parameters
orgNamestring path requiredThe organization nameenvNamestring path requiredThe environment namehookNamestring path requiredThe webhook name
Responses
hasSecretboolean requiredHasSecret is true if the webhook has a secret. This is used to determine whether to show that there is a secret in the UI.organizationNamestring requiredThe organization that owns this webhook.projectNamestring optionalThe project name. Set when the webhook is scoped to a specific stack.secretCiphertextstring requiredSecretCiphertext is the ciphertext value of the webhook’s secret. It’s used to check whether the secret was changed by the PSPstackNamestring optionalThe stack name. Set when the webhook is scoped to a specific stack.envNamestring optionalThe environment name. Set when the webhook is scoped to a specific environment.namestring requiredThe unique identifier name for the webhook within its scope.displayNamestring requiredThe human-readable display name shown in the UI.payloadUrlstring requiredThe URL to which webhook payloads are delivered.secretstring optionalSecret will be omitted when returned from the service.activeboolean requiredWhether the webhook is active and will receive deliveries.formatstring optionalThe format of the webhook payload (e.g., ‘raw’, ‘slack’, ‘ms_teams’).filtersarray[string] optionalSpecific event types this webhook subscribes to. If empty, all events are delivered.groupsarray[string] optionalEvent groups this webhook subscribes to (e.g., ‘stacks’, ‘deployments’).
Update Webhook
UpdateWebhook_esc_environments instead./api/preview/environments/{orgName}/{envName}/hooks/{hookName}Updates the configuration of an existing webhook on a Pulumi ESC environment. The webhook is identified by its name in the URL path. The request body contains the updated webhook configuration including destination URL, event filters, format, and active status. Returns the updated WebhookResponse on success. Returns 400 if an invalid format is specified.
Request Parameters
orgNamestring path requiredThe organization nameenvNamestring path requiredThe environment namehookNamestring path requiredThe webhook name
Request Body
organizationNamestring requiredThe organization that owns this webhook.projectNamestring optionalThe project name. Set when the webhook is scoped to a specific stack.stackNamestring optionalThe stack name. Set when the webhook is scoped to a specific stack.envNamestring optionalThe environment name. Set when the webhook is scoped to a specific environment.namestring requiredThe unique identifier name for the webhook within its scope.displayNamestring requiredThe human-readable display name shown in the UI.payloadUrlstring requiredThe URL to which webhook payloads are delivered.secretstring optionalSecret will be omitted when returned from the service.activeboolean requiredWhether the webhook is active and will receive deliveries.formatstring optionalThe format of the webhook payload (e.g., ‘raw’, ‘slack’, ‘ms_teams’).filtersarray[string] optionalSpecific event types this webhook subscribes to. If empty, all events are delivered.groupsarray[string] optionalEvent groups this webhook subscribes to (e.g., ‘stacks’, ‘deployments’).
Responses
hasSecretboolean requiredHasSecret is true if the webhook has a secret. This is used to determine whether to show that there is a secret in the UI.organizationNamestring requiredThe organization that owns this webhook.projectNamestring optionalThe project name. Set when the webhook is scoped to a specific stack.secretCiphertextstring requiredSecretCiphertext is the ciphertext value of the webhook’s secret. It’s used to check whether the secret was changed by the PSPstackNamestring optionalThe stack name. Set when the webhook is scoped to a specific stack.envNamestring optionalThe environment name. Set when the webhook is scoped to a specific environment.namestring requiredThe unique identifier name for the webhook within its scope.displayNamestring requiredThe human-readable display name shown in the UI.payloadUrlstring requiredThe URL to which webhook payloads are delivered.secretstring optionalSecret will be omitted when returned from the service.activeboolean requiredWhether the webhook is active and will receive deliveries.formatstring optionalThe format of the webhook payload (e.g., ‘raw’, ‘slack’, ‘ms_teams’).filtersarray[string] optionalSpecific event types this webhook subscribes to. If empty, all events are delivered.groupsarray[string] optionalEvent groups this webhook subscribes to (e.g., ‘stacks’, ‘deployments’).
Delete Webhook
DeleteWebhook_esc_environments instead./api/preview/environments/{orgName}/{envName}/hooks/{hookName}Deletes a webhook from a Pulumi ESC environment. The webhook is identified by its name in the URL path. After deletion, the external service will no longer receive notifications for environment events. Returns 204 on success with no response body.
Request Parameters
orgNamestring path requiredThe organization nameenvNamestring path requiredThe environment namehookNamestring path requiredThe webhook name
Responses
Get Webhook Deliveries
GetWebhookDeliveries_esc_environments instead./api/preview/environments/{orgName}/{envName}/hooks/{hookName}/deliveriesReturns a list of recent delivery attempts for a specific webhook on a Pulumi ESC environment. Each delivery record includes the HTTP status code, response body, timestamp, and whether the delivery was successful. This is useful for debugging webhook integration issues and verifying that events are being received.
Request Parameters
orgNamestring path requiredThe organization nameenvNamestring path requiredThe environment namehookNamestring path requiredThe webhook name
Responses
Redeliver Webhook Event
RedeliverWebhookEvent_esc_environments instead./api/preview/environments/{orgName}/{envName}/hooks/{hookName}/deliveries/{event}/redeliverTriggers the Pulumi Service to redeliver a specific event to a webhook on a Pulumi ESC environment. This is useful for resending events that the webhook endpoint failed to process on the initial delivery attempt (e.g., due to temporary downtime or errors). The event is identified by its delivery event ID in the URL path. Returns the new WebhookDelivery record for the redelivery.
