Organizations

gates array[ChangeGate] required
List of change gates
↳ id string required
Unique identifier of the change gate
↳ name string required
Name of the change gate
↳ enabled boolean required
Whether the change gate is enabled
↳ rule ChangeGateRuleOutput required
Rule configuration for the gate
↳ target ChangeGateTargetOutput required
Target configuration for the gate
continuationToken string required
Continuation token for pagination. If null, there are no more results available.

Errors: 400 invalid query parameter 404 not found

Create Change Gate

▼

POST /api/change-gates/{orgName}

Creates a new change gate for an entity in the organization. Change gates enforce approval workflows by requiring one or more approvals before infrastructure changes can be applied to the protected resource.

Request Parameters

orgName string path required
The organization name

Request Body

Schema: CreateChangeGateRequest

name string required
Name of the change gate
enabled boolean required
Whether the change gate is enabled
rule ChangeGateRuleInput required
Rule configuration for the gate
↳ ruleType string required
target ChangeGateTargetInput required
Target configuration for the gate
↳ entityType enum required
The entity type this gate targets
Values: environment
↳ qualifiedName string optional
The qualified name of the entity this gate targets (e.g., ‘project/env’)
↳ actionTypes array[string] required
The action types this gate targets (currently only supports single action)

Responses

201 created

Schema: ChangeGate

id string required
Unique identifier of the change gate
name string required
Name of the change gate
enabled boolean required
Whether the change gate is enabled
rule ChangeGateRuleOutput required
Rule configuration for the gate
↳ ruleType string required
target ChangeGateTargetOutput required
Target configuration for the gate
↳ entityType enum required
The entity type this gate targets
Values: environment
↳ qualifiedName string optional
The qualified name of the entity this gate targets (e.g., ‘project/env’)
↳ actionTypes array[string] required
The action types this gate targets
↳ entityInfo TargetEntity optional
Populated details about the target entity

Errors: 400 bad request 404 not found

Read Change Gate

▼

GET /api/change-gates/{orgName}/{gateID}

Retrieves the configuration and status of a specific change gate, including its approval requirements and the entity it protects.

Request Parameters

orgName string path required
The organization name
gateID string path required
The change gate identifier

Responses

200 OK

Schema: ChangeGate

id string required
Unique identifier of the change gate
name string required
Name of the change gate
enabled boolean required
Whether the change gate is enabled
rule ChangeGateRuleOutput required
Rule configuration for the gate
↳ ruleType string required
target ChangeGateTargetOutput required
Target configuration for the gate
↳ entityType enum required
The entity type this gate targets
Values: environment
↳ qualifiedName string optional
The qualified name of the entity this gate targets (e.g., ‘project/env’)
↳ actionTypes array[string] required
The action types this gate targets
↳ entityInfo TargetEntity optional
Populated details about the target entity

Errors: 400 bad request 404 not found

Update Change Gate

▼

PUT /api/change-gates/{orgName}/{gateID}

Updates the configuration of an existing change gate, such as modifying its approval requirements or protected entity.

Request Parameters

orgName string path required
The organization name
gateID string path required
The change gate identifier

Request Body

Schema: UpdateChangeGateRequest

name string required
Name of the change gate
enabled boolean required
Whether the change gate is enabled
target ChangeGateTargetInput required
Target configuration for the gate
↳ entityType enum required
The entity type this gate targets
Values: environment
↳ qualifiedName string optional
The qualified name of the entity this gate targets (e.g., ‘project/env’)
↳ actionTypes array[string] required
The action types this gate targets (currently only supports single action)
rule ChangeGateRuleInput required
Rule configuration for the gate
↳ ruleType string required

Responses

200 OK

Schema: ChangeGate

id string required
Unique identifier of the change gate
name string required
Name of the change gate
enabled boolean required
Whether the change gate is enabled
rule ChangeGateRuleOutput required
Rule configuration for the gate
↳ ruleType string required
target ChangeGateTargetOutput required
Target configuration for the gate
↳ entityType enum required
The entity type this gate targets
Values: environment
↳ qualifiedName string optional
The qualified name of the entity this gate targets (e.g., ‘project/env’)
↳ actionTypes array[string] required
The action types this gate targets
↳ entityInfo TargetEntity optional
Populated details about the target entity

Errors: 400 bad request 404 not found

Delete Change Gate

▼

DELETE /api/change-gates/{orgName}/{gateID}

Deletes a change gate, removing the approval requirement from the protected entity. Changes to the entity will no longer require approval.

Request Parameters

orgName string path required
The organization name
gateID string path required
The change gate identifier

Responses

204 No Content

Errors: 400 bad request 404 not found

List Change Requests

▼

GET /api/change-requests/{orgName}

Lists change requests for an organization with support for pagination and filtering by entity type and entity ID. Change requests represent proposed infrastructure modifications that require approval before being applied.

Request Parameters

orgName string path required
The organization name
continuationToken string query optional
Continuation token for paginated results
count integer query optional
Number of items to return
entityId string query optional
The entity identifier to filter by
entityType string query optional
The entity type to filter by

Responses

200 OK

Schema: ListChangeRequestsResponse

changeRequests array[ChangeRequest] required
The list of change requests
↳ id string required
The change request ID
↳ status string required
The current status of the change request
↳ orgID string required
The organization ID
↳ createdBy UserInfo required
The user who created this change request
↳ description string required
The description/justification for this change request
↳ createdAt string required
When this change request was created
↳ entity TargetEntity required
The entity this change request targets
↳ action enum required
The type of action this change request will perform
Values: update, open
↳ latestRevisionNumber integer required
The current revision number
continuationToken string required
Continuation token for pagination. If null, there are no more results available.

Errors: 400 bad request 404 not found

Read Change Request

▼

GET /api/change-requests/{orgName}/{changeRequestID}

Retrieves the details of a specific change request, including its current status, description, approvals, and the proposed infrastructure changes.

Request Parameters

orgName string path required
The organization name
changeRequestID string path required
The change request identifier

Responses

200 OK

Schema: GetChangeRequestResponse

gateEvaluation ChangeRequestGateEvaluation required
The gate evaluation results for this change request
↳ satisfied boolean required
Indicates if all applicable gates are satisfied and the change request is ready for application
↳ applicableGates array[ChangeGateEvaluation] required
Lists all gates that apply to this change request
id string required
The change request ID
status string required
The current status of the change request
orgID string required
The organization ID
createdBy UserInfo required
The user who created this change request
↳ name string required
The user’s display name.
↳ githubLogin string required
The user’s login name.
↳ avatarUrl string required
The URL of the user’s avatar image.
↳ email string optional
IMPORTANT: The email address of the user is only included on a few admin-only APIs. For nearly all APIs that return a UserInfo object, this will not be provided. considered sensitive information.
description string required
The description/justification for this change request
createdAt string required
When this change request was created
entity TargetEntity required
The entity this change request targets
↳ entityType string required
action enum required
The type of action this change request will perform
Values: update, open
latestRevisionNumber integer required
The current revision number

Errors: 400 bad request 404 not found

Update Change Request

▼

PATCH /api/change-requests/{orgName}/{changeRequestID}

Updates a change request’s metadata. Currently only the description field can be modified after creation.

Request Parameters

orgName string path required
The organization name
changeRequestID string path required
The change request identifier

Request Body

Schema: UpdateChangeRequestRequest

description string required
Updated description/justification for the change request

Responses

204 No Content

Errors: 400 bad request 404 not found

Apply Change Request

▼

POST /api/change-requests/{orgName}/{changeRequestID}/apply

Applies an approved change request, triggering the execution of the proposed infrastructure changes. The change request must have received the required number of approvals before it can be applied. Returns 409 if there is a conflict preventing application.

Request Parameters

orgName string path required
The organization name
changeRequestID string path required
The change request identifier

Responses

200 OK

Schema: ChangeRequestApplyResult

entityUrl string required
API endpoint for fetching the updated entity
message string optional
Optional details about the apply operation

Errors: 400 bad request 404 not found 409 conflict

Approve Change Request

▼

POST /api/change-requests/{orgName}/{changeRequestID}/approve

Records an approval for a change request from the authenticated user. Once the required number of approvals is met, the change request can be applied.

Request Parameters

orgName string path required
The organization name
changeRequestID string path required
The change request identifier

Request Body

Schema: ApproveChangeRequestRequest

revisionNumber integer required
Which revision to approve.
comment string optional
Optional note accompanying the approval

Responses

204 No Content

Errors: 400 bad request 404 not found

Unapprove Change Request

▼

DELETE /api/change-requests/{orgName}/{changeRequestID}/approve

Withdraws a previously given approval for a change request. If the change request no longer has the required number of approvals after withdrawal, it cannot be applied until additional approvals are granted.

Request Parameters

orgName string path required
The organization name
changeRequestID string path required
The change request identifier

Request Body

Schema: UnapproveChangeRequestRequest

comment string optional
Optional note clarifying the reason for revoking approval

Responses

204 No Content

Errors: 400 bad request 404 not found

Close Change Request

▼

POST /api/change-requests/{orgName}/{changeRequestID}/close

Closes a change request without applying it. The proposed infrastructure changes are discarded and the request is marked as closed.

Request Parameters

orgName string path required
The organization name
changeRequestID string path required
The change request identifier

Request Body

Schema: CloseChangeRequestRequest

comment string optional
Optional comment explaining why the change request is being closed

Responses

204 No Content

Errors: 400 bad request 404 not found

Add Change Request Comment

▼

POST /api/change-requests/{orgName}/{changeRequestID}/comments

Adds a comment to a change request without approving or closing it. This allows reviewers to provide feedback or ask questions before making a decision.

Request Parameters

orgName string path required
The organization name
changeRequestID string path required
The change request identifier

Request Body

Schema: AddChangeRequestCommentRequest

comment string required
The comment text to add to the change request.

Responses

204 No Content

Errors: 400 bad request 404 not found

List Change Request Events

▼

GET /api/change-requests/{orgName}/{changeRequestID}/events

Lists the event log for a change request, including approvals, status changes, and other lifecycle events. Supports pagination via continuation token.

Request Parameters

orgName string path required
The organization name
changeRequestID string path required
The change request identifier
continuationToken string query optional
Continuation token for paginated results

Responses

200 OK

Schema: ListChangeRequestEventsResponse

events array[ChangeRequestEvent] required
The list of events for this page.
↳ id string required
The event ID
↳ replacedBy string optional
ID of event that replaces this one (for event updates)
↳ changeRequestId string required
The change request this event belongs to
↳ revisionNumber integer required
The revision number that was latest when this event occurred
↳ createdBy UserInfo required
The user who triggered this event
↳ createdAt string required
When this event occurred
↳ comment string optional
Optional comment associated with this event
↳ eventType string required
continuationToken string required
Continuation token for pagination. If null, there are no more results available.

Errors: 400 invalid query parameter 404 change request events

Submit Change Request

▼

POST /api/change-requests/{orgName}/{changeRequestID}/submit

Submits a draft change request for approval. Once submitted, the request enters the review workflow and requires the configured number of approvals before it can be applied.

Request Parameters

orgName string path required
The organization name
changeRequestID string path required
The change request identifier

Request Body

Schema: SubmitChangeRequestRequest

description string optional
Description/justification for the change request

Responses

204 No Content

Errors: 400 bad request 404 not found

Get Organization

▼

GET /api/orgs/{orgName}

Returns detailed information about the specified organization, including its name, display name, avatar URL, enabled features, subscription tier, and access control settings. The response includes member count, team availability, and other configuration relevant to the caller’s role within the organization.

Request Parameters

orgName string path required
The organization name

Responses

200 OK

Schema: Organization

githubLogin string required
The GitHub login associated with the organization.
name string required
The name of the organization.
avatarUrl string required
The URL of the organization’s avatar image.
repos array[PulumiRepository] required
The repositories belonging to the organization.
↳ orgName string required
The name of the organization that owns this repository.
↳ name string required
The name of the repository.
↳ vcsInfo VCSInfo optional
Version control system information for the repository.
↳ projects array[PulumiProject] required
The projects within this repository.

