GitHub Enterprise API
GitHub Enterprise (Cloud + Server) REST v3 and GraphQL v4 APIs: audit log, SAML SSO, Enterprise Managed Users, and rate limits that scale with users and repositories
About this API
GitHub Enterprise is GitHub's enterprise product line in two shapes: Enterprise Cloud (GHEC), a github.com tenant at $21/user/month introductory pricing, and Enterprise Server (GHES), a self-hosted distribution sold via quote. The API surface is REST v3 (api.github.com or your GHES domain) plus GraphQL v4. REST uses the X-GitHub-Api-Version date header for routing; current active versions are 2026-03-10 and 2022-11-28, with a 24-month minimum support window.
Authentication has five paths: unauthenticated (60/hour/IP), PAT (5,000/hour), OAuth App (5,000/hour/app), GitHub Apps installation tokens (5,000/hour baseline, 15,000/hour on GHEC, scaling linearly per repo and per user up to 12,500 on GHES or 15,000 on GHEC), and the built-in GITHUB_TOKEN in Actions (1,000/hour/repo standard, 15,000/hour/repo on GHEC). Enterprise-exclusive endpoints include audit log API, SAML SSO config, SCIM provisioning, and enterprise-level webhooks. Pair with Enterprise Managed Users (EMU) for IdP-owned identity lifecycle.
GraphQL bills point-based: reads cost 1 point, mutations cost 5, with a ceiling of 900 points per minute per endpoint. Secondary limits to know: 100 concurrent requests, 80 content-creating requests per minute (500 per hour), and 90 seconds of CPU per 60-second wall window.
SDK coverage is comprehensive: Octokit (JavaScript, Ruby, .NET), PyGithub, go-github, hub4j are the actively maintained official or community SDKs.
What you can build
1. Enterprise permission governance: pull SSO logins, repository permission changes, and token creation events from the audit log API into a SIEM for compliance alerting
2. Large-scale CI/CD: use a GitHub Apps installation token for 15,000 req/hour on Enterprise Cloud to cover automation across hundreds of repositories
3. EMU identity governance: SCIM-sync users and groups from your IdP so all GitHub account lifecycle is owned upstream
Strengths & limitations
Strengths
- Rate limits tiered by auth path: PAT 5K/hour, OAuth App 5K/hour/app, GitHub Apps 5K-15K/hour scaling linearly with repos and users. Enterprise workloads using GitHub Apps reach the maximum 12,500 (GHES) or 15,000 (GHEC) per hour
- REST v3 plus GraphQL v4. GraphQL bills point-based (1 for reads, 5 for mutations) and aggregates queries to reduce round trips; REST uses the X-GitHub-Api-Version date header for routing
- Enterprise-exclusive endpoints: audit log API, SAML SSO config, SCIM, and Enterprise-level webhooks tie together a full identity lifecycle when paired with an IdP
Limitations
- GHEC and GHES are two distinct API surfaces with non-identical endpoint coverage. GHES versions (3.0-3.8) carry feature differences that require version-aware code and an X-GitHub-Api-Version header pinned to the target instance
- EMU accounts have structural limits: no personal repositories, no forks outside the enterprise, no commenting or starring on other orgs. Application designs need to account for these boundaries up front
- Secondary rate limits (80 content-creating req/min, 500/hour) and OAuth token requests (2,000/hour) trip up integrations and are easy to miss in the docs. Retries should use exponential backoff, not a fixed interval
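The retry policy from the last limitation, as an added example (not GitHub's or any SDK's code): it honours `Retry-After` first, then `X-RateLimit-Reset`, and otherwise backs off exponentially. The 60-second base, the 900-second cap, the body-text check on 403 responses and all function names are assumptions of this example.

```python
import time

def retry_delay(status, headers, attempt, message="", now=None, base=60.0, cap=900.0):
    """Seconds to wait before retrying, or None when the response is not a rate limit."""
    if status not in (403, 429):
        return None
    h = {k.lower(): str(v) for k, v in headers.items()}
    if "retry-after" in h:                      # server-specified wait wins
        return float(h["retry-after"])
    if h.get("x-ratelimit-remaining") == "0" and "x-ratelimit-reset" in h:
        now = time.time() if now is None else now
        return max(0.0, float(h["x-ratelimit-reset"]) - now)  # reset is epoch seconds
    if status == 403 and "rate limit" not in message.lower():
        return None                             # ordinary permission failure (assumed body check)
    return min(cap, base * 2 ** attempt)        # assumed base/cap; doubles per attempt

def call_with_backoff(send, max_attempts=5, sleep=time.sleep, now=None):
    """Call send() -> (status, headers, body) until it is not rate limited."""
    waits = []
    for attempt in range(max_attempts):
        status, headers, body = send()
        delay = retry_delay(status, headers, attempt, message=str(body), now=now)
        if delay is None:
            return status, body, waits
        waits.append(delay)
        sleep(delay)
    raise RuntimeError(f"still rate limited after {max_attempts} attempts")

def constructed_responses():
    """Constructed sample replies standing in for a real HTTP client."""
    replies = iter([
        (403, {"Retry-After": "30"}, "You have exceeded a secondary rate limit"),
        (429, {}, ""),
        (200, {"X-RateLimit-Remaining": "4999"}, "ok"),
    ])
    return lambda: next(replies)

if __name__ == "__main__":
    status, body, waits = call_with_backoff(constructed_responses(), sleep=lambda s: None)
    print(status, body, waits)
```

A 403 that carries no rate-limit headers and no rate-limit message is returned to the caller unretried, so a revoked token or missing permission surfaces immediately instead of being hidden behind backoff.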
Official quickstart
Read the official quickstart at docs.github.com.
Getting started
Start a GHEC trial at github.com/enterprise or request a GHES quote at enterprise.github.com. Prefer GitHub Apps over PATs: create an App in enterprise settings, install it on the target organization, and use installation tokens to call the API — rate limits jump to 15,000/hour on GHEC. Include `X-GitHub-Api-Version: 2026-03-10` on REST calls, or omit it to use the 2022-11-28 default.
FAQ
Are the GHEC and GHES APIs the same?
Not exactly. GHEC uses api.github.com with the most current endpoint coverage and supports Cloud-only features like audit log, EMU, and SCIM. GHES uses your instance domain ({host}/api/v3 and {host}/api/graphql) with feature differences by GHES version (3.0-3.8); some endpoints lag GHEC. Code needs to target the instance version and pin REST calls with an X-GitHub-Api-Version header.
PAT or GitHub Apps for enterprise use cases?
GitHub Apps. Three reasons: higher rate limits (15,000/hour baseline on GHEC, scaling linearly per repo and per user up to 15,000 capped; PATs are stuck at 5,000/hour), finer-grained permissions (installation-level rather than user-level), and no user lifecycle risk (PATs die when the user offboards; Apps are unaffected). Reserve PATs for one-off scripts or personal tooling.
Which plan has the audit log API?
Only GHEC ($21/seat/month introductory) and GHES. Free ($0) and Team ($4/seat/month) do not include the audit log API. On GHEC, the /enterprises/{enterprise}/audit-log endpoint returns SSO logins, repository permission changes, token creation, and similar events that can be piped into a SIEM.
How do I use the X-GitHub-Api-Version header?
Pass the version as a date string, e.g., X-GitHub-Api-Version: 2026-03-10. Omitting the header defaults to 2022-11-28. GitHub guarantees at least a 24-month support window. Before retirement, responses carry a deprecation header noting the sunset date. After sunset, the version returns 410 Gone and unversioned requests fall back to the next-oldest active version.
What can an EMU account actually do?
EMU (Enterprise Managed Users) accounts are fully IdP-controlled and confined to the enterprise. They can: commit, review, file issues, use Actions, and call APIs inside the enterprise organizations. They cannot: own personal repositories, fork outside the enterprise, comment or star on other orgs, or participate in open-source outside the enterprise. Integrations that rely on cross-org operations need to design around the EMU boundary.
Technical details
- Auth type: oauth
- Pricing: paid
- Rate limit: Unauthenticated 60/hour per IP. PAT 5,000/hour. OAuth App 5,000/hour per app. GitHub Apps installation token: 5,000/hour minimum, 15,000/hour on Enterprise Cloud; scales +50/hour per repo and +50/hour per user beyond 20 of each, capped at 12,500/hour (or 15,000 on GHEC). GITHUB_TOKEN in Actions: 1,000/hour/repo (standard), 15,000/hour/repo (GHEC). Secondary limits: 100 concurrent requests, 900 points/min/endpoint, 90s CPU per 60s wall, 80 content-creating req/min (500/hour), 2,000 OAuth token requests/hour. GraphQL: 1 point read, 5 points mutation
- Free tier quota: Enterprise features (audit log API, SAML SSO, EMU, advanced security) require GHEC ($21/user/mo first 12mo) or GHES (custom pricing). Free and Team tiers ($0 and $4/user/mo) do not unlock enterprise endpoints. github.com REST and GraphQL APIs themselves remain accessible on all tiers; the difference is the additional endpoints and the elevated rate limits
- Protocols: REST, GraphQL
- SDKs: Octokit (JavaScript / TypeScript), Octokit (Ruby), Octokit (.NET), PyGithub (Python), go-github (Go), hub4j (Java)