Request Parameters
orgNamestring path requiredThe organization nameenvNamestring path requiredThe environment namehookNamestring path requiredThe webhook nameeventstring path requiredThe webhook delivery event ID to redeliver
Responses
idstring requiredThe unique identifier of the delivery.kindstring requiredThe kind of webhook event.payloadstring requiredThe JSON payload that was sent.timestampinteger requiredThe time the delivery was sent, as a Unix epoch timestamp.durationinteger requiredThe duration of the delivery request in milliseconds.requestUrlstring requiredThe URL the webhook was delivered to.requestHeadersstring requiredThe HTTP headers sent with the request.responseCodeinteger requiredThe HTTP response status code.responseHeadersstring requiredThe HTTP response headers.responseBodystring requiredThe HTTP response body.
Ping Webhook
PingWebhook_esc_environments instead./api/preview/environments/{orgName}/{envName}/hooks/{hookName}/pingSends a test ping event to a webhook on a Pulumi ESC environment to verify that the webhook endpoint is reachable and functioning correctly. This bypasses the normal message queue and issues the request directly to the webhook URL. Returns the WebhookDelivery record containing the HTTP status code and response from the target endpoint.
Request Parameters
orgNamestring path requiredThe organization nameenvNamestring path requiredThe environment namehookNamestring path requiredThe webhook name
Responses
idstring requiredThe unique identifier of the delivery.kindstring requiredThe kind of webhook event.payloadstring requiredThe JSON payload that was sent.timestampinteger requiredThe time the delivery was sent, as a Unix epoch timestamp.durationinteger requiredThe duration of the delivery request in milliseconds.requestUrlstring requiredThe URL the webhook was delivered to.requestHeadersstring requiredThe HTTP headers sent with the request.responseCodeinteger requiredThe HTTP response status code.responseHeadersstring requiredThe HTTP response headers.responseBodystring requiredThe HTTP response body.
Get Environment Metadata
GetEnvironmentMetadata_esc_environments instead./api/preview/environments/{orgName}/{envName}/metadataReturns metadata for a Pulumi ESC environment, including the calling user’s effective permission level (read, open, write, admin), creation and modification timestamps, the environment’s project, and other administrative information. This is useful for determining what actions the current user can perform on the environment before attempting those operations.
Request Parameters
orgNamestring path requiredThe organization nameenvNamestring path requiredThe environment name
Responses
idstring requiredEnvironment metadata follows other Pulumi Cloud “Metadata” fields and contains read-only information about the environment- The user with ownership of this environment
- ↳
namestring requiredThe user’s display name. - ↳
githubLoginstring requiredThe user’s login name. - ↳
avatarUrlstring requiredThe URL of the user’s avatar image. - ↳
emailstring optionalIMPORTANT: The email address of the user is only included on a few admin-only APIs. For nearly all APIs that return a UserInfo object, this will not be provided. considered sensitive information. - ActiveChangeRequest contains information about any active change request for this environment. Will be nil if there is no active change request.
- ↳
changeRequestIdstring optionalThe change request identifier - ↳
latestRevisionNumberinteger optionalThe latest revision number gatedActionsarray[string] optionalGatedActions indicates which actions on this environment require change request approval.openRequestNeededboolean optionalOpenRequestNeeded indicates whether an open request is currently needed in order to open the environment.
Open Environment
OpenEnvironment_esc_environments instead./api/preview/environments/{orgName}/{envName}/openOpens a Pulumi ESC environment, fully resolving all dynamic values, provider integrations (fn::open), interpolation expressions, and secrets. This initiates an access session that evaluates the complete environment definition including all imports. The duration parameter specifies how long the session remains valid using Go duration format (e.g., ‘2h45m’, ‘300ms’). Returns an OpenEnvironmentResponse containing the session ID and any diagnostics. Use the session ID with ReadOpenEnvironment to retrieve the resolved values.
Request Parameters
orgNamestring path requiredThe organization nameenvNamestring path requiredThe environment namedurationstring query optionalThe session duration, using Go time units: ns, us, ms, s, m, h (e.g. ‘2h’)
Responses
idstring requiredThe unique identifier of the opened environment session.- Any diagnostics generated when opening the environment.
- The source range where the diagnostic occurred.
- ↳
summarystring optionalA summary of the diagnostic message. - ↳
pathstring optionalThe path within the environment definition where the diagnostic occurred. - ↳
severitystring optionalThe severity of the diagnostic: “error” or “warning”.
Read Open Environment
ReadOpenEnvironment_esc_environments instead./api/preview/environments/{orgName}/{envName}/open/{openSessionID}Reads the fully resolved values from an open environment session that was created via the OpenEnvironment endpoint. The openSessionID path parameter must match a valid, non-expired session. The optional property query parameter accepts a dot-separated path to retrieve a specific nested value instead of the entire resolved environment (e.g., ‘aws.credentials.accessKeyId’). The response contains all resolved configuration values with secrets decrypted and provider-sourced values fully evaluated.