Update Organization Settings

▼

PATCH /api/orgs/{orgName}

Updates an organization’s settings, such as the default stack permission level for new members, whether members can create teams, and other organization-wide configuration options. Returns the updated organization metadata.

Request Parameters

orgName string path required
The organization name

Request Body

Schema: UpdateOrganizationRequest

setDefaultStackPermission enum optional
The new default stack permission for the organization.
Values: 0, 101, 102, 103, 104
setDefaultEnvironmentPermission enum optional
The new default environment permission for the organization.
Values: none, read, open, write, admin
setDefaultAccountPermission enum optional
The new default account permission for the organization.
Values: 0, 1, 2, 3
setMembersCanCreateStacks boolean optional
Whether members can create stacks.
setMembersCanInviteCollaborators boolean optional
Whether members can invite collaborators.
setMembersCanDeleteStacks boolean optional
Whether members can delete stacks.
setMembersCanTransferStacks boolean optional
Whether members can transfer stacks.
setMembersCanCreateAccounts boolean optional
Whether members can create accounts.
setMembersCanCreateTeams boolean optional
Whether members can create teams.
setAiEnablement string optional
The AI enablement setting for the organization.
setNeoEnabled boolean optional
Whether Neo is enabled for the organization.
setNeoApprovalMode enum optional
The default approval mode for Neo tasks.
Values: manual, auto, balanced
setNeoTaskSharingMode enum optional
The task sharing mode for Neo.
Values: none, org
setPreferredVCS enum optional
The preferred VCS provider for the organization.
Values: none, bitbucket, github, gitlab
setDefaultDeploymentRoleId string optional
The ID of the default deployment role. When set, this role is applied to all deployments that do not have a role explicitly configured in their stack deployment settings. Set to an empty string to clear the default.
setDefaultAgentPoolID string optional
The ID of the default agent pool for the organization. Set to empty string to revert to the Pulumi Hosted Pool.

Responses

200 OK

Schema: OrganizationMetadata

id string required
The unique identifier of the organization.
kind enum required
The kind of backing identity provider for the organization.
Values: single-user, bitbucket, github, gitlab, pulumi, saml
created string required
The time the organization was created.
backingOrgLogin string optional
The login name of the backing organization on the identity provider.
product enum optional
Subscription-related information if the organization has a Pulumi subscription. Otherwise, assume it is a grandfathered TeamPerStack org or in the Community Edition.
Values: team-per-stack, community, individual, team-starter, team-pro, enterprise, team-growth, enterprise-growth, business-critical
subscriptionStatus string optional
The Stripe subscription status (e.g. active, past_due, canceled), if applicable.
subscriptionTrialEnd integer optional
The Unix timestamp when the subscription trial ends.
subscriptionCancelAtPeriodEnd boolean optional
Whether the subscription will be canceled at the end of the current billing period.
subscriptionPeriodEnd string optional
The time when the current subscription or license period ends. For SaaS subscriptions this is the Stripe billing period end. For self-hosted installations this is the license expiry date.
userRole enum required
UserRole is the requesting user’s role in the organization.
Values: none, member, admin, potential-member, stack-collaborator, billing-manager
defaultStackPermission enum required
DefaultStackPermission is the default permission every member has for accessing the organization’s stacks.
Values: 0, 101, 102, 103, 104
defaultEnvironmentPermission enum required
DefaultEnvironmentPermission is the default permission every member has for accessing the organization’s environments.
Values: none, read, open, write, admin
defaultAccountPermission enum required
DefaultAccountPermission is the default permission every member has for accessing the organization’s insight accounts.
Values: 0, 1, 2, 3
membersCanCreateStacks boolean required
Whether organization members can create stacks.
membersCanDeleteStacks boolean required
Whether organization members can delete stacks.
membersCanTransferStacks boolean required
Whether organization members can transfer stacks.
membersCanCreateTeams boolean required
Whether organization members can create teams.
membersCanCreateAccounts boolean required
Whether organization members can create Insights accounts.
neoEnabled boolean required
Whether Neo AI agent features are enabled for the organization.
neoApprovalMode enum required
neoApprovalMode is the default approval mode for new Neo AI agent tasks.
Values: manual, auto, balanced
neoTaskSharingMode enum required
NeoTaskSharingMode is the task sharing mode for Neo AI agents in the organization.
Values: none, org
insightsTrialEnd integer optional
The Unix timestamp when the Insights trial ends.
insightsBillingAccepted boolean optional
true if accepted, false if denied, nil if no action taken
insightsTrialUsingPolicy boolean required
true if org needs to be upgraded to business critical
aiEnablement string required
The AI feature enablement status for the organization (e.g. enabled, disabled, opt-in).
preferredVCS enum required
The organization’s preferred VCS vendor.
Values: none, bitbucket, github, gitlab
auditLogsEnabled boolean required
Deprecated. Access the AuditLogsEnabled feature from the Features property.
webhooksEnabled boolean required
Deprecated. Access the WebhooksEnabled feature from the Features property.
features OrganizationFeatures required
The feature flags enabled for this organization, controlling access to specific functionality.
↳ auditLogsEnabled boolean required
Whether audit logs are enabled for the organization.
↳ crossGuardEnabled boolean required
Whether CrossGuard policy enforcement is enabled.
↳ webhooksEnabled boolean required
Whether webhooks are enabled for the organization.
↳ integrationAssistantEnabled boolean required
Whether the integration assistant is enabled.
↳ aleEnabled boolean required
Whether audit log export (ALE) is enabled.
↳ deployEnabled boolean required
Whether Pulumi Deployments is enabled.
↳ scimEnabled boolean required
Whether SCIM provisioning is enabled.
↳ resourceSearchEnabled boolean required
Whether resource search is enabled.
↳ resourceExportEnabled boolean required
Whether resource export is enabled.
↳ propertySearchUIEnabled boolean required
Whether the property search UI is enabled.
↳ nlpSearchEnabled boolean required
Whether natural language search is enabled.
↳ customTemplatesEnabled boolean required
Whether custom templates are enabled.
↳ restoreStacksEnabled boolean required
Whether restoring deleted stacks is enabled.
↳ environmentsEnabled boolean required
Whether Pulumi ESC environments are enabled.
↳ environmentRevisionTagsEnabled boolean required
Whether environment revision tags are enabled.
↳ legacyDeploymentsOrgToken boolean required
Whether the organization uses a legacy org token for deployments.
↳ gitHubEnterpriseIntegrationEnabled boolean required
Whether GitHub Enterprise integration is enabled.
↳ agentPoolRegistrationEnabled boolean required
Whether agent pool registration is enabled for self-hosted deployments.
↳ dashboardOnboardingUIEnabled boolean required
Whether the dashboard onboarding UI is enabled.
↳ driftDetectionEnabled boolean required
Whether drift detection is enabled.
↳ selfHostedDeploymentsEnabled boolean required
Whether self-hosted deployment agents are enabled.
↳ auditLogUIFilteringEnabled boolean required
Whether audit log UI filtering is enabled.
↳ dependencyCachingEnabled boolean required
Whether dependency caching for deployments is enabled.
↳ environmentsRestoreEnabled boolean required
Whether restoring deleted environments is enabled.
↳ pangeaAccountsScanPageEnabled boolean required
Whether the Pangea accounts scan page is enabled.
↳ customRolesEnabled boolean required
Whether custom RBAC roles are enabled.
↳ environmentSecretRotationEnabled boolean required
Whether environment secret rotation is enabled.
↳ insightsMonetizationEnabled boolean required
Whether Insights monetization features are enabled.
↳ selfServeIDPRemoval boolean required
Whether self-serve IDP removal is enabled.
↳ iacCloudImportEnabled boolean required
Whether IaC cloud import is enabled.
↳ bringYourOwnKeyEnabled boolean required
Whether bring-your-own-key encryption is enabled.
↳ approvalsEnabled boolean required
Whether change request approvals are enabled.
↳ escOnboardingEnabled boolean required
Whether ESC onboarding is enabled.
↳ escOnboardingV2Enabled boolean required
Whether ESC onboarding v2 is enabled.
↳ escEditorRevampEnabled boolean required
Whether the ESC editor revamp is enabled.
↳ escOnboardingAzureOAuthClientEnabled boolean required
Whether the Azure OAuth client for ESC onboarding is enabled.
↳ escOnboardingGcpOAuthClientEnabled boolean required
Whether the GCP OAuth client for ESC onboarding is enabled.
↳ policyManagementV2Enabled boolean required
Whether policy management v2 is enabled.
↳ policyIssueManagementEnabled boolean required
Whether policy issue management is enabled.
↳ aiAgentsEnabled boolean required
Whether AI agents (Pulumi Copilot) are enabled.
↳ themingEnabled boolean required
Whether UI theming is enabled.
↳ customRoleCondition boolean required
Whether custom role conditions are enabled.
↳ neoTaskSharingEnabled boolean required
Whether Copilot task sharing is enabled.
↳ ghAppDetailedDiffEnabled boolean required
Whether the GitHub App detailed diff view is enabled.
↳ neoServerSideApprovalsEnabled boolean required
Whether Neo server side approvals is enabled.
↳ neoPlanModeEnabled boolean required
Whether Neo plan mode is enabled.
↳ getStartedOnboardEnabled boolean required
Whether the getting started onboarding flow is enabled.
↳ neoReadOnlyEnabled boolean required
Whether Neo read-only permission mode is enabled.
↳ discoveredStacksEnabled boolean required
Whether discovered stacks are enabled.
↳ agentIntegrationCatalogEnabled boolean required
Whether the agent integration catalog is enabled.
↳ aiReviewCodeAccessEnabled boolean required
Whether AI review code access is enabled.
↳ genericVCSEnabled boolean required
Whether generic VCS integrations are enabled.
↳ bitbucketVCSEnabled boolean required
Whether Bitbucket VCS integration is enabled.
accountCount integer required
AccountCount is the current number of Insights Accounts in the organization. (May be more than the requesting user has permission to see.)
environmentCount integer required
EnvironmentCount is the current number of environments in the organization. (May be more than the requesting user has permission to see.)
stackCount integer required
StackCount is the current number of stacks in the organization. (May be more than the requesting user has permission to see.)
maxStacks integer optional
MaxStacks is the maximum number of stacks the organization can have based on its subscription. Will be nil/omitted if there is no limit.
memberCount integer required
MemberCount is the number of members the organization has. Will be incorrect for organizations on the TeamPerStack subscription plan.
maxMembers integer optional
MaxMembers is the maximum number of members the organization can have based on its subscription. (Only set for per-member billed orgs.)
locked enum optional
Locked is non-nil if an organization is locked, indicating the specific reason why it was locked. (Which may determine which actions are available in the Console.)
Values: bad-subscription, not-locked, read-only, rename-in-progress, transfer-in-progress
defaultRoleId string optional
DefaultRoleID is the ID of the default role for new users added to the organization. If unset, defaults to the “Member” role.
defaultDeploymentRoleId string optional
DefaultDeploymentRoleID is the ID of the default role used for deployments when no specific role is configured in the stack’s deployment settings. If unset, deployments run using the triggering user’s own permissions.

Errors: 400 Invalid organization settings

Update Auth Policy

▼

PATCH /api/orgs/{orgName}/auth/policies/{policyId}

Updates an authentication policy for an organization. Authentication policies define rules for how OIDC tokens are validated and what access they grant, including claim mappings, trust conditions, and role assignments. The policy definition cannot be empty.