Request Parameters
orgNamestring path requiredThe organization nameenvNamestring path requiredThe environment nameopenSessionIDstring path requiredThe session ID returned from the open environment operationpropertystring query optionalA dot-separated path to a specific property to retrieve from the environment
Responses
List Environment Tags
ListEnvironmentTags_esc_environments instead./api/preview/environments/{orgName}/{envName}/tagsReturns a paginated list of user-defined tags for a Pulumi ESC environment. Tags are key-value pairs used for organizing and categorizing environments. Use the after parameter for cursor-based pagination and count to limit the number of results returned.
Request Parameters
orgNamestring path requiredThe organization nameenvNamestring path requiredThe environment nameafterinteger query optionalOnly return results after this valuecountinteger query optionalMaximum number of results to return
Responses
- Map of tag names to their tag details
nextTokenstring requiredToken for fetching the next page of results
Create Environment Tag
CreateEnvironmentTag_esc_environments instead./api/preview/environments/{orgName}/{envName}/tagsAdds a new user-defined tag to a Pulumi ESC environment. Tags are key-value pairs that provide contextual metadata for organizing and searching environments (e.g., region=us-east-1, team=platform). The tag name and value are provided in the request body. Returns the created EnvironmentTag on success. Returns 409 if a tag with the same name already exists on the environment.
Request Parameters
orgNamestring path requiredThe organization nameenvNamestring path requiredThe environment name
Request Body
namestring requiredThe namevaluestring requiredThe value
Responses
namestring requiredThe name of the tag.valuestring requiredThe value of the tag.createdstring requiredThe timestamp when the tag was created.modifiedstring requiredThe timestamp when the tag was last modified.editorLoginstring requiredThe login name of the user who last edited the tag.editorNamestring requiredThe display name of the user who last edited the tag.
Get Environment Tag
GetEnvironmentTag_esc_environments instead./api/preview/environments/{orgName}/{envName}/tags/{tagName}Returns a single user-defined tag for a Pulumi ESC environment, identified by the tag name in the URL path. The response includes the tag name, value, and metadata. Returns 404 if the tag does not exist on the environment.
Request Parameters
orgNamestring path requiredThe organization nameenvNamestring path requiredThe environment nametagNamestring path requiredThe environment tag name
Responses
namestring requiredThe name of the tag.valuestring requiredThe value of the tag.createdstring requiredThe timestamp when the tag was created.modifiedstring requiredThe timestamp when the tag was last modified.editorLoginstring requiredThe login name of the user who last edited the tag.editorNamestring requiredThe display name of the user who last edited the tag.
Update Environment Tag
UpdateEnvironmentTag_esc_environments instead./api/preview/environments/{orgName}/{envName}/tags/{tagName}Modifies the value of an existing user-defined tag on a Pulumi ESC environment. The tag is identified by its name in the URL path. The request body contains the new value for the tag. Returns the updated EnvironmentTag on success. Returns 404 if the tag does not exist on the environment.
Request Parameters
orgNamestring path requiredThe organization nameenvNamestring path requiredThe environment nametagNamestring path requiredThe environment tag name
Request Body
- The current tag value to match for optimistic concurrency control.
- ↳
valuestring requiredThe current tag value. - The new tag name and value to set.
- ↳
namestring optionalThe new tag name. - ↳
valuestring optionalThe new tag value.
Responses
namestring requiredThe name of the tag.valuestring requiredThe value of the tag.createdstring requiredThe timestamp when the tag was created.modifiedstring requiredThe timestamp when the tag was last modified.editorLoginstring requiredThe login name of the user who last edited the tag.editorNamestring requiredThe display name of the user who last edited the tag.
Delete Environment Tag
DeleteEnvironmentTag_esc_environments instead./api/preview/environments/{orgName}/{envName}/tags/{tagName}Removes a user-defined tag from a Pulumi ESC environment. The tag is identified by its name in the URL path. Returns 204 on success with no response body. Returns 404 if the tag does not exist on the environment.
Request Parameters
orgNamestring path requiredThe organization nameenvNamestring path requiredThe environment nametagNamestring path requiredThe environment tag name
Responses
List Environment Revisions
ListEnvironmentRevisions_esc_environments instead./api/preview/environments/{orgName}/{envName}/versionsReturns a paginated list of revisions for a Pulumi ESC environment. Each revision represents an immutable snapshot of the environment definition created when the environment is updated. The response includes revision numbers, timestamps, and the identity of the user who made each change. Use the before parameter to fetch revisions before a specific revision number, and count to limit the number of results returned.
Request Parameters
orgNamestring path requiredThe organization nameenvNamestring path requiredThe environment namebeforeinteger query optionalOnly return results before this revisioncountinteger query optionalMaximum number of results to return
Responses
Read Environment
ReadEnvironment_esc_environments_versions instead./api/preview/environments/{orgName}/{envName}/versions/{version}Returns the YAML definition of a Pulumi ESC environment. The response is in application/x-yaml format and includes the environment’s imports, values, provider configurations, and function invocations. Secrets remain in their encrypted form (use DecryptEnvironment to see plaintext secrets, or OpenEnvironment to fully resolve all dynamic values). When a version path parameter is provided, returns the definition for that specific revision.
Request Parameters
orgNamestring path requiredThe organization nameenvNamestring path requiredThe environment nameversionstring path requiredThe revision version number
Responses
Check Environment
CheckEnvironment_esc_environments_versions instead./api/preview/environments/{orgName}/{envName}/versions/{version}/checkChecks a Pulumi ESC environment definition for errors without applying changes. This validates the YAML definition including imports, provider configurations, function invocations (fn::open, fn::secret, etc.), and interpolation expressions. When the showSecrets query parameter is set to true, secret values are returned in plaintext in the response. The response includes any diagnostics or validation errors found in the environment definition. Supports optimistic concurrency control via ETag headers.
Request Parameters
orgNamestring path requiredThe organization nameenvNamestring path requiredThe environment nameversionstring path requiredThe revision version numbershowSecretsboolean query optionalWhether to show secret values in plaintext
Responses
- List of diagnostics
- The source range where the diagnostic occurred.
- ↳
summarystring optionalA summary of the diagnostic message. - ↳
pathstring optionalThe path within the environment definition where the diagnostic occurred. - ↳
severitystring optionalThe severity of the diagnostic: “error” or “warning”. - Exprs contains the AST for each expression in the environment definition.
- The environment function summary
- ↳
funcCountsmap[string]integer requiredA map of function names to the number of times they are used. - ↳
rotationPathsarray[string] requiredThe list of paths that have rotation configured. - Properties contains the detailed values produced by the environment.
- Schema contains the schema for Properties.
- Schema definitions that can be referenced by $ref.
- ↳
_refstring optionalA JSON reference to a schema definition. - A list of schemas, any of which the value must match.
- A list of schemas, exactly one of which the value must match.
- Schemas for the leading items in an array.
- The schema for array items.
- The schema for additional object properties.
- Schemas for named object properties.
- ↳
typestring requiredThe type of the schema (e.g. string, number, object, array, boolean). - ↳
constobject optionalA constant value the instance must equal. - ↳
enumarray[object] optionalA list of allowed values. - ↳
multipleOfstring optionalThe value must be a multiple of this number. - ↳
maximumstring optionalThe maximum allowed value (inclusive). - ↳
exclusiveMaximumstring optionalThe maximum allowed value (exclusive). - ↳
minimumstring optionalThe minimum allowed value (inclusive). - ↳
exclusiveMinimumstring optionalThe minimum allowed value (exclusive). - ↳
maxLengthstring optionalThe maximum allowed string length. - ↳
minLengthstring optionalThe minimum allowed string length. - ↳
patternstring optionalA regular expression pattern the string must match. - ↳
maxItemsstring optionalThe maximum number of items in an array. - ↳
minItemsstring optionalThe minimum number of items in an array. - ↳
uniqueItemsboolean optionalWhether array items must be unique. - ↳
maxPropertiesstring optionalThe maximum number of properties in an object. - ↳
minPropertiesstring optionalThe minimum number of properties in an object. - ↳
requiredarray[string] optionalThe list of required property names. - ↳
dependentRequiredmap[string]array optionalA map of property names to lists of properties they depend on. - ↳
titlestring optionalA short human-readable label for the schema (JSON Schema annotation). - ↳
descriptionstring optionalA human-readable explanation of the schema’s purpose (JSON Schema annotation). - ↳
defaultobject optionalThe default value for the schema. - ↳
deprecatedboolean optionalWhether the schema is deprecated. - ↳
examplesarray[object] optionalExample values for the schema. - ↳
secretboolean optionalPulumi ESC extension: if true, the value should be treated as sensitive and masked in output. - ↳
rotateOnlyarray[string] optionalPulumi ESC extension: property paths within this schema that support rotation-only updates. - ExecutionContext contains the values + schema for the execution context passed to the root environment.
- Properties contains the detailed values produced by the execution context.
- Schema contains the schema for Properties.
Decrypt Environment
DecryptEnvironment_esc_environments_versions instead./api/preview/environments/{orgName}/{envName}/versions/{version}/decryptReads the YAML definition for a Pulumi ESC environment with all static secrets decrypted and shown in plaintext. Unlike the standard ReadEnvironment endpoint which returns secrets in their encrypted form, this endpoint resolves fn::secret values to their plaintext representations. The response is returned in application/x-yaml format. This does not resolve dynamic provider values (fn::open); use OpenEnvironment for full resolution. Requires environment open permission.
Request Parameters
orgNamestring path requiredThe organization nameenvNamestring path requiredThe environment nameversionstring path requiredThe revision version number
Responses
Open Environment
OpenEnvironment_esc_environments_versions instead./api/preview/environments/{orgName}/{envName}/versions/{version}/openOpens a Pulumi ESC environment, fully resolving all dynamic values, provider integrations (fn::open), interpolation expressions, and secrets. This initiates an access session that evaluates the complete environment definition including all imports. The duration parameter specifies how long the session remains valid using Go duration format (e.g., ‘2h45m’, ‘300ms’). Returns an OpenEnvironmentResponse containing the session ID and any diagnostics. Use the session ID with ReadOpenEnvironment to retrieve the resolved values.
Request Parameters
orgNamestring path requiredThe organization nameenvNamestring path requiredThe environment nameversionstring path requiredThe revision version numberdurationstring query optionalThe session duration, using Go time units: ns, us, ms, s, m, h (e.g. ‘2h’)
Responses
idstring requiredThe unique identifier of the opened environment session.- Any diagnostics generated when opening the environment.