The request body contains a policies array where each policy object includes:

decision: allow or deny
tokenType: organization, team, personal, or runner
teamName: required when tokenType is team
userLogin: required when tokenType is personal
runnerID: required when tokenType is runner
authorizedPermissions: array of permissions (only admin is supported for organization tokens)
rules: object defining claim-matching rules for the token

For more information about authorization rules, refer to the OIDC authorization policies documentation.

Request Parameters

orgName string path required
The organization name
policyId string path required
The policy identifier

Request Body

Schema: AuthPolicyUpdateRequest

policies array[AuthPolicyDefinition] required
List of policies
↳ decision string required
The access decision for matching tokens (e.g. ‘allow’, ‘deny’).
↳ tokenType string required
The type of token this rule applies to (e.g. ‘personal’, ‘org’, ’team’).
↳ teamName string optional
Team name filter. When set, this rule only applies to tokens belonging to this team.
↳ userLogin string optional
User login filter. When set, this rule only applies to tokens belonging to this user.
↳ runnerID string optional
Runner ID filter. When set, this rule only applies to tokens for this deployment runner.
↳ roleID string optional
Role ID filter. When set, this rule only applies to tokens with this role.
↳ authorizedPermissions array[string] required
The set of permissions granted when this rule matches.
↳ rules map[string]object required
Additional rule conditions as key-value pairs.

Responses

200 OK

Schema: AuthPolicy

id string required
The unique identifier
version integer required
The version number
created string optional
The creation timestamp
modified string optional
The last modification timestamp
policies array[AuthPolicyDefinition] required
List of policies
↳ decision string required
The access decision for matching tokens (e.g. ‘allow’, ‘deny’).
↳ tokenType string required
The type of token this rule applies to (e.g. ‘personal’, ‘org’, ’team’).
↳ teamName string optional
Team name filter. When set, this rule only applies to tokens belonging to this team.
↳ userLogin string optional
User login filter. When set, this rule only applies to tokens belonging to this user.
↳ runnerID string optional
Runner ID filter. When set, this rule only applies to tokens for this deployment runner.
↳ roleID string optional
Role ID filter. When set, this rule only applies to tokens with this role.
↳ authorizedPermissions array[string] required
The set of permissions granted when this rule matches.
↳ rules map[string]object required
Additional rule conditions as key-value pairs.

Errors: 400 policy definition can not be empty

Transfer All Stacks

▼

POST /api/orgs/{orgName}/bulk-transfer/stacks

TransferAllStacks transfers all active stacks from one org to another, where deleted stacks will be skipped/ignored. We are currently constraining usage of this function to organizations with less than or equal to TransferAllStacksMax stacks.

NOTE: This operation will lock the organization while the transfer is in-progress, to rewrite all checkpoint files that use service-managed secrets. This means that the organization will be read-only and no stack updates can begin until the rename process has completed.

Request Parameters

orgName string path required
The organization name

Request Body

Schema: TransferAllStacksRequest

fromOrg string required
The source organization to transfer stacks from. Must match the organization in the URL route.
toOrg string required
The destination organization to transfer stacks to.

Responses

200 OK

List Organization Keys

▼

GET /api/orgs/{orgName}/cmk

Returns all customer managed keys (CMK) configured for an organization, including their key identifiers, cloud provider details, enabled status, and which key is set as the default for new stacks.

Request Parameters

orgName string path required
The organization name

Responses

200 successful operation

Create Organization Key

▼

POST /api/orgs/{orgName}/cmk

Creates a new customer managed key (CMK) for an organization, allowing the organization to use their own encryption keys for securing secrets stored in Pulumi Cloud. The key must be a valid cloud provider key (e.g., AWS KMS). Once created, the key can be set as the default encryption key for all new stacks in the organization.

Request Parameters

orgName string path required
The organization name

Request Body

Schema: CustomerManagedKeyInput

name string required
The name
keyType enum required
The key type
Values: aws_kms, service
awsKms AwsKmsConfig optional
The aws kms
↳ roleArn string required
ARN of the IAM role to assume for KMS operations.
↳ keyArn string required
ARN of the KMS key to use for encrypting/decrypting secrets.

Responses

201 Created

Schema: CustomerManagedKey

id string required
The unique identifier
name string required
The name
keyType enum required
The key type
Values: aws_kms, service
awsKms AwsKmsConfig optional
The aws kms
↳ roleArn string required
ARN of the IAM role to assume for KMS operations.
↳ keyArn string required
ARN of the KMS key to use for encrypting/decrypting secrets.
state string optional
The current state

Errors: 400 Invalid key provided

Set Default Organization Key

▼

POST /api/orgs/{orgName}/cmk/{keyID}/default

Sets a customer managed key as the default encryption key for the organization. New stacks created in the organization will use this key for encrypting secrets by default. The key must already be created and enabled for the organization.

Request Parameters

orgName string path required
The organization name
keyID string path required
The key identifier

Responses

200 OK

Errors: 404 Organization or Key not found

Disable Organization Key

▼

POST /api/orgs/{orgName}/cmk/{keyID}/disable

Disables a specific customer managed key (CMK) for an organization. The key can no longer be used for encrypting new secrets, but existing secrets encrypted with this key remain accessible.

Request Parameters

orgName string path required
The organization name
keyID string path required
The key identifier

Request Body

Schema: DisableCustomerManagedKeyRequest

destID string required
The destination identifier for the customer-managed key to disable.

Responses

200 OK

Errors: 400 Invalid key provided 404 Organization or Key not found

Disable All Organization Keys

▼

POST /api/orgs/{orgName}/cmk/disable

Disables all customer managed keys (CMK) for an organization, reverting to Pulumi-managed encryption for secrets. After disabling, new stacks will use the default Pulumi-managed encryption rather than customer-provided keys.

Request Parameters

orgName string path required
The organization name

Responses

200 OK

Errors: 400 Organization does not have customer managed keys

List Organization Key Migrations

▼

GET /api/orgs/{orgName}/cmk/migration

Returns all key encryption key (KEK) migrations for an organization. KEK migrations track the process of re-encrypting secrets when rotating customer managed keys. Each migration record includes the source and destination keys, status, and any errors encountered during the migration process.

Request Parameters

orgName string path required
The organization name

Responses

200 successful operation

Retry Organization Key Migrations

▼

POST /api/orgs/{orgName}/cmk/migration/retry

Retries any failed key encryption key (KEK) migrations for an organization. KEK migrations can fail due to transient errors when re-encrypting secrets during customer managed key rotation. This endpoint re-attempts the failed migrations without restarting the entire process.

Request Parameters

orgName string path required
The organization name

Responses

200 OK

List Organization Members

▼

GET /api/orgs/{orgName}/members

ListOrganizationMembers lists the members of an organization. This API unfortunately has two different “modes”, returning either the organization’s “frontend members” or “backend members”.

A “frontend member” is data stored in the Pulumi Service’s database. For organizations billed per-member, this is the set of members that are counted against the organization’s seat cap.
A “backend member” is data stored in the organization’s backend. (e.g. GitHub, GitLab, or for SAML orgs, also the Pulumi Service database.)

This isn’t ideal, but is required so that the APIs can be paginated correctly while not returning any users twice. (Which would be impossible in some cases.)

Request Parameters

orgName string path required
The organization name
continuationToken string query optional
Token for paginated result retrieval
type string query optional
Member type to list: ‘frontend’ for Pulumi Service members or ‘backend’ for organization backend members

Responses

200 OK

Schema: ListOrganizationMembersResponse

members array[OrganizationMember] required
The list of organization members
↳ role enum required
Deprecated: Use fgaRole instead. The member’s built-in role within the organization. For members assigned a custom role, this is the closest built-in projection (member, admin, or billingManager) and may lose detail; fgaRole is authoritative.
Values: none, member, admin, potential-member, stack-collaborator, billing-manager
↳ user UserInfo required
The user information for this organization member.
↳ created string required
When the member joined the organization.
↳ knownToPulumi boolean required
KnownToPulumi returns if the organization member has a Pulumi account.
↳ virtualAdmin boolean required
VirtualAdmin indicates that the member does not have admin access on the backing identity provider, but does have admin access to the Pulumi organization.
↳ links MemberLinks optional
Links to the member in the Pulumi Console
↳ fgaRole FGARole required
The role currently assigned to this member — either a built-in role (member, admin, billingManager) or a custom role. Falls back to the organization’s default role if no role is assigned directly.
continuationToken string optional
An opaque token for fetching the next page of members

Errors: 400 invalid query parameter

Add Organization Member

▼

POST /api/orgs/{orgName}/members/{userLogin}

Adds an existing Pulumi user to an organization with a built-in role. Important: The user must have already signed up for a Pulumi account before they can be added to an organization.

This endpoint only assigns built-in roles. To onboard a user with a custom role, use the organization invite flow (BatchCreateOrgInviteEmail) and set roleId on the invite — the custom role is applied when the user accepts. Alternatively, add the user here with a built-in role and then call UpdateOrganizationMember with fgaRoleId to reassign.

Returns the newly created organization member record. Returns 409 if the user is already a member of the organization.

Request Parameters

orgName string path required
The organization name
userLogin string path required
The user login name

Request Body

Schema: AddOrganizationMemberRequest

role enum required
The built-in role assigned to the new member. Must be member, admin, or billingManager.
Values: none, member, admin, potential-member, stack-collaborator, billing-manager

Responses

200 OK

Schema: OrganizationMember

role enum required
Deprecated: Use fgaRole instead. The member’s built-in role within the organization. For members assigned a custom role, this is the closest built-in projection (member, admin, or billingManager) and may lose detail; fgaRole is authoritative.
Values: none, member, admin, potential-member, stack-collaborator, billing-manager
user UserInfo required
The user information for this organization member.
↳ name string required
The user’s display name.
↳ githubLogin string required
The user’s login name.
↳ avatarUrl string required
The URL of the user’s avatar image.
↳ email string optional
IMPORTANT: The email address of the user is only included on a few admin-only APIs. For nearly all APIs that return a UserInfo object, this will not be provided. considered sensitive information.
created string required
When the member joined the organization.
knownToPulumi boolean required
KnownToPulumi returns if the organization member has a Pulumi account.
virtualAdmin boolean required
VirtualAdmin indicates that the member does not have admin access on the backing identity provider, but does have admin access to the Pulumi organization.
links MemberLinks optional
Links to the member in the Pulumi Console
↳ self string optional
A self-referencing hypermedia link (URL) to this member resource.
fgaRole FGARole required
The role currently assigned to this member — either a built-in role (member, admin, billingManager) or a custom role. Falls back to the organization’s default role if no role is assigned directly.
↳ id string required
The unique identifier of the role.
↳ name string required
The name of the role.
↳ modifiedAt string required
The timestamp when the role was last modified.

Errors: 400 Invalid organization role. 404 User 409 User is already an organization member.

Update Organization Member

▼

PATCH /api/orgs/{orgName}/members/{userLogin}

Modifies a user’s role within an organization. Set role to assign a built-in role (member, admin, or billingManager), or set fgaRoleId to assign a custom role. If both are provided, fgaRoleId takes precedence.

Request Parameters

orgName string path required
The organization name
userLogin string path required
The user login name

Request Body

Schema: UpdateOrganizationMemberRequest

role enum optional
The built-in role to assign to the member. Must be member, admin, or billing-manager. Ignored if fgaRoleId is also set.
Values: none, member, admin, potential-member, stack-collaborator, billing-manager
fgaRoleId string optional
The ID of a custom role to assign to the member. If both role and fgaRoleId are provided, fgaRoleId takes precedence.

Responses

204 No Content

Errors: 400 Invalid parameter 'roleID'. 404 User

Delete Organization Member

▼

DELETE /api/orgs/{orgName}/members/{userLogin}

Removes a user from an organization. The removed user loses access to all organization resources including stacks, teams, and projects. The caller cannot remove themselves from the organization. The user is also removed from all teams they belong to within the organization.