- The source range where the diagnostic occurred.
- ↳
summarystring optionalA summary of the diagnostic message. - ↳
pathstring optionalThe path within the environment definition where the diagnostic occurred. - ↳
severitystring optionalThe severity of the diagnostic: “error” or “warning”.
List Environment Referrers
ListEnvironmentReferrers_esc_environments_versions instead./api/preview/environments/{orgName}/{envName}/versions/{version}/referrersReturns a paginated list of entities that reference a Pulumi ESC environment, including other environments that import it and Pulumi stacks that use it in their configuration. The count parameter limits results (range 1-500). Set allRevisions to true to include references across all revisions, and latestStackVersionOnly to true to return only the latest stack version for each referring stack. Use continuationToken for pagination.
Request Parameters
orgNamestring path requiredThe organization nameenvNamestring path requiredThe environment nameversionstring path requiredThe revision version numberallRevisionsboolean query optionalWhether to include all revisionscontinuationTokenstring query optionalContinuation token for paginated resultscountinteger query optionalMaximum number of results to returnlatestStackVersionOnlyboolean query optionalWhether to return only the latest stack version
Responses
referrersmap[string]array requiredMap of referrer types to their referrer detailscontinuationTokenstring optionalContinuation token for pagination
Retract Environment Revision
RetractEnvironmentRevision_esc_environments instead./api/preview/environments/{orgName}/{envName}/versions/{version}/retractRetracts a specific revision of a Pulumi ESC environment, marking it as withdrawn. A retracted revision remains in the history but is no longer considered a valid version for use. The request body may include a reason for the retraction. The revision is identified by the version path parameter. Returns 204 on success with no response body.
Request Parameters
orgNamestring path requiredThe organization nameenvNamestring path requiredThe environment nameversionstring path requiredThe revision version number
Request Body
replacementinteger optionalThe revision number to use as a replacement, if any.reasonstring optionalThe reason for retracting the revision.
Responses
List Revision Tags
ListRevisionTags_esc_environments_versions2 instead./api/preview/environments/{orgName}/{envName}/versions/{version}/tagsReturns a paginated list of revision tags for a Pulumi ESC environment. Revision tags are named references pointing to specific revision numbers (e.g., ’latest’, ‘prod’, ‘stable’). They can be used in environment imports and Pulumi stack configuration to pin to a specific version. Use the after parameter for cursor-based pagination and count to limit results.
Request Parameters
orgNamestring path requiredThe organization nameenvNamestring path requiredThe environment nameversionstring path requiredThe revision version numberafterstring query optionalOnly return results after this valuecountinteger query optionalMaximum number of results to return
Responses
- The list of revision tags
- ↳
namestring requiredThe name of the tag. - ↳
revisioninteger requiredThe revision number this tag points to. - ↳
createdstring requiredThe timestamp when the tag was created. - ↳
modifiedstring requiredThe timestamp when the tag was last modified. - ↳
editorLoginstring optionalThe login name of the user who last edited the tag. - ↳
editorNamestring optionalThe display name of the user who last edited the tag. nextTokenstring requiredToken for fetching the next page of results
List Revision Tags
ListRevisionTags_esc_environments_versions instead./api/preview/environments/{orgName}/{envName}/versions/tagsReturns a paginated list of revision tags for a Pulumi ESC environment. Revision tags are named references pointing to specific revision numbers (e.g., ’latest’, ‘prod’, ‘stable’). They can be used in environment imports and Pulumi stack configuration to pin to a specific version. Use the after parameter for cursor-based pagination and count to limit results.
Request Parameters
orgNamestring path requiredThe organization nameenvNamestring path requiredThe environment nameafterstring query optionalOnly return results after this valuecountinteger query optionalMaximum number of results to return
Responses
- The list of revision tags
- ↳
namestring requiredThe name of the tag. - ↳
revisioninteger requiredThe revision number this tag points to. - ↳
createdstring requiredThe timestamp when the tag was created. - ↳
modifiedstring requiredThe timestamp when the tag was last modified. - ↳
editorLoginstring optionalThe login name of the user who last edited the tag. - ↳
editorNamestring optionalThe display name of the user who last edited the tag. nextTokenstring requiredToken for fetching the next page of results
Read Revision Tag
ReadRevisionTag_esc_environments instead./api/preview/environments/{orgName}/{envName}/versions/tags/{tagName}Returns the details of a specific revision tag for a Pulumi ESC environment. The tag is identified by its name in the URL path. The response includes the tag name and the revision number it points to. Returns 404 if the tag does not exist.
Request Parameters
orgNamestring path requiredThe organization nameenvNamestring path requiredThe environment nametagNamestring path requiredThe revision tag name
Responses
namestring requiredThe name of the tag.revisioninteger requiredThe revision number this tag points to.createdstring requiredThe timestamp when the tag was created.modifiedstring requiredThe timestamp when the tag was last modified.editorLoginstring optionalThe login name of the user who last edited the tag.editorNamestring optionalThe display name of the user who last edited the tag.
Create Revision Tag
CreateRevisionTag_esc_environments_versions_tags instead./api/preview/environments/{orgName}/{envName}/versions/tags/{tagName}Creates a new revision tag for a Pulumi ESC environment. Revision tags are named references that point to specific revision numbers, similar to Git tags. They allow pinning a stable reference to a known-good version of an environment. Tagged versions can be used in imports and Pulumi stack configuration (e.g., myproject/env@prod) to ensure stable references unaffected by subsequent changes. The built-in ’latest’ tag always points to the most recent revision.
Request Parameters
orgNamestring path requiredThe organization nameenvNamestring path requiredThe environment nametagNamestring path requiredThe revision tag name
Request Body
namestring requiredThe namerevisioninteger optionalThe revision
Responses
Update Revision Tag
UpdateRevisionTag_esc_environments instead./api/preview/environments/{orgName}/{envName}/versions/tags/{tagName}Updates an existing revision tag for a Pulumi ESC environment to point to a different revision number. The tag is identified by its name in the URL path. The request body specifies the new revision number. This allows advancing or rolling back a named reference (e.g., moving the ‘prod’ tag to a newer or older revision). Returns 204 on success with no response body.
Request Parameters
orgNamestring path requiredThe organization nameenvNamestring path requiredThe environment nametagNamestring path requiredThe revision tag name
Request Body
revisioninteger optionalThe revision number to associate with the tag.
Responses
Delete Revision Tag
DeleteRevisionTag_esc_environments instead./api/preview/environments/{orgName}/{envName}/versions/tags/{tagName}Deletes a named revision tag from a Pulumi ESC environment. The tag is identified by its name in the URL path. After deletion, any imports or stack configurations referencing this tag will fail to resolve. The built-in ’latest’ tag cannot be deleted. Returns 204 on success with no response body.
Request Parameters
orgNamestring path requiredThe organization nameenvNamestring path requiredThe environment nametagNamestring path requiredThe revision tag name
Responses
List All Environment Tags
ListAllEnvironmentTags_esc instead./api/preview/environments/{orgName}/tagsReturns a map of all unique tag names and their distinct values across all Pulumi ESC environments in the organization. The response is a map where each key is a tag name and the value is a list of all distinct values for that tag across all environments. This is useful for building tag-based filtering or discovery UIs.
Request Parameters
orgNamestring path requiredThe organization name
Responses
Check YAML
CheckYAML_esc instead./api/preview/environments/{orgName}/yaml/checkChecks a raw YAML environment definition for errors without creating or modifying any environment. The YAML definition is provided in the request body and validated for correctness, including imports, provider configurations, function invocations, and interpolation expressions. When the showSecrets query parameter is set to true, secret values are returned in plaintext in the response. This is useful for validating environment definitions before applying them.
Request Parameters
orgNamestring path requiredThe organization nameshowSecretsboolean query optionalWhether to show secret values in plaintext
Responses
- The list of diagnostics produced during environment evaluation.
- The source range where the diagnostic occurred.
- ↳
summarystring optionalA summary of the diagnostic message. - ↳
pathstring optionalThe path within the environment definition where the diagnostic occurred. - ↳
severitystring optionalThe severity of the diagnostic: “error” or “warning”. - Exprs contains the AST for each expression in the environment definition.
- A summary of the functions used in the environment.
- ↳
funcCountsmap[string]integer requiredA map of function names to the number of times they are used. - ↳
rotationPathsarray[string] requiredThe list of paths that have rotation configured. - Properties contains the detailed values produced by the environment.
- Schema contains the schema for Properties.
- Schema definitions that can be referenced by $ref.
- ↳
_refstring optionalA JSON reference to a schema definition. - A list of schemas, any of which the value must match.
- A list of schemas, exactly one of which the value must match.
- Schemas for the leading items in an array.
- The schema for array items.
- The schema for additional object properties.
- Schemas for named object properties.
- ↳
typestring requiredThe type of the schema (e.g. string, number, object, array, boolean). - ↳
constobject optionalA constant value the instance must equal. - ↳
enumarray[object] optionalA list of allowed values. - ↳
multipleOfstring optionalThe value must be a multiple of this number. - ↳
maximumstring optionalThe maximum allowed value (inclusive). - ↳
exclusiveMaximumstring optionalThe maximum allowed value (exclusive). - ↳
minimumstring optionalThe minimum allowed value (inclusive). - ↳
exclusiveMinimumstring optionalThe minimum allowed value (exclusive). - ↳
maxLengthstring optionalThe maximum allowed string length. - ↳
minLengthstring optionalThe minimum allowed string length. - ↳
patternstring optionalA regular expression pattern the string must match. - ↳
maxItemsstring optionalThe maximum number of items in an array. - ↳
minItemsstring optionalThe minimum number of items in an array. - ↳
uniqueItemsboolean optionalWhether array items must be unique. - ↳
maxPropertiesstring optionalThe maximum number of properties in an object. - ↳
minPropertiesstring optionalThe minimum number of properties in an object. - ↳
requiredarray[string] optionalThe list of required property names. - ↳
dependentRequiredmap[string]array optionalA map of property names to lists of properties they depend on. - ↳
titlestring optionalA short human-readable label for the schema (JSON Schema annotation). - ↳
descriptionstring optionalA human-readable explanation of the schema’s purpose (JSON Schema annotation). - ↳
defaultobject optionalThe default value for the schema. - ↳
deprecatedboolean optionalWhether the schema is deprecated. - ↳
examplesarray[object] optionalExample values for the schema. - ↳
secretboolean optionalPulumi ESC extension: if true, the value should be treated as sensitive and masked in output. - ↳
rotateOnlyarray[string] optionalPulumi ESC extension: property paths within this schema that support rotation-only updates. - ExecutionContext contains the values + schema for the execution context passed to the root environment.