Request Parameters

orgName string path required
The organization name
userLogin string path required
The user login name

Responses

204 No Content

Errors: 400 You cannot remove yourself from the organization. 404 User

Set Sole Organization Admin

▼

POST /api/orgs/{orgName}/members/{userLogin}/set-admin

Promotes a member to administrator on organizations that are limited to a single admin. This endpoint is only valid for Team subscriptions (Team Starter and Team Growth) — it returns 400 on any other plan. On these plans, UpdateOrganizationMember cannot promote a member to admin, because doing so would require simultaneously demoting the current admin. This endpoint performs both changes atomically: the caller (who must be the current sole admin) is demoted to member and the target user is promoted to admin.

Note: This endpoint operates on built-in roles only and does not integrate with custom roles.

Request Parameters

orgName string path required
The organization name
userLogin string path required
The user login name

Responses

204 No Content

Errors: 400 Wrong API. Use the regular update Pulumi organization member endpoint instead. 404 User

Get Organization Metadata

▼

GET /api/orgs/{orgName}/metadata

GetOrganizationMetadata returns metadata about the given organization. This is designed to be an inexpensive call.

Request Parameters

orgName string path required
The organization name

Responses

200 OK

Schema: OrganizationMetadata

id string required
The unique identifier of the organization.
kind enum required
The kind of backing identity provider for the organization.
Values: single-user, bitbucket, github, gitlab, pulumi, saml
created string required
The time the organization was created.
backingOrgLogin string optional
The login name of the backing organization on the identity provider.
product enum optional
Subscription-related information if the organization has a Pulumi subscription. Otherwise, assume it is a grandfathered TeamPerStack org or in the Community Edition.
Values: team-per-stack, community, individual, team-starter, team-pro, enterprise, team-growth, enterprise-growth, business-critical
subscriptionStatus string optional
The Stripe subscription status (e.g. active, past_due, canceled), if applicable.
subscriptionTrialEnd integer optional
The Unix timestamp when the subscription trial ends.
subscriptionCancelAtPeriodEnd boolean optional
Whether the subscription will be canceled at the end of the current billing period.
subscriptionPeriodEnd string optional
The time when the current subscription or license period ends. For SaaS subscriptions this is the Stripe billing period end. For self-hosted installations this is the license expiry date.
userRole enum required
UserRole is the requesting user’s role in the organization.
Values: none, member, admin, potential-member, stack-collaborator, billing-manager
defaultStackPermission enum required
DefaultStackPermission is the default permission every member has for accessing the organization’s stacks.
Values: 0, 101, 102, 103, 104
defaultEnvironmentPermission enum required
DefaultEnvironmentPermission is the default permission every member has for accessing the organization’s environments.
Values: none, read, open, write, admin
defaultAccountPermission enum required
DefaultAccountPermission is the default permission every member has for accessing the organization’s insight accounts.
Values: 0, 1, 2, 3
membersCanCreateStacks boolean required
Whether organization members can create stacks.
membersCanDeleteStacks boolean required
Whether organization members can delete stacks.
membersCanTransferStacks boolean required
Whether organization members can transfer stacks.
membersCanCreateTeams boolean required
Whether organization members can create teams.
membersCanCreateAccounts boolean required
Whether organization members can create Insights accounts.
neoEnabled boolean required
Whether Neo AI agent features are enabled for the organization.
neoApprovalMode enum required
neoApprovalMode is the default approval mode for new Neo AI agent tasks.
Values: manual, auto, balanced
neoTaskSharingMode enum required
NeoTaskSharingMode is the task sharing mode for Neo AI agents in the organization.
Values: none, org
insightsTrialEnd integer optional
The Unix timestamp when the Insights trial ends.
insightsBillingAccepted boolean optional
true if accepted, false if denied, nil if no action taken
insightsTrialUsingPolicy boolean required
true if org needs to be upgraded to business critical
aiEnablement string required
The AI feature enablement status for the organization (e.g. enabled, disabled, opt-in).
preferredVCS enum required
The organization’s preferred VCS vendor.
Values: none, bitbucket, github, gitlab
auditLogsEnabled boolean required
Deprecated. Access the AuditLogsEnabled feature from the Features property.
webhooksEnabled boolean required
Deprecated. Access the WebhooksEnabled feature from the Features property.
features OrganizationFeatures required
The feature flags enabled for this organization, controlling access to specific functionality.
↳ auditLogsEnabled boolean required
Whether audit logs are enabled for the organization.
↳ crossGuardEnabled boolean required
Whether CrossGuard policy enforcement is enabled.
↳ webhooksEnabled boolean required
Whether webhooks are enabled for the organization.
↳ integrationAssistantEnabled boolean required
Whether the integration assistant is enabled.
↳ aleEnabled boolean required
Whether audit log export (ALE) is enabled.
↳ deployEnabled boolean required
Whether Pulumi Deployments is enabled.
↳ scimEnabled boolean required
Whether SCIM provisioning is enabled.
↳ resourceSearchEnabled boolean required
Whether resource search is enabled.
↳ resourceExportEnabled boolean required
Whether resource export is enabled.
↳ propertySearchUIEnabled boolean required
Whether the property search UI is enabled.
↳ nlpSearchEnabled boolean required
Whether natural language search is enabled.
↳ customTemplatesEnabled boolean required
Whether custom templates are enabled.
↳ restoreStacksEnabled boolean required
Whether restoring deleted stacks is enabled.
↳ environmentsEnabled boolean required
Whether Pulumi ESC environments are enabled.
↳ environmentRevisionTagsEnabled boolean required
Whether environment revision tags are enabled.
↳ legacyDeploymentsOrgToken boolean required
Whether the organization uses a legacy org token for deployments.
↳ gitHubEnterpriseIntegrationEnabled boolean required
Whether GitHub Enterprise integration is enabled.
↳ agentPoolRegistrationEnabled boolean required
Whether agent pool registration is enabled for self-hosted deployments.
↳ dashboardOnboardingUIEnabled boolean required
Whether the dashboard onboarding UI is enabled.
↳ driftDetectionEnabled boolean required
Whether drift detection is enabled.
↳ selfHostedDeploymentsEnabled boolean required
Whether self-hosted deployment agents are enabled.
↳ auditLogUIFilteringEnabled boolean required
Whether audit log UI filtering is enabled.
↳ dependencyCachingEnabled boolean required
Whether dependency caching for deployments is enabled.
↳ environmentsRestoreEnabled boolean required
Whether restoring deleted environments is enabled.
↳ pangeaAccountsScanPageEnabled boolean required
Whether the Pangea accounts scan page is enabled.
↳ customRolesEnabled boolean required
Whether custom RBAC roles are enabled.
↳ environmentSecretRotationEnabled boolean required
Whether environment secret rotation is enabled.
↳ insightsMonetizationEnabled boolean required
Whether Insights monetization features are enabled.
↳ selfServeIDPRemoval boolean required
Whether self-serve IDP removal is enabled.
↳ iacCloudImportEnabled boolean required
Whether IaC cloud import is enabled.
↳ bringYourOwnKeyEnabled boolean required
Whether bring-your-own-key encryption is enabled.
↳ approvalsEnabled boolean required
Whether change request approvals are enabled.
↳ escOnboardingEnabled boolean required
Whether ESC onboarding is enabled.
↳ escOnboardingV2Enabled boolean required
Whether ESC onboarding v2 is enabled.
↳ escEditorRevampEnabled boolean required
Whether the ESC editor revamp is enabled.
↳ escOnboardingAzureOAuthClientEnabled boolean required
Whether the Azure OAuth client for ESC onboarding is enabled.
↳ escOnboardingGcpOAuthClientEnabled boolean required
Whether the GCP OAuth client for ESC onboarding is enabled.
↳ policyManagementV2Enabled boolean required
Whether policy management v2 is enabled.
↳ policyIssueManagementEnabled boolean required
Whether policy issue management is enabled.
↳ aiAgentsEnabled boolean required
Whether AI agents (Pulumi Copilot) are enabled.
↳ themingEnabled boolean required
Whether UI theming is enabled.
↳ customRoleCondition boolean required
Whether custom role conditions are enabled.
↳ neoTaskSharingEnabled boolean required
Whether Copilot task sharing is enabled.
↳ ghAppDetailedDiffEnabled boolean required
Whether the GitHub App detailed diff view is enabled.
↳ neoServerSideApprovalsEnabled boolean required
Whether Neo server side approvals is enabled.
↳ neoPlanModeEnabled boolean required
Whether Neo plan mode is enabled.
↳ getStartedOnboardEnabled boolean required
Whether the getting started onboarding flow is enabled.
↳ neoReadOnlyEnabled boolean required
Whether Neo read-only permission mode is enabled.
↳ discoveredStacksEnabled boolean required
Whether discovered stacks are enabled.
↳ agentIntegrationCatalogEnabled boolean required
Whether the agent integration catalog is enabled.
↳ aiReviewCodeAccessEnabled boolean required
Whether AI review code access is enabled.
↳ genericVCSEnabled boolean required
Whether generic VCS integrations are enabled.
↳ bitbucketVCSEnabled boolean required
Whether Bitbucket VCS integration is enabled.
accountCount integer required
AccountCount is the current number of Insights Accounts in the organization. (May be more than the requesting user has permission to see.)
environmentCount integer required
EnvironmentCount is the current number of environments in the organization. (May be more than the requesting user has permission to see.)
stackCount integer required
StackCount is the current number of stacks in the organization. (May be more than the requesting user has permission to see.)
maxStacks integer optional
MaxStacks is the maximum number of stacks the organization can have based on its subscription. Will be nil/omitted if there is no limit.
memberCount integer required
MemberCount is the number of members the organization has. Will be incorrect for organizations on the TeamPerStack subscription plan.
maxMembers integer optional
MaxMembers is the maximum number of members the organization can have based on its subscription. (Only set for per-member billed orgs.)
locked enum optional
Locked is non-nil if an organization is locked, indicating the specific reason why it was locked. (Which may determine which actions are available in the Console.)
Values: bad-subscription, not-locked, read-only, rename-in-progress, transfer-in-progress
defaultRoleId string optional
DefaultRoleID is the ID of the default role for new users added to the organization. If unset, defaults to the “Member” role.
defaultDeploymentRoleId string optional
DefaultDeploymentRoleID is the ID of the default role used for deployments when no specific role is configured in the stack’s deployment settings. If unset, deployments run using the triggering user’s own permissions.

Get Package Used By Stacks

▼

GET /api/orgs/{orgName}/packages/usage

Returns the stacks within an organization that use a specific Pulumi package, helping track package adoption and identify affected stacks when planning package upgrades or deprecations.

Request Parameters

orgName string path required
The organization name
continuationToken string query optional
The continuation token
limit integer query optional
Maximum number of results to return per page. Defaults to 100, maximum 500.
packageName string query optional
The package name
version string query optional
Filter to stacks using this specific version. If omitted, returns stacks using any version.

Responses

200 OK

Schema: PackageUsageResponse

packageName string optional
The package name that was queried.
totalStacks integer optional
The total number of stacks using this package.
stacks array[StackUsage] optional
The list of stacks using this package.
↳ stackName string optional
The name of the stack.
↳ stackId string optional
The unique identifier of the stack.
↳ projectName string optional
The name of the project containing this stack.
↳ version string optional
The parsed semantic version of the package used, if available.
↳ providerUrn string optional
The full provider URN for this stack.
↳ lastUpdate StackUpdate optional
Information about the most recent stack update, if available.
continuationToken string optional
Token for fetching the next page of results. Null if there are no more results.

Errors: 400 missing required query param: packageName 404 Package or organization not found

List Deleted Stacks

▼

GET /api/orgs/{orgName}/restore-stack

ListDeletedStacks returns the last 25 deleted stacks for a given org. It would be incredible to one day merge this function with ListOrganizationProjects – but that function is very bloated and not performant, so implementing a lighter-weight handler focusing only on the most recently deleted stacks.

Request Parameters

orgName string path required
The organization name

Responses

200 OK

Schema: ListDeletedStacksResponse

deletedStacks array[DeletedStack] required
The list of deleted stacks
↳ id string required
The unique identifier of the deleted stack.
↳ programId string required
The program identifier associated with the stack.
↳ projectName string required
The name of the project the stack belonged to.
↳ stackName string required
The name of the stack.
↳ version integer required
The version number of the stack.
↳ deletedAt integer required
The Unix timestamp when the stack was deleted.
↳ lastUpdate UpdateSummary required
The last update summary for the stack before deletion.

Restore Deleted Stack

▼

POST /api/orgs/{orgName}/restore-stack/{programID}

RestoreDeletedStack un-deletes a soft-deleted stack for the given programID if the organization has the restore stacks feature enabled.

Request Parameters

orgName string path required
The organization name
programID string path required
The program identifier

Request Body

Schema: RestoreDeletedStackRequest

stackName string required
The name of the stack to restore.

Responses

204 No Content

Errors: 404 program 409 Stack with this name already exists

List Roles By Org ID And UX Purpose

▼

GET /api/orgs/{orgName}/roles

Returns custom roles for an organization filtered by their UX purpose (e.g., ‘organization’, ’team’, or ’token’). This allows the UI to display only the roles relevant to the current context, such as showing only organization-level roles when managing member access.

Request Parameters

orgName string path required
The organization name
uxPurpose string query optional
Filter roles by their UX purpose (e.g., ‘organization’, ’team’, ’token’)

Responses

200 OK

Schema: ListRolesResponse

roles array[PermissionDescriptorRecord] required
The list of roles
↳ created string required
When the role was created.
↳ name string optional
The name of the permission descriptor.
↳ description string optional
A human-readable description of the permission descriptor.
↳ modified string required
When the role was last modified.
↳ id string required
The unique identifier for this role.
↳ resourceType string optional
The resource type this permission descriptor applies to.
↳ orgId string required
The ID of the organization this role belongs to.
↳ uxPurpose enum optional
The UX purpose of this permission descriptor (e.g. role, policy, set).
Values: role, role_private, role_temporary, policy, set
↳ defaultIdentifier string optional
The identifier for default roles. Empty for custom roles.
↳ details PermissionDescriptor optional
The detailed permission descriptor tree.
↳ version integer required
The version of this role.
↳ isOrgDefault boolean required
Whether this role is the organization default.

Errors: 400 Role purpose is not valid

Create Role

▼

POST /api/orgs/{orgName}/roles

Creates a new custom role for an organization. Custom roles define fine-grained permission sets that can be assigned to organization members and teams, enabling precise access control beyond the built-in admin and member roles. Optionally, an associated policy and role binding can be created alongside the role.

Request Parameters

orgName string path required
The organization name
createPolicyAndRole boolean query optional
Also create an associated policy and role binding alongside the role

Request Body

Schema: PermissionDescriptorBase

name string optional
The name of the permission descriptor.
description string optional
A human-readable description of the permission descriptor.
resourceType string optional
The resource type this permission descriptor applies to.
uxPurpose enum optional
The UX purpose of this permission descriptor (e.g. role, policy, set).
Values: role, role_private, role_temporary, policy, set
details PermissionDescriptor optional
The detailed permission descriptor tree.
↳ __type string required

Responses

200 OK

Schema: PermissionDescriptorRecord

created string required
When the role was created.
name string optional
The name of the permission descriptor.
description string optional
A human-readable description of the permission descriptor.
modified string required
When the role was last modified.
id string required
The unique identifier for this role.
resourceType string optional
The resource type this permission descriptor applies to.
orgId string required
The ID of the organization this role belongs to.
uxPurpose enum optional
The UX purpose of this permission descriptor (e.g. role, policy, set).
Values: role, role_private, role_temporary, policy, set
defaultIdentifier string optional
The identifier for default roles. Empty for custom roles.
details PermissionDescriptor optional
The detailed permission descriptor tree.
↳ __type string required
version integer required
The version of this role.
isOrgDefault boolean required
Whether this role is the organization default.

Errors: 400 Invalid role references: referenced role or permission set ID does not exist or is empty 409 Role with this name already exists

Get Role

▼

GET /api/orgs/{orgName}/roles/{roleID}

Returns the details of a specific custom role, including its name, description, and the set of permission scopes it grants. Custom roles enable fine-grained access control beyond the built-in admin and member roles.

Request Parameters

orgName string path required
The organization name
roleID string path required
The role identifier

Responses

200 OK

Schema: PermissionDescriptorRecord

created string required
When the role was created.
name string optional
The name of the permission descriptor.
description string optional
A human-readable description of the permission descriptor.
modified string required
When the role was last modified.
id string required
The unique identifier for this role.
resourceType string optional
The resource type this permission descriptor applies to.
orgId string required
The ID of the organization this role belongs to.
uxPurpose enum optional
The UX purpose of this permission descriptor (e.g. role, policy, set).
Values: role, role_private, role_temporary, policy, set
defaultIdentifier string optional
The identifier for default roles. Empty for custom roles.
details PermissionDescriptor optional
The detailed permission descriptor tree.
↳ __type string required
version integer required
The version of this role.
isOrgDefault boolean required
Whether this role is the organization default.

Update Role

▼

PATCH /api/orgs/{orgName}/roles/{roleID}

Updates an existing custom role’s name, description, or permission scopes. Changes take effect immediately for all members and teams assigned to the role.

Request Parameters

orgName string path required
The organization name
roleID string path required
The role identifier

Request Body

Schema: UpdateRoleRequest

Name string required
The new name for the role.
Description string required
The new description for the role.
Details PermissionDescriptor required
The permission details for the role.
↳ __type string required

Responses

200 OK

Schema: PermissionDescriptorRecord

created string required
When the role was created.
name string optional
The name of the permission descriptor.
description string optional
A human-readable description of the permission descriptor.
modified string required
When the role was last modified.
id string required
The unique identifier for this role.
resourceType string optional
The resource type this permission descriptor applies to.
orgId string required
The ID of the organization this role belongs to.
uxPurpose enum optional
The UX purpose of this permission descriptor (e.g. role, policy, set).
Values: role, role_private, role_temporary, policy, set
defaultIdentifier string optional
The identifier for default roles. Empty for custom roles.
details PermissionDescriptor optional
The detailed permission descriptor tree.
↳ __type string required
version integer required
The version of this role.
isOrgDefault boolean required
Whether this role is the organization default.

Errors: 400 Invalid role references: referenced role or permission set ID does not exist or is empty 409 Role with this name already exists

Delete Role

▼

DELETE /api/orgs/{orgName}/roles/{roleID}

Deletes a custom role from an organization. If the role is currently assigned to members or teams, deletion requires the force parameter. Deleting a role revokes the permissions it granted to any assigned members or teams.

Request Parameters

orgName string path required
The organization name
roleID string path required
The role identifier
force boolean query optional
Force deletion even if the role is currently assigned to members or teams

Responses

204 No Content

Errors: 400 invalid query parameter 404 Role

Update Organization Default Role

▼

PATCH /api/orgs/{orgName}/roles/{roleID}/default

Sets the default custom role for the organization. New members who join the organization will be automatically assigned this role unless a different role is specified during the invitation process.

Request Parameters

orgName string path required
The organization name
roleID string path required
The role identifier

Responses

204 No Content

Errors: 400 Invalid role type

List Teams With Role

▼

GET /api/orgs/{orgName}/roles/{roleID}/teams

Request Parameters

orgName string path required
The organization name
roleID string path required
The role identifier

Responses

200 OK

Schema: ListTeamsWithRoleResponse

teams array[Team] required
Teams that are backed by the given role.
↳ kind enum required
The kind of team (e.g., pulumi or GitHub-backed).
Values: github, pulumi, scim
↳ name string required
The unique identifier name of the team within the organization.
↳ displayName string required
The human-readable display name shown in the UI.
↳ description string required
A free-form text description of the team’s purpose.
↳ members array[TeamMemberInfo] optional
The list of team members.
↳ stacks array[TeamStackPermission] optional
The list of stack permissions granted to the team.
↳ environments array[TeamEnvironmentSettings] optional
The list of environment settings for the team.
↳ accounts array[TeamAccountPermission] optional
The list of account permissions granted to the team.
↳ listMembersError string optional
ListMembersError is the error message if an error was encountered whilst trying to contact the team’s backend (eg. GitHub). The UI will only show this error if it is non-nil and if Members itself is an empty slice.
↳ userRole enum optional
UserRole is the calling user’s role on the given team.
Values: none, member, admin
↳ roleIds array[string] optional
RoleIDs are the IDs of the FGA roles assigned to the team, if any. Currently only one role per team is supported.

List Org Tokens With Role

▼

GET /api/orgs/{orgName}/roles/{roleID}/tokens

Returns all organization tokens that have been assigned to a specific custom role. This helps administrators audit which tokens have particular permission levels and manage token-to-role assignments for least-privilege access.

Request Parameters

orgName string path required
The organization name
roleID string path required
The role identifier

Responses

200 OK

Schema: ListAccessTokensResponse

tokens array[AccessToken] required
The list of access tokens
↳ id string required
Unique identifier for this access token.
↳ name string required
Human-readable name assigned to this access token.
↳ description string required
User-provided description of the token’s purpose.
↳ created string required
Timestamp when the token was created, in ISO 8601 format.
↳ lastUsed integer required
Unix epoch timestamp (seconds) when the token was last used. Zero if never used.
↳ expires integer required
Unix epoch timestamp (seconds) when the token expires. Zero if it never expires.
↳ admin boolean required
Whether this token has Pulumi Cloud admin privileges.
↳ createdBy string required
User.GitHubLogin of the user that created the access token
↳ role AccessTokenRole optional
Role associated with the token, if applicable

List Users With Role

▼

GET /api/orgs/{orgName}/roles/{roleID}/users

Request Parameters

orgName string path required
The organization name
roleID string path required
The role identifier

Responses

200 OK

Schema: ListUsersWithRoleResponse

users array[UserInfo] required
Users that have been explicitly configured to the given role (ie, not configured via default role).
↳ name string required
The user’s display name.
↳ githubLogin string required
The user’s login name.
↳ avatarUrl string required
The URL of the user’s avatar image.
↳ email string optional
IMPORTANT: The email address of the user is only included on a few admin-only APIs. For nearly all APIs that return a UserInfo object, this will not be provided. considered sensitive information.

List Available Scopes

▼

GET /api/orgs/{orgName}/roles/scopes

Returns all available permission scopes that can be assigned to custom roles, organized by category (e.g., stacks, teams, organization settings). Each scope represents a specific action or capability that can be granted or denied.

Request Parameters

orgName string path required
The organization name

Responses

200 successful operation

Get SAML Organization

▼

GET /api/orgs/{orgName}/saml

Returns the SAML configuration data for an organization, including the SSO endpoint URL, identity provider metadata, and SAML attribute mappings. SAML-backed organizations use an external identity provider for user authentication and can enforce single sign-on for all members.

Request Parameters

orgName string path required
The organization name

Responses

200 OK

Schema: SAMLOrganization

organization Organization required
The Pulumi organization.
↳ githubLogin string required
The GitHub login associated with the organization.
↳ name string required
The name of the organization.
↳ avatarUrl string required
The URL of the organization’s avatar image.
↳ repos array[PulumiRepository] required
The repositories belonging to the organization.
idpSsoDescriptor string required
The SAML Identity Provider SSO descriptor XML.
entityId string optional
The following fields can be empty if the metadata (IDPSSODescriptor) itself is empty for the organization.
ssoUrl string optional
The SSO URL for the identity provider.
validUntil string optional
ValidUntil is the date until which the X.509 Certificate issued to the organization by the identity provider is valid.
nameIdFormat string optional
The SAML NameID format used by the identity provider.
validationError string optional
ValidationError will be set only if there is an error validating the SAML org’s metadata XML.