- Properties contains the detailed values produced by the execution context.
- Schema contains the schema for Properties.
Open YAML
OpenYAML_esc instead./api/preview/environments/{orgName}/yaml/openOpens an anonymous Pulumi ESC environment from a raw YAML definition provided in the request body, fully resolving all dynamic values, provider integrations, and secrets. Unlike OpenEnvironment, this does not require a pre-existing environment to be stored. The duration parameter specifies how long the session remains valid using Go duration format. Returns an OpenEnvironmentResponse containing the session ID. Use the session ID with ReadAnonymousOpenEnvironment to retrieve the resolved values.
Request Parameters
orgNamestring path requiredThe organization namedurationstring query optionalThe session duration, using Go time units: ns, us, ms, s, m, h (e.g. ‘2h’)
Responses
idstring requiredThe unique identifier of the opened environment session.- Any diagnostics generated when opening the environment.
- The source range where the diagnostic occurred.
- ↳
summarystring optionalA summary of the diagnostic message. - ↳
pathstring optionalThe path within the environment definition where the diagnostic occurred. - ↳
severitystring optionalThe severity of the diagnostic: “error” or “warning”.
Read Anonymous Open Environment
ReadAnonymousOpenEnvironment_esc instead./api/preview/environments/{orgName}/yaml/open/{openSessionID}Reads the fully resolved values from an anonymous open environment session that was created via the OpenYAML endpoint. The openSessionID path parameter must match a valid, non-expired session. The optional property query parameter accepts a dot-separated path to retrieve a specific nested value instead of the entire resolved environment (e.g., ‘aws.credentials.accessKeyId’). The response contains the resolved configuration values with secrets decrypted.
Request Parameters
orgNamestring path requiredThe organization nameopenSessionIDstring path requiredThe session ID returned from the open environment operationpropertystring query optionalA dot-separated path to a specific property to retrieve from the environment
Responses
List Providers
ListProviders_esc instead./api/preview/environments/providersReturns a list of all available Pulumi ESC providers. Providers are integrations that dynamically retrieve configuration and secrets from external sources (e.g., AWS, Azure, Google Cloud, HashiCorp Vault, 1Password) via the fn::open function in environment definitions. Optionally filter by organization using the orgName query parameter to see only providers available to that organization.
Request Parameters
orgNamestring query optionalFilter providers available to this organization
Responses
Get Provider Schema
GetProviderSchema_esc instead./api/preview/environments/providers/{providerName}/schemaReturns the JSON schema for a Pulumi ESC provider. Providers are integrations that dynamically retrieve configuration and secrets from external sources such as AWS, Azure, Google Cloud, HashiCorp Vault, and others via fn::open. The schema describes the provider’s input parameters, output structure, and configuration options. The provider is identified by name in the URL path.
Request Parameters
providerNamestring path requiredThe provider name
Responses
namestring requiredThe name of the provider.descriptionstring requiredA description of the provider.- The input schema for the provider.
- Schema definitions that can be referenced by $ref.
- ↳
_refstring optionalA JSON reference to a schema definition. - A list of schemas, any of which the value must match.
- A list of schemas, exactly one of which the value must match.
- Schemas for the leading items in an array.
- The schema for array items.
- The schema for additional object properties.
- Schemas for named object properties.
- ↳
typestring requiredThe type of the schema (e.g. string, number, object, array, boolean). - ↳
constobject optionalA constant value the instance must equal. - ↳
enumarray[object] optionalA list of allowed values. - ↳
multipleOfstring optionalThe value must be a multiple of this number. - ↳
maximumstring optionalThe maximum allowed value (inclusive). - ↳
exclusiveMaximumstring optionalThe maximum allowed value (exclusive). - ↳
minimumstring optionalThe minimum allowed value (inclusive). - ↳
exclusiveMinimumstring optionalThe minimum allowed value (exclusive). - ↳
maxLengthstring optionalThe maximum allowed string length. - ↳
minLengthstring optionalThe minimum allowed string length. - ↳
patternstring optionalA regular expression pattern the string must match. - ↳
maxItemsstring optionalThe maximum number of items in an array. - ↳
minItemsstring optionalThe minimum number of items in an array. - ↳
uniqueItemsboolean optionalWhether array items must be unique. - ↳
maxPropertiesstring optionalThe maximum number of properties in an object. - ↳
minPropertiesstring optionalThe minimum number of properties in an object. - ↳
requiredarray[string] optionalThe list of required property names. - ↳
dependentRequiredmap[string]array optionalA map of property names to lists of properties they depend on. - ↳
titlestring optionalA short human-readable label for the schema (JSON Schema annotation). - ↳
descriptionstring optionalA human-readable explanation of the schema’s purpose (JSON Schema annotation). - ↳
defaultobject optionalThe default value for the schema. - ↳
deprecatedboolean optionalWhether the schema is deprecated. - ↳
examplesarray[object] optionalExample values for the schema. - ↳
secretboolean optionalPulumi ESC extension: if true, the value should be treated as sensitive and masked in output. - ↳
rotateOnlyarray[string] optionalPulumi ESC extension: property paths within this schema that support rotation-only updates. - The output schema for the provider.