Update SAML Organization

▼

PATCH /api/orgs/{orgName}/saml

Updates the SAML configuration for a SAML-backed organization, including the identity provider SSO descriptor, attribute mappings, and other SAML settings. The new IDP SSO descriptor is required in the update request.

Request Parameters

orgName string path required
The organization name

Request Body

Schema: UpdateSAMLOrganizationRequest

newIdpSsoDescriptor string optional
The new IDP SSO descriptor XML for the SAML configuration.

Responses

200 OK

Schema: SAMLOrganization

organization Organization required
The Pulumi organization.
↳ githubLogin string required
The GitHub login associated with the organization.
↳ name string required
The name of the organization.
↳ avatarUrl string required
The URL of the organization’s avatar image.
↳ repos array[PulumiRepository] required
The repositories belonging to the organization.
idpSsoDescriptor string required
The SAML Identity Provider SSO descriptor XML.
entityId string optional
The following fields can be empty if the metadata (IDPSSODescriptor) itself is empty for the organization.
ssoUrl string optional
The SSO URL for the identity provider.
validUntil string optional
ValidUntil is the date until which the X.509 Certificate issued to the organization by the identity provider is valid.
nameIdFormat string optional
The SAML NameID format used by the identity provider.
validationError string optional
ValidationError will be set only if there is an error validating the SAML org’s metadata XML.

Errors: 400 NewIDPSSODescriptor is required. 404 SAML Organization

List SAML Organization Admins

▼

GET /api/orgs/{orgName}/saml/admins

ListSAMLOrganizationAdmins returns the list of SAML admins for an organization. We currently only support one SAML admin per organization, where the SAML admin is the user who onboarded the organization to SAML.

Request Parameters

orgName string path required
The organization name

Responses

200 OK

Schema: ListSAMLOrganizationAdminsResponse

samlAdmins array[UserInfo] required
The list of SAML administrators
↳ name string required
The user’s display name.
↳ githubLogin string required
The user’s login name.
↳ avatarUrl string required
The URL of the user’s avatar image.
↳ email string optional
IMPORTANT: The email address of the user is only included on a few admin-only APIs. For nearly all APIs that return a UserInfo object, this will not be provided. considered sensitive information.

Update SAML Organization Admins

▼

POST /api/orgs/{orgName}/saml/admins/{userLogin}

Updates the SAML admin for an organization. The SAML admin is the user who manages the SAML SSO configuration. Currently, each organization supports only one SAML admin (typically the user who onboarded the organization to SAML). The new admin must not belong to other organizations.

Request Parameters

orgName string path required
The organization name
userLogin string path required
The user login name

Responses

204 No Content

Errors: 400 Requesting user belongs to other organizations

Search Cluster Available

▼

HEAD /api/orgs/{orgName}/search

Returns a 200 response if the search cluster is available and healthy, 404 otherwise. This is a lightweight health check used to determine whether resource search functionality is operational for the organization.

Request Parameters

orgName string path required
The organization name

Responses

200 OK

Errors: 404 search cluster

Get Resource Column Filter Set

▼

GET /api/orgs/{orgName}/search/column-set

Returns aggregation results for a given field in resource search, providing the unique values and counts for a specific field like ’type’, ‘package’, or ‘project’. This is used to populate filter dropdowns and faceted navigation in the resource search UI.

Request Parameters

orgName string path required
The organization name
field string query optional
The resource field to aggregate (e.g., ’type’, ‘package’, ‘project’)
query string query optional
Search query string

Responses

200 successful operation

Errors: 400 missing field parameter 422 search cluster is unreachable

Get Usage Summary Environment Secrets

▼

GET /api/orgs/{orgName}/secrets/summary

GetUsageSummaryEnvironmentSecrets handles request to fetch the summary of ESC secret hours for an organization.

Request Parameters

orgName string path required
The organization name
granularity string query optional
Time granularity for aggregation (e.g., ‘hourly’, ‘daily’, ‘monthly’)
lookbackDays integer query optional
Number of days to look back from the current time or lookbackStart
lookbackStart integer query optional
Unix timestamp for the start of the lookback period (defaults to current time if omitted)

Responses

200 OK

Schema: GetResourceCountSummaryResponse

summary array[ResourceCountSummary] required
The list of resource count summaries
↳ year integer required
The 4-digit year.
↳ month integer optional
The month of the year. Ranges from 1 to 12.
↳ day integer optional
The day of month. Ranges from 1 to 31.
↳ weekNumber integer optional
The week number in the year with Sunday marking the start of the week. Ranges from 0-53.
↳ hour integer optional
The hour of the day. Ranges from 0 to 23.
↳ resources integer required
The RUM (total number of resources under management at a given time). Calculated by getting the average of the all the resources for the given time frame.
↳ resourceHours integer required
The RHUM, which is the number of hours the resources under management have been running. Calculated by getting the sum of all the resources for the given time frame. 1 resource hour = 1 Pulumi credit.

204 No Content

List Teams

▼

GET /api/orgs/{orgName}/teams

Retrieves all teams within an organization. Teams provide a centralized way to manage stack access permissions for groups of users. The response includes each team’s name, type (Pulumi-managed, GitHub-backed, or GitLab-backed), member count, and summary of stack permissions. Teams are available to organizations on Enterprise and Business Critical editions.

Request Parameters

orgName string path required
The organization name

Responses

200 OK

Schema: ListTeamsResponse

teams array[Team] required
The list of teams
↳ kind enum required
The kind of team (e.g., pulumi or GitHub-backed).
Values: github, pulumi, scim
↳ name string required
The unique identifier name of the team within the organization.
↳ displayName string required
The human-readable display name shown in the UI.
↳ description string required
A free-form text description of the team’s purpose.
↳ members array[TeamMemberInfo] optional
The list of team members.
↳ stacks array[TeamStackPermission] optional
The list of stack permissions granted to the team.
↳ environments array[TeamEnvironmentSettings] optional
The list of environment settings for the team.
↳ accounts array[TeamAccountPermission] optional
The list of account permissions granted to the team.
↳ listMembersError string optional
ListMembersError is the error message if an error was encountered whilst trying to contact the team’s backend (eg. GitHub). The UI will only show this error if it is non-nil and if Members itself is an empty slice.
↳ userRole enum optional
UserRole is the calling user’s role on the given team.
Values: none, member, admin
↳ roleIds array[string] optional
RoleIDs are the IDs of the FGA roles assigned to the team, if any. Currently only one role per team is supported.

Get Team

▼

GET /api/orgs/{orgName}/teams/{teamName}

Retrieves detailed information about a specific team within an organization. The response includes the team name, display name, description, team type (Pulumi-managed, GitHub-backed, or GitLab-backed), list of members with their roles (team admin or team member), and the stack permissions granted to the team. Teams provide a centralized way to manage stack access for groups of users.

Request Parameters

orgName string path required
The organization name
teamName string path required
The team name

Responses

200 OK

Schema: Team

kind enum required
The kind of team (e.g., pulumi or GitHub-backed).
Values: github, pulumi, scim
name string required
The unique identifier name of the team within the organization.
displayName string required
The human-readable display name shown in the UI.
description string required
A free-form text description of the team’s purpose.
members array[TeamMemberInfo] optional
The list of team members.
↳ name string required
The user’s display name.
↳ role enum required
The member’s role within the team.
Values: none, member, admin
↳ githubLogin string required
The user’s login name.
↳ avatarUrl string required
The URL of the user’s avatar image.
↳ email string optional
IMPORTANT: The email address of the user is only included on a few admin-only APIs. For nearly all APIs that return a UserInfo object, this will not be provided. considered sensitive information.
stacks array[TeamStackPermission] optional
The list of stack permissions granted to the team.
↳ projectName string required
The project containing the stack.
↳ stackName string required
The stack within the project.
↳ permission enum required
The permission level the team has on this stack (e.g., read, write, admin).
Values: 0, 101, 102, 103, 104
↳ permissionSetName string optional
Display name of the permission set for this stack, when available. Enables read-only entity access UI without requiring RoleRead.
environments array[TeamEnvironmentSettings] optional
The list of environment settings for the team.
↳ projectName string required
The project containing the environment.
↳ envName string required
The environment within the project.
↳ permission enum required
The permission level the team has on this environment.
Values: none, read, open, write, admin
↳ maxOpenDuration string optional
The maximum duration an environment session can remain open, as a Go duration string (e.g. “1h30m”).
↳ permissionSetName string optional
Display name of the permission set for this environment, when available. Enables read-only entity access UI without requiring RoleRead.
accounts array[TeamAccountPermission] optional
The list of account permissions granted to the team.
↳ accountName string required
The Insights account name.
↳ permission enum required
The permission level the team has on this Insights account.
Values: 0, 1, 2, 3
↳ permissionSetName string optional
Display name of the permission set for this account, when available. Enables read-only entity access UI without requiring RoleRead.
listMembersError string optional
ListMembersError is the error message if an error was encountered whilst trying to contact the team’s backend (eg. GitHub). The UI will only show this error if it is non-nil and if Members itself is an empty slice.
userRole enum optional
UserRole is the calling user’s role on the given team.
Values: none, member, admin
roleIds array[string] optional
RoleIDs are the IDs of the FGA roles assigned to the team, if any. Currently only one role per team is supported.

Update Team

▼

PATCH /api/orgs/{orgName}/teams/{teamName}

Updates a team’s membership and configuration. This multi-purpose endpoint supports several operations:

Update membership: Use member (username) and memberAction (add or remove) to manage team members.

Grant stack access: Use addStackPermission with projectName, stackName, and permission (integer: 101 = read, 102 = edit, 103 = admin).

Remove stack access: Use removeStack with projectName and stackName.

Members added to a team inherit the team’s stack permissions. Teams are not available to individual (single-user) organizations.

Request Parameters

orgName string path required
The organization name
teamName string path required
The team name

Request Body

Schema: UpdateTeamRequest

newDisplayName string optional
The new display name for the team.
newDescription string optional
The new description for the team.
memberAction enum optional
MemberAction is the action to perform.
Values: add, remove, promote, demote
member string optional
Member to be added or removed based on MemberAction.
addStackPermission TeamStackPermission optional
A stack permission to add to the team.
↳ projectName string required
The project containing the stack.
↳ stackName string required
The stack within the project.
↳ permission enum required
The permission level the team has on this stack (e.g., read, write, admin).
Values: 0, 101, 102, 103, 104
↳ permissionSetName string optional
Display name of the permission set for this stack, when available. Enables read-only entity access UI without requiring RoleRead.
editStackPermission TeamStackPermission optional
A stack permission to edit on the team.
↳ projectName string required
The project containing the stack.
↳ stackName string required
The stack within the project.
↳ permission enum required
The permission level the team has on this stack (e.g., read, write, admin).
Values: 0, 101, 102, 103, 104
↳ permissionSetName string optional
Display name of the permission set for this stack, when available. Enables read-only entity access UI without requiring RoleRead.
removeStack RemoveStackIdentifier optional
A stack to remove from the team.
↳ projectName string required
The name of the project containing the stack.
↳ stackName string required
The name of the stack to remove.
addEnvironmentPermission TeamEnvironmentSettings optional
An environment permission to add to the team.
↳ projectName string required
The project containing the environment.
↳ envName string required
The environment within the project.
↳ permission enum required
The permission level the team has on this environment.
Values: none, read, open, write, admin
↳ maxOpenDuration string optional
The maximum duration an environment session can remain open, as a Go duration string (e.g. “1h30m”).
↳ permissionSetName string optional
Display name of the permission set for this environment, when available. Enables read-only entity access UI without requiring RoleRead.
editEnvironmentPermission TeamEnvironmentSettings optional
An environment permission to edit on the team.
↳ projectName string required
The project containing the environment.
↳ envName string required
The environment within the project.
↳ permission enum required
The permission level the team has on this environment.
Values: none, read, open, write, admin
↳ maxOpenDuration string optional
The maximum duration an environment session can remain open, as a Go duration string (e.g. “1h30m”).
↳ permissionSetName string optional
Display name of the permission set for this environment, when available. Enables read-only entity access UI without requiring RoleRead.
removeEnvironment RemoveEnvironmentIdentifier optional
An environment to remove from the team.
↳ projectName string required
The name of the project containing the environment.
↳ envName string required
The name of the environment to remove.

Responses

204 No Content

Errors: 400 Teams are not available to individual orgs.

Delete Team

▼

DELETE /api/orgs/{orgName}/teams/{teamName}

Permanently removes a team from an organization. All stack permission grants assigned to the team are revoked, and team members lose any access that was granted solely through team membership. Team tokens associated with the team are also invalidated. This action cannot be undone.

Request Parameters

orgName string path required
The organization name
teamName string path required
The team name

Responses

204 No Content

Errors: 404 Team

Enable Team Roles

▼

POST /api/orgs/{orgName}/teams/{teamName}/enable-team-roles

Enables custom role-based access control for a team. Once enabled, the team can be assigned custom roles that define fine-grained permissions beyond the default team admin and team member roles. Returns the created role descriptor.

Request Parameters

orgName string path required
The organization name
teamName string path required
The team name

Responses

200 OK

Schema: PermissionDescriptorRecord

created string required
When the role was created.
name string optional
The name of the permission descriptor.
description string optional
A human-readable description of the permission descriptor.
modified string required
When the role was last modified.
id string required
The unique identifier for this role.
resourceType string optional
The resource type this permission descriptor applies to.
orgId string required
The ID of the organization this role belongs to.
uxPurpose enum optional
The UX purpose of this permission descriptor (e.g. role, policy, set).
Values: role, role_private, role_temporary, policy, set
defaultIdentifier string optional
The identifier for default roles. Empty for custom roles.
details PermissionDescriptor optional
The detailed permission descriptor tree.
↳ __type string required
version integer required
The version of this role.
isOrgDefault boolean required
Whether this role is the organization default.

Errors: 400 Role with this name already exists

List Team Roles

▼

GET /api/orgs/{orgName}/teams/{teamName}/roles

ListTeamRoles will list the roles for a team. For now, this will always be a list of one, since we currently only support one role per team.

Request Parameters

orgName string path required
The organization name
teamName string path required
The team name

Responses

200 OK

Schema: ListTeamRolesResponse

roles array[PermissionDescriptorRecord] required
The list of roles assigned to the team
↳ created string required
When the role was created.
↳ name string optional
The name of the permission descriptor.
↳ description string optional
A human-readable description of the permission descriptor.
↳ modified string required
When the role was last modified.
↳ id string required
The unique identifier for this role.
↳ resourceType string optional
The resource type this permission descriptor applies to.
↳ orgId string required
The ID of the organization this role belongs to.
↳ uxPurpose enum optional
The UX purpose of this permission descriptor (e.g. role, policy, set).
Values: role, role_private, role_temporary, policy, set
↳ defaultIdentifier string optional
The identifier for default roles. Empty for custom roles.
↳ details PermissionDescriptor optional
The detailed permission descriptor tree.
↳ version integer required
The version of this role.
↳ isOrgDefault boolean required
Whether this role is the organization default.

Errors: 404 Role

Update Team Roles

▼

POST /api/orgs/{orgName}/teams/{teamName}/roles/{roleID}

UpdateTeamRoles upserts the role assigned to a team since we currently only support a 1:1 mapping of teams to roles.

Request Parameters

orgName string path required
The organization name
teamName string path required
The team name
roleID string path required
The role identifier

Responses

204 No Content

Errors: 400 Role with this name already exists

Delete Team Role

▼

DELETE /api/orgs/{orgName}/teams/{teamName}/roles/{roleID}

Removes a custom role assignment from a team. This revokes the permissions that were granted to team members through the role. Currently only one role can be assigned per team.

Request Parameters

orgName string path required
The organization name
teamName string path required
The team name
roleID string path required
The role identifier

Responses

204 No Content

Errors: 404 Role

List Team Tokens

▼

GET /api/orgs/{orgName}/teams/{teamName}/tokens

Retrieves all access tokens for a specific team. Team tokens inherit the stack permissions assigned to the team, providing scoped CI/CD automation access. The response includes token metadata such as name, description, creation date, last used date, and expiration status. The actual token values are never returned after initial creation. An optional filter parameter can include expired tokens.

Request Parameters

orgName string path required
The organization name
teamName string path required
The team name
filter string query optional
Filter tokens by status (e.g., include expired tokens)

Responses

200 OK

Schema: ListAccessTokensResponse

tokens array[AccessToken] required
The list of access tokens
↳ id string required
Unique identifier for this access token.
↳ name string required
Human-readable name assigned to this access token.
↳ description string required
User-provided description of the token’s purpose.
↳ created string required
Timestamp when the token was created, in ISO 8601 format.
↳ lastUsed integer required
Unix epoch timestamp (seconds) when the token was last used. Zero if never used.
↳ expires integer required
Unix epoch timestamp (seconds) when the token expires. Zero if it never expires.
↳ admin boolean required
Whether this token has Pulumi Cloud admin privileges.
↳ createdBy string required
User.GitHubLogin of the user that created the access token
↳ role AccessTokenRole optional
Role associated with the token, if applicable

Create Team Token

▼

POST /api/orgs/{orgName}/teams/{teamName}/tokens

Generates a new access token scoped to a specific team within an organization. Team tokens inherit the stack permissions assigned to the team, making them suitable for CI/CD pipelines that need access limited to a specific set of stacks.

The name field must be unique across the organization (including deleted tokens) and cannot exceed 40 characters. The expires field accepts a unix epoch timestamp up to two years from the present, or 0 for no expiry (default).

Important: The token value in the response is only returned once at creation time and cannot be retrieved later.

Request Parameters

orgName string path required
The organization name
teamName string path required
The team name
reason string query optional
Audit log reason for creating this token

Request Body

Schema: CreateTeamAccessTokenRequest

description string required
The description
name string required
The name
expires integer required
The expiration time

Responses

200 OK

Schema: CreateAccessTokenResponse

id string required
The unique identifier
tokenValue string required
The token value

Delete Team Token

▼

DELETE /api/orgs/{orgName}/teams/{teamName}/tokens/{tokenId}

Permanently revokes and deletes a team access token. Any CI/CD pipelines or automation using this token will immediately lose access to the stacks assigned to the team. This action cannot be undone.

Request Parameters

orgName string path required
The organization name
teamName string path required
The team name
tokenId string path required
The access token identifier
reason string query optional
Audit log reason for deleting this token

Responses

204 No Content

Errors: 400 the requested token is not a team token

Create GitHub Team

▼

POST /api/orgs/{orgName}/teams/github

Creates a new Pulumi team backed by a GitHub team. When an organization is backed by GitHub, existing GitHub teams can be imported into Pulumi to manage stack permissions. Membership is managed through GitHub while stack access permissions are controlled within Pulumi Cloud. The request must include the GitHub team ID. Returns 409 if a team with the same name already exists.

Request Parameters

orgName string path required
The organization name

Request Body

Schema: CreateGitHubTeamRequest

githubTeamID integer required
GitHubTeamID is the GitHub ID of the team to mirror. Must be in the same GitHub organization that the Pulumi org is backed by.

Responses

201 Created

Schema: Team

kind enum required
The kind of team (e.g., pulumi or GitHub-backed).
Values: github, pulumi, scim
name string required
The unique identifier name of the team within the organization.
displayName string required
The human-readable display name shown in the UI.
description string required
A free-form text description of the team’s purpose.
members array[TeamMemberInfo] optional
The list of team members.
↳ name string required
The user’s display name.
↳ role enum required
The member’s role within the team.
Values: none, member, admin
↳ githubLogin string required
The user’s login name.
↳ avatarUrl string required
The URL of the user’s avatar image.
↳ email string optional
IMPORTANT: The email address of the user is only included on a few admin-only APIs. For nearly all APIs that return a UserInfo object, this will not be provided. considered sensitive information.
stacks array[TeamStackPermission] optional
The list of stack permissions granted to the team.
↳ projectName string required
The project containing the stack.
↳ stackName string required
The stack within the project.
↳ permission enum required
The permission level the team has on this stack (e.g., read, write, admin).
Values: 0, 101, 102, 103, 104
↳ permissionSetName string optional
Display name of the permission set for this stack, when available. Enables read-only entity access UI without requiring RoleRead.
environments array[TeamEnvironmentSettings] optional
The list of environment settings for the team.
↳ projectName string required
The project containing the environment.
↳ envName string required
The environment within the project.
↳ permission enum required
The permission level the team has on this environment.
Values: none, read, open, write, admin
↳ maxOpenDuration string optional
The maximum duration an environment session can remain open, as a Go duration string (e.g. “1h30m”).
↳ permissionSetName string optional
Display name of the permission set for this environment, when available. Enables read-only entity access UI without requiring RoleRead.
accounts array[TeamAccountPermission] optional
The list of account permissions granted to the team.
↳ accountName string required
The Insights account name.
↳ permission enum required
The permission level the team has on this Insights account.
Values: 0, 1, 2, 3
↳ permissionSetName string optional
Display name of the permission set for this account, when available. Enables read-only entity access UI without requiring RoleRead.
listMembersError string optional
ListMembersError is the error message if an error was encountered whilst trying to contact the team’s backend (eg. GitHub). The UI will only show this error if it is non-nil and if Members itself is an empty slice.
userRole enum optional
UserRole is the calling user’s role on the given team.
Values: none, member, admin
roleIds array[string] optional
RoleIDs are the IDs of the FGA roles assigned to the team, if any. Currently only one role per team is supported.

Errors: 400 No TeamID provided. 404 GitHub Team 409 Team with this name already exists

Create Pulumi Team

▼

POST /api/orgs/{orgName}/teams/pulumi

CreatePulumiTeam creates a “Pulumi” team, i.e. one whose membership is managed by Pulumi. (As opposed to a GitHub or GitLab-based team.)

Request Parameters

orgName string path required
The organization name

Request Body

Schema: CreatePulumiTeamRequest

name string required
The name
displayName string required
The display name
description string required
The description

Responses

201 Created

Schema: Team

kind enum required
The kind of team (e.g., pulumi or GitHub-backed).
Values: github, pulumi, scim
name string required
The unique identifier name of the team within the organization.
displayName string required
The human-readable display name shown in the UI.
description string required
A free-form text description of the team’s purpose.
members array[TeamMemberInfo] optional
The list of team members.
↳ name string required
The user’s display name.
↳ role enum required
The member’s role within the team.
Values: none, member, admin
↳ githubLogin string required
The user’s login name.
↳ avatarUrl string required
The URL of the user’s avatar image.
↳ email string optional
IMPORTANT: The email address of the user is only included on a few admin-only APIs. For nearly all APIs that return a UserInfo object, this will not be provided. considered sensitive information.
stacks array[TeamStackPermission] optional
The list of stack permissions granted to the team.
↳ projectName string required
The project containing the stack.
↳ stackName string required
The stack within the project.
↳ permission enum required
The permission level the team has on this stack (e.g., read, write, admin).
Values: 0, 101, 102, 103, 104
↳ permissionSetName string optional
Display name of the permission set for this stack, when available. Enables read-only entity access UI without requiring RoleRead.
environments array[TeamEnvironmentSettings] optional
The list of environment settings for the team.
↳ projectName string required
The project containing the environment.
↳ envName string required
The environment within the project.
↳ permission enum required
The permission level the team has on this environment.
Values: none, read, open, write, admin
↳ maxOpenDuration string optional
The maximum duration an environment session can remain open, as a Go duration string (e.g. “1h30m”).
↳ permissionSetName string optional
Display name of the permission set for this environment, when available. Enables read-only entity access UI without requiring RoleRead.
accounts array[TeamAccountPermission] optional
The list of account permissions granted to the team.
↳ accountName string required
The Insights account name.
↳ permission enum required
The permission level the team has on this Insights account.
Values: 0, 1, 2, 3
↳ permissionSetName string optional
Display name of the permission set for this account, when available. Enables read-only entity access UI without requiring RoleRead.
listMembersError string optional
ListMembersError is the error message if an error was encountered whilst trying to contact the team’s backend (eg. GitHub). The UI will only show this error if it is non-nil and if Members itself is an empty slice.
userRole enum optional
UserRole is the calling user’s role on the given team.
Values: none, member, admin
roleIds array[string] optional
RoleIDs are the IDs of the FGA roles assigned to the team, if any. Currently only one role per team is supported.