- Schema definitions that can be referenced by $ref.
- ↳
_refstring optionalA JSON reference to a schema definition. - A list of schemas, any of which the value must match.
- A list of schemas, exactly one of which the value must match.
- Schemas for the leading items in an array.
- The schema for array items.
- The schema for additional object properties.
- Schemas for named object properties.
- ↳
typestring requiredThe type of the schema (e.g. string, number, object, array, boolean). - ↳
constobject optionalA constant value the instance must equal. - ↳
enumarray[object] optionalA list of allowed values. - ↳
multipleOfstring optionalThe value must be a multiple of this number. - ↳
maximumstring optionalThe maximum allowed value (inclusive). - ↳
exclusiveMaximumstring optionalThe maximum allowed value (exclusive). - ↳
minimumstring optionalThe minimum allowed value (inclusive). - ↳
exclusiveMinimumstring optionalThe minimum allowed value (exclusive). - ↳
maxLengthstring optionalThe maximum allowed string length. - ↳
minLengthstring optionalThe minimum allowed string length. - ↳
patternstring optionalA regular expression pattern the string must match. - ↳
maxItemsstring optionalThe maximum number of items in an array. - ↳
minItemsstring optionalThe minimum number of items in an array. - ↳
uniqueItemsboolean optionalWhether array items must be unique. - ↳
maxPropertiesstring optionalThe maximum number of properties in an object. - ↳
minPropertiesstring optionalThe minimum number of properties in an object. - ↳
requiredarray[string] optionalThe list of required property names. - ↳
dependentRequiredmap[string]array optionalA map of property names to lists of properties they depend on. - ↳
titlestring optionalA short human-readable label for the schema (JSON Schema annotation). - ↳
descriptionstring optionalA human-readable explanation of the schema’s purpose (JSON Schema annotation). - ↳
defaultobject optionalThe default value for the schema. - ↳
deprecatedboolean optionalWhether the schema is deprecated. - ↳
examplesarray[object] optionalExample values for the schema. - ↳
secretboolean optionalPulumi ESC extension: if true, the value should be treated as sensitive and masked in output. - ↳
rotateOnlyarray[string] optionalPulumi ESC extension: property paths within this schema that support rotation-only updates.
Create Environment Draft
/api/preview/esc/environments/{orgName}/{projectName}/{envName}/draftsCreates a new draft change request for a Pulumi ESC environment. Drafts allow proposing changes to an environment definition that can be reviewed and approved before being applied. This is part of the approvals workflow for environments. Returns a ChangeRequestRef containing the draft identifier. Requires the Approvals feature to be enabled for the organization.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment name
Responses
changeRequestIdstring optionalThe change request identifierlatestRevisionNumberinteger optionalThe latest revision number
Read Environment Draft
/api/preview/esc/environments/{orgName}/{projectName}/{envName}/drafts/{changeRequestID}Reads the YAML definition for a draft version of a Pulumi ESC environment. Drafts are proposed changes created as part of the approvals workflow. The draft is identified by the changeRequestID path parameter. An optional revision query parameter can target a specific base revision. The response is returned in application/x-yaml format. Requires the Approvals feature to be enabled.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment namechangeRequestIDstring path requiredThe change request IDrevisioninteger query optionalThe environment revision number to target
Responses
Update Environment Draft
/api/preview/esc/environments/{orgName}/{projectName}/{envName}/drafts/{changeRequestID}Updates the YAML definition of an existing draft change request for a Pulumi ESC environment. The draft is identified by the changeRequestID path parameter. The request body contains the updated YAML definition. Returns a ChangeRequestRef on success. Requires the Approvals feature to be enabled for the organization.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment namechangeRequestIDstring path requiredThe change request ID
Responses
changeRequestIdstring optionalThe change request identifierlatestRevisionNumberinteger optionalThe latest revision number
Open Environment Draft
/api/preview/esc/environments/{orgName}/{projectName}/{envName}/drafts/{changeRequestID}/openOpens a draft version of a Pulumi ESC environment, fully resolving all dynamic values, provider integrations, and secrets for the proposed changes. The duration parameter specifies how long the open session remains valid using Go duration format (e.g., ‘2h’, ‘30m’). An optional revision parameter can target a specific base revision. Returns an OpenEnvironmentResponse containing the session ID for subsequent reads. Requires the Approvals feature.
Request Parameters
orgNamestring path requiredThe organization nameprojectNamestring path requiredThe project nameenvNamestring path requiredThe environment namechangeRequestIDstring path requiredThe change request IDdurationstring query optionalThe session duration, using Go time units: ns, us, ms, s, m, h (e.g. ‘2h’)revisioninteger query optionalThe environment revision number to target
Responses
idstring requiredThe unique identifier of the opened environment session.- Any diagnostics generated when opening the environment.
- The source range where the diagnostic occurred.
- ↳
summarystring optionalA summary of the diagnostic message. - ↳
pathstring optionalThe path within the environment definition where the diagnostic occurred. - ↳
severitystring optionalThe severity of the diagnostic: “error” or “warning”.
Thank you for your feedback!
If you have a question about how to use Pulumi, reach out in Community Slack.
Open an issue on GitHub to report a problem or suggest an improvement.