Errors: 400 Display name too long. Max length 100 characters. 409 Team with this name already exists

Get Project Template

▼

GET /api/orgs/{orgName}/template

GetProjectTemplate attempts to fetch Pulumi.yaml from a template repository. If the repository represents a valid template, we return a response identical to the format we use for the public pulumi/templates repo.

This API accepts either a url or project query param to denote either where to fetch the project template from or which project’s pre-configured template to use respectively. If both are passed in project take precedence, falling back to url if there is no source configured on the project.

Request Parameters

orgName string path required
The organization name

Responses

200 OK

Errors: 400 missing required query param: oneof [url, project] 404 project 422 invalid template

Get Project Template Configuration

▼

GET /api/orgs/{orgName}/template/configuration

GetProjectTemplateConfiguration attempts to lookup any config we store for the template using the template query parameter passed in as a key into the org’s template sources.

Request Parameters

orgName string path required
The organization name

Responses

200 OK

Schema: GetTemplateConfigurationResponse

destination TemplateDestination optional
The template destination configuration
↳ url string required
The destination URL.

Errors: 400 missing required query param: url

Get Org Template Download

▼

GET /api/orgs/{orgName}/template/download

Downloads a template archive for an organization as an application/x-tar binary stream. The template is identified by a URL query parameter pointing to the template source. Returns the tar archive containing the template’s project files and configuration.

Request Parameters

orgName string path required
The organization name

Responses

200 OK

Errors: 400 missing required query param: url

Get Org Template Readme

▼

GET /api/orgs/{orgName}/template/readme

Returns the README content for an organization template as Markdown text. The template is identified by a URL query parameter. Returns 404 if the template does not contain a README.md file, or 422 if the README content is invalid.

Request Parameters

orgName string path required
The organization name

Responses

200 OK

Errors: 400 missing required query param: url 404 README.md 422 invalid readme

Get Org Templates

▼

GET /api/orgs/{orgName}/templates

Returns a combined list of all templates available to the organization and the current user. This includes templates from the organization’s configured template collections as well as Pulumi’s built-in public templates. Each template includes its name, description, language, and source URL.

Request Parameters

orgName string path required
The organization name

Responses

200 OK

Schema: GetOrgTemplatesResponse

templates map[string]array required
Map of template source names to their available templates
orgHasTemplates boolean required
Whether the organization has any templates configured
hasAccessError boolean required
Whether there was an access error retrieving templates
hasUpstreamError boolean required
Whether there was an upstream error retrieving templates
diagnostics array[string] optional
Diagnostic messages from template retrieval

Get Org Template Collections

▼

GET /api/orgs/{orgName}/templates/sources

Returns all template collections (sources) configured for an organization. Template collections define where project templates are sourced from, such as Git repositories. Each collection includes its name, URL, and the templates it provides.

Request Parameters

orgName string path required
The organization name

Responses

200 OK

Schema: GetOrgTemplateSourcesResponse

sources array[TemplateSource] required
The list of template sources
↳ id string required
The unique identifier of the template source.
↳ isValid boolean required
Whether the template source configuration is valid.
↳ error string optional
An error message if the template source is invalid. Omitted or empty when the source is valid.
↳ name string required
The human-readable name for this template source.
↳ sourceURL string required
The source URL to fetch templates from.
↳ destinationURL string optional
The destination URL for the template source.
↳ destination TemplateDestination optional
Deprecated - use destinationURL instead.

Create Org Template Collection

▼

POST /api/orgs/{orgName}/templates/sources

Creates a new template collection (source) for an organization. Template collections define where project templates are sourced from, such as a Git repository. Organization members can use these templates to create new stacks with pre-configured infrastructure code.

Request Parameters

orgName string path required
The organization name

Request Body

Schema: UpsertOrgTemplateSourceRequest

name string required
The name of the template source.
sourceURL string required
The source URL to fetch templates from.
destinationURL string optional
The destination URL for the template source.
destination TemplateDestination optional
deprecated - use DestinationURL instead
↳ url string required
The destination URL.

Responses

200 OK

Schema: TemplateSource

id string required
The unique identifier of the template source.
isValid boolean required
Whether the template source configuration is valid.
error string optional
An error message if the template source is invalid. Omitted or empty when the source is valid.
name string required
The human-readable name for this template source.
sourceURL string required
The source URL to fetch templates from.
destinationURL string optional
The destination URL for the template source.
destination TemplateDestination optional
Deprecated - use destinationURL instead.
↳ url string required
The destination URL.

Errors: 400 unsupported template source 404 template source 409 a template source with this name already exists in this organization

Update Org Template Collection

▼

PATCH /api/orgs/{orgName}/templates/sources/{templateID}

Updates an existing template collection for an organization, allowing modification of the template source URL, name, or other configuration. Template collections define where project templates are sourced from.

Request Parameters

orgName string path required
The organization name
templateID string path required
The template identifier

Request Body

Schema: UpsertOrgTemplateSourceRequest

name string required
The name of the template source.
sourceURL string required
The source URL to fetch templates from.
destinationURL string optional
The destination URL for the template source.
destination TemplateDestination optional
deprecated - use DestinationURL instead
↳ url string required
The destination URL.

Responses

200 OK

Schema: TemplateSource

id string required
The unique identifier of the template source.
isValid boolean required
Whether the template source configuration is valid.
error string optional
An error message if the template source is invalid. Omitted or empty when the source is valid.
name string required
The human-readable name for this template source.
sourceURL string required
The source URL to fetch templates from.
destinationURL string optional
The destination URL for the template source.
destination TemplateDestination optional
Deprecated - use destinationURL instead.
↳ url string required
The destination URL.

Errors: 400 invalid template ID 404 Template Source 409 a template source with this name already exists in this organization

Delete Org Template Collection

▼

DELETE /api/orgs/{orgName}/templates/sources/{templateID}

Removes a template collection (source) from an organization. Templates sourced from this collection will no longer be available to organization members when creating new stacks. Returns 400 if the template ID is invalid, or 404 if the template source does not exist.

Request Parameters

orgName string path required
The organization name
templateID string path required
The template identifier

Responses

200 OK

Errors: 400 invalid template ID 404 Template source

Batch Decrypt Project Value

▼

POST /api/projects/{orgName}/{projectName}/batch-decrypt

BatchDecryptProjectValue works just like BatchDecryptValueHandler, but using the project’s encryption key instead of the stack’s

Request Parameters

orgName string path required
The organization name
projectName string path required
The project name

Request Body

Responses

200 OK

Schema: AppBatchDecryptResponse

plaintexts map[string]array required
Map of plaintexts

Errors: 404 project

Decrypt Project Value

▼

POST /api/projects/{orgName}/{projectName}/decrypt

DecryptProjectValue works just like DecryptValueHandler, but using the project’s encryption key instead of the stack’s

Request Parameters

orgName string path required
The organization name
projectName string path required
The project name

Request Body

Responses

200 OK

Schema: AppDecryptValueResponse

plaintext array[string] required
The decrypted value.

Errors: 404 project

Encrypt Project Value

▼

POST /api/projects/{orgName}/{projectName}/encrypt

EncryptProjectValue encrypts a value using the project’s key. The request body contains the base64 encoded value to be encrypted.

Request Parameters

orgName string path required
The organization name
projectName string path required
The project name

Request Body

Responses

200 OK

Schema: AppEncryptValueResponse

ciphertext array[string] required
The encrypted value.

Errors: 404 project

Create Stack

▼

POST /api/stacks/{orgName}/{projectName}

Creates a new stack within a project in the organization. If the project does not exist, it will be created. A stack is an isolated, independently configurable instance of a Pulumi program, typically representing a deployment environment (e.g., development, staging, production). The stack name must be unique within the project.

The optional config object supports:

environment: reference to an ESC environment for storing stack configuration (must not already exist)
secretsProvider: the secrets provider for the stack
encryptedKey: KMS-encrypted ciphertext for the data key (cloud-based secrets providers only)
encryptionSalt: base64-encoded encryption salt (passphrase-based secrets providers only)

Request Parameters

orgName string path required
The organization name
projectName string path required
The project name

Request Body

Schema: AppCreateStackRequest

stackName string required
The name of the stack being created.
tags map[string]string optional
An optional set of tags to apply to the stack.
teams array[string] optional
An optional set of teams to assign to the stack.
state AppUntypedDeployment optional
An optional state to initialize the stack with.
↳ version integer optional
The schema version of the encoded deployment.
↳ features array[string] optional
An optional list of features used by this deployment. The CLI will error when reading a deployment that uses a feature that is not supported by that version of the CLI. Only honored when version is 4 or greater.
↳ deployment object optional
The opaque Pulumi deployment payload. Treated as a raw JSON value so the contents are preserved verbatim across client and server versions.
config AppStackConfig optional
The configuration for the new stack.
↳ environment string required
Reference to ESC environment to use as stack configuration.
↳ secretsProvider string optional
The stack’s secrets provider.
↳ encryptedKey string optional
The KMS-encrypted ciphertext for the data key used for secrets encryption. Only used for cloud-based secrets providers.
↳ encryptionSalt string optional
The stack’s base64-encoded encryption salt. Only used for passphrase-based secrets providers.

Responses

200 OK

Schema: AppCreateStackResponse

messages array[AppMessage] optional
Messages is a list of messages that should be displayed to the user.
↳ severity enum optional
Severity is the severity of the message.
Values: warning, error, info
↳ message string required
Message is the message to display to the user.

Project Exists

▼

HEAD /api/stacks/{orgName}/{projectName}

Checks whether a project exists within an organization. Returns 200 with the project name if it exists, or 404 if not found. This is a lightweight existence check useful for validating project names before creating stacks or performing other operations.

Request Parameters

orgName string path required
The organization name
projectName string path required
The project name

Responses

200 OK

Errors: 404 Project

Organizations

On this page

On this page

List Change Gates

Request Parameters

Responses

Create Change Gate

Request Parameters

Request Body

Responses

Read Change Gate

Request Parameters

Responses

Update Change Gate

Request Parameters

Request Body

Responses

Delete Change Gate

Request Parameters

Responses

List Change Requests

Request Parameters

Responses

Read Change Request

Request Parameters

Responses

Update Change Request

Request Parameters

Request Body

Responses

Apply Change Request

Request Parameters

Responses

Approve Change Request

Request Parameters

Request Body

Responses

Unapprove Change Request

Request Parameters

Request Body

Responses

Close Change Request

Request Parameters

Request Body

Responses

Add Change Request Comment

Request Parameters

Request Body

Responses

List Change Request Events

Request Parameters

Responses

Submit Change Request

Request Parameters

Request Body

Responses

Get Organization

Request Parameters

Responses

Update Organization Settings

Request Parameters

Request Body

Responses

Update Auth Policy

Request Parameters

Request Body

Responses

Transfer All Stacks

Request Parameters

Request Body

Responses

List Organization Keys

Request Parameters

Responses

Create Organization Key

Request Parameters

Request Body

Responses

Set Default Organization Key

Request Parameters