Ona Docs

Policies

GetOrganizationPolicies
client.Organizations.Policies.Get(ctx, body) (*OrganizationPolicyGetResponse, error)
POST /gitpod.v1.OrganizationService/GetOrganizationPolicies
UpdateOrganizationPolicies
client.Organizations.Policies.Update(ctx, body) (*OrganizationPolicyUpdateResponse, error)
POST /gitpod.v1.OrganizationService/UpdateOrganizationPolicies
Models
type AgentPolicy struct{…}

AgentPolicy contains agent-specific policy settings for an organization

CommandDenyList []string

command_deny_list contains a list of commands that agents are not allowed to execute

McpDisabled bool

mcp_disabled controls whether MCP (Model Context Protocol) is disabled for agents

ScmToolsDisabled bool

scm_tools_disabled controls whether SCM (Source Control Management) tools are disabled for agents

ConversationSharingPolicy ConversationSharingPolicy (optional)

conversation_sharing_policy controls whether agent conversations can be shared

One of the following:
const ConversationSharingPolicyUnspecified ConversationSharingPolicy = "CONVERSATION_SHARING_POLICY_UNSPECIFIED"
const ConversationSharingPolicyDisabled ConversationSharingPolicy = "CONVERSATION_SHARING_POLICY_DISABLED"
const ConversationSharingPolicyOrganization ConversationSharingPolicy = "CONVERSATION_SHARING_POLICY_ORGANIZATION"
MaxSubagentsPerEnvironment int64 (optional)

max_subagents_per_environment limits the number of non-terminal sub-agents a parent can have running simultaneously in the same environment. Valid range: 0-10. Zero means use the default (5).

format: int32
maximum: 10
ScmToolsAllowedGroupID string (optional)

scm_tools_allowed_group_id restricts SCM tools access to members of this group. Empty means no restriction (all users can use SCM tools if not disabled).

type ConversationSharingPolicy string

ConversationSharingPolicy controls how agent conversations can be shared.

One of the following:
const ConversationSharingPolicyUnspecified ConversationSharingPolicy = "CONVERSATION_SHARING_POLICY_UNSPECIFIED"
const ConversationSharingPolicyDisabled ConversationSharingPolicy = "CONVERSATION_SHARING_POLICY_DISABLED"
const ConversationSharingPolicyOrganization ConversationSharingPolicy = "CONVERSATION_SHARING_POLICY_ORGANIZATION"
type CrowdStrikeConfig struct{…}

CrowdStrikeConfig configures CrowdStrike Falcon sensor deployment

AdditionalOptions map[string]string (optional)

additional_options contains additional FALCONCTL_OPT_* options as key-value pairs. Keys should NOT include the FALCONCTL_OPT_ prefix.

CidSecretID string (optional)

cid_secret_id references an organization secret containing the Customer ID (CID).

format: uuid
Enabled bool (optional)

enabled controls whether CrowdStrike Falcon is deployed to environments

Image string (optional)

image is the CrowdStrike Falcon sensor container image reference

Tags string (optional)

tags are optional tags to apply to the Falcon sensor (comma-separated)

type CustomAgentEnvMapping struct{…}

CustomAgentEnvMapping maps a script placeholder to an organization secret. The backend resolves the secret name to a UUID at runtime.

Name string (optional)

name is the environment variable name used as a placeholder in the start command.

SecretName string (optional)

secret_name is the name of the organization secret whose value populates this placeholder.

type CustomSecurityAgent struct{…}

CustomSecurityAgent defines a custom security agent configured by an organization admin.

ID string (optional)

id is a unique identifier for this custom agent within the organization. Server-generated at save time if empty.

Description string (optional)

description is a human-readable description of what this agent does

Enabled bool (optional)

enabled controls whether this custom agent is deployed to environments

EnvMappings []CustomAgentEnvMapping (optional)

env_mappings maps script placeholders to organization secret names, resolved to secret values at runtime.

Name string (optional)

name is the environment variable name used as a placeholder in the start command.

SecretName string (optional)

secret_name is the name of the organization secret whose value populates this placeholder.

Name string (optional)

name is the display name for this custom agent

StartCommand string (optional)

start_command is the shell script that starts the agent
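Every env_mappings entry places an organization secret in the environment of the process that runs start_command, so a mapping the script never reads is a secret exposed for no reason, and a name the shell cannot export silently drops the value. The following is an added example, not code from the Ona SDK or docs, that lints a CustomSecurityAgent for those problems before it is saved. The $NAME and ${NAME} reference forms are an assumption about how placeholders appear in the script; the sample agent is constructed.

```go
package main

import (
	"fmt"
	"regexp"
)

type CustomAgentEnvMapping struct {
	Name       string
	SecretName string
}

type CustomSecurityAgent struct {
	Name         string
	Enabled      bool
	StartCommand string
	EnvMappings  []CustomAgentEnvMapping
}

// Names a POSIX shell can export; anything else never reaches the script.
var envName = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// LintCustomAgent returns one finding per env_mappings entry that is malformed,
// duplicated, lacks a secret, or is never read by start_command.
func LintCustomAgent(a CustomSecurityAgent) []string {
	var out []string
	if a.StartCommand == "" {
		out = append(out, "start_command: empty; the agent can never start")
	}
	seen := map[string]bool{}
	for i, m := range a.EnvMappings {
		f := fmt.Sprintf("env_mappings[%d]", i)
		if !envName.MatchString(m.Name) {
			out = append(out, fmt.Sprintf("%s: %q is not a valid environment variable name", f, m.Name))
			continue
		}
		if seen[m.Name] {
			out = append(out, fmt.Sprintf("%s: %s is mapped twice", f, m.Name))
		}
		seen[m.Name] = true
		if m.SecretName == "" {
			out = append(out, f+": secret_name is empty")
		}
		// Assumed reference forms: $NAME and ${NAME}. m.Name passed envName above,
		// so it contains no regexp metacharacters.
		ref := regexp.MustCompile(`\$(\{` + m.Name + `\}|` + m.Name + `\b)`)
		if !ref.MatchString(a.StartCommand) {
			out = append(out, fmt.Sprintf("%s: %s is never read by start_command; drop the mapping", f, m.Name))
		}
	}
	return out
}

func main() {
	// Constructed sample agent, not a real configuration.
	agent := CustomSecurityAgent{
		Name:         "sample-sensor",
		Enabled:      true,
		StartCommand: `curl -sf -H "Authorization: Bearer ${API_TOKEN}" https://sensor.example/register && exec /opt/sensor/run --region $REGION`,
		EnvMappings: []CustomAgentEnvMapping{
			{Name: "API_TOKEN", SecretName: "sensor-api-token"},
			{Name: "REGION", SecretName: "sensor-region"},
			{Name: "bad-name", SecretName: "x"},
			{Name: "UNUSED", SecretName: "y"},
			{Name: "API_TOKEN", SecretName: "dup"},
		},
	}
	for _, finding := range LintCustomAgent(agent) {
		fmt.Println(finding)
	}
}
```

The sample produces three findings: the invalid name, the unreferenced UNUSED mapping, and the duplicate API_TOKEN entry. The check is deliberately conservative: it does not try to parse the shell script, only to prove that each mapped name is at least mentioned.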

type KernelControlsAction string

KernelControlsAction defines how a kernel-level policy violation is handled.

One of the following:
const KernelControlsActionUnspecified KernelControlsAction = "KERNEL_CONTROLS_ACTION_UNSPECIFIED"
const KernelControlsActionBlock KernelControlsAction = "KERNEL_CONTROLS_ACTION_BLOCK"
const KernelControlsActionAudit KernelControlsAction = "KERNEL_CONTROLS_ACTION_AUDIT"
type OrganizationPolicies struct{…}
AgentPolicy AgentPolicy

agent_policy contains agent-specific policy settings

CommandDenyList []string

command_deny_list contains a list of commands that agents are not allowed to execute

McpDisabled bool

mcp_disabled controls whether MCP (Model Context Protocol) is disabled for agents

ScmToolsDisabled bool

scm_tools_disabled controls whether SCM (Source Control Management) tools are disabled for agents

ConversationSharingPolicy ConversationSharingPolicy (optional)

conversation_sharing_policy controls whether agent conversations can be shared

One of the following:
const ConversationSharingPolicyUnspecified ConversationSharingPolicy = "CONVERSATION_SHARING_POLICY_UNSPECIFIED"
const ConversationSharingPolicyDisabled ConversationSharingPolicy = "CONVERSATION_SHARING_POLICY_DISABLED"
const ConversationSharingPolicyOrganization ConversationSharingPolicy = "CONVERSATION_SHARING_POLICY_ORGANIZATION"
MaxSubagentsPerEnvironment int64 (optional)

max_subagents_per_environment limits the number of non-terminal sub-agents a parent can have running simultaneously in the same environment. Valid range: 0-10. Zero means use the default (5).

format: int32
maximum: 10
ScmToolsAllowedGroupID string (optional)

scm_tools_allowed_group_id restricts SCM tools access to members of this group. Empty means no restriction (all users can use SCM tools if not disabled).

AllowedEditorIDs []string

allowed_editor_ids is the list of editor IDs that are allowed to be used in the organization

AllowLocalRunners bool

allow_local_runners controls whether local runners are allowed to be used in the organization

DefaultEditorID string

default_editor_id is the default editor ID to be used when a user doesn’t specify one

DefaultEnvironmentImage string

default_environment_image is the default container image when none is defined in repo

DisableFromScratch bool

disable_from_scratch controls whether non-admin users can create blank environments without a Git or URL initializer.

MaximumEnvironmentsPerUser string

maximum_environments_per_user limits total environments (running or stopped) per user

MaximumRunningEnvironmentsPerUser string

maximum_running_environments_per_user limits simultaneously running environments per user

MembersCreateProjects bool

members_create_projects controls whether members can create projects

MembersRequireProjects bool

members_require_projects controls whether environments can only be created from projects by non-admin users

OrganizationID string

organization_id is the ID of the organization

format: uuid
PortSharingDisabled bool

port_sharing_disabled controls whether user-initiated port sharing is disabled in the organization. System ports (VS Code Browser, agents) are always exempt from this policy.

RequireCustomDomainAccess bool

require_custom_domain_access controls whether users must access via custom domain when one is configured. When true, access via app.gitpod.io is blocked.

RestrictAccountCreationToScim bool

restrict_account_creation_to_scim controls whether account creation is restricted to SCIM-provisioned users only. When true and SCIM is configured for the organization, only users provisioned via SCIM can create accounts.

WebBrowserDisabled bool

web_browser_disabled controls whether users can open the built-in web browser from environment pages. This does not affect VS Code Browser.

DeleteArchivedEnvironmentsAfter string (optional)

delete_archived_environments_after controls how long archived environments are kept before automatic deletion. 0 means no automatic deletion. Maximum duration is 4 weeks (2419200 seconds).

format: regex
EditorVersionRestrictions map[string]OrganizationPoliciesEditorVersionRestriction (optional)

editor_version_restrictions restricts which editor versions can be used. It maps an editor ID to a version policy. If editor_version_restrictions is not set there are no restrictions; if it is empty, or has no entry for an editor, the latest version of that editor is used.

AllowedVersions []string (optional)

allowed_versions lists the versions that are allowed. If empty, the latest version of the editor is used.

Examples for JetBrains: ["2025.2", "2025.1", "2024.3"]

MaximumEnvironmentLifetime string (optional)

maximum_environment_lifetime controls for how long environments are allowed to be reused. 0 means no maximum lifetime. Maximum duration is 180 days (15552000 seconds).

format: regex
MaximumEnvironmentTimeout string (optional)

maximum_environment_timeout controls the maximum timeout allowed for environments, in seconds. 0 means no limit (never). Minimum duration is 30 minutes (1800 seconds). The value must be 0s (no limit) or at least 1800s (30 minutes); the server-side constraint is:

this == duration('0s') || this >= duration('1800s')

format: regex
ProjectCreationDefaults ProjectCreationDefaults (optional)

project_creation_defaults contains default settings applied to newly created projects.

EnvironmentClasses []ProjectCreationDefaultEnvironmentClass (optional)

environment_classes specifies default environment classes and their per-class settings (order, prebuild, warm pool) for newly created projects. Each entry must reference an existing, enabled, non-local-runner environment class in the organization.

EnvironmentClassID string (optional)

environment_class_id is the ID of the environment class.

format: uuid
Order int64 (optional)

order is the priority of this entry (lower = higher priority).

format: int32
Prebuild bool (optional)

prebuild controls whether prebuilds are enabled for this environment class on newly created projects.

WarmPool ProjectCreationDefaultEnvironmentClassWarmPool (optional)

warm_pool configures the warm pool for this environment class on newly created projects. Only meaningful when prebuild is true.

Enabled bool (optional)

enabled controls whether a warm pool is created for this environment class.

MaxSize int64 (optional)

max_size is the maximum number of warm instances. Must be >= min_size and <= 20.

format: int32
maximum: 20
MinSize int64 (optional)

min_size is the minimum number of warm instances. Must be >= 0 and <= max_size.

format: int32
maximum: 20
InsightsEnabled bool (optional)

insights_enabled controls whether Insights (co-author attribution) is automatically enabled on newly created projects.

Prebuilds ProjectCreationDefaultsPrebuilds (optional)

prebuilds configures default prebuild settings for newly created projects. When set, prebuilds can be enabled per environment class via the environment_classes entries. When absent, prebuilds are not enabled by default.

EnableJetbrainsWarmup bool (optional)

enable_jetbrains_warmup controls whether JetBrains IDE warmup runs during prebuilds on newly created projects.

PrebuildExecutor Subject (optional)

prebuild_executor is the service account used to run prebuilds on newly created projects. Must be a service account (not a user).

ID string (optional)

id is the UUID of the subject

format: uuid
Principal Principal (optional)

Principal is the principal of the subject

One of the following:
const PrincipalUnspecified Principal = "PRINCIPAL_UNSPECIFIED"
const PrincipalAccount Principal = "PRINCIPAL_ACCOUNT"
const PrincipalUser Principal = "PRINCIPAL_USER"
const PrincipalRunner Principal = "PRINCIPAL_RUNNER"
const PrincipalEnvironment Principal = "PRINCIPAL_ENVIRONMENT"
const PrincipalServiceAccount Principal = "PRINCIPAL_SERVICE_ACCOUNT"
const PrincipalRunnerManager Principal = "PRINCIPAL_RUNNER_MANAGER"
Timeout string (optional)

timeout is the maximum duration allowed for a prebuild to complete. If not specified, defaults to 1 hour. Must be between 5 minutes and 2 hours.

format: regex
Trigger ProjectCreationDefaultsPrebuildsTrigger (optional)

trigger defines when prebuilds should be created on newly created projects.

DailySchedule ProjectCreationDefaultsPrebuildsTriggerDailySchedule

daily_schedule triggers a prebuild once per day at the specified hour (UTC). The actual start time may vary slightly to distribute system load.

HourUtc int64 (optional)

hour_utc is the hour of day (0-23) in UTC when the prebuild should start. The actual start time may be adjusted by a few minutes to balance system load.

format: int32
maximum: 23
SecurityAgentPolicy SecurityAgentPolicy (optional)

security_agent_policy contains security agent configuration for the organization. When configured, security agents are automatically deployed to all environments.

Crowdstrike CrowdStrikeConfig (optional)

crowdstrike contains CrowdStrike Falcon configuration

AdditionalOptions map[string]string (optional)

additional_options contains additional FALCONCTL_OPT_* options as key-value pairs. Keys should NOT include the FALCONCTL_OPT_ prefix.

CidSecretID string (optional)

cid_secret_id references an organization secret containing the Customer ID (CID).

format: uuid
Enabled bool (optional)

enabled controls whether CrowdStrike Falcon is deployed to environments

Image string (optional)

image is the CrowdStrike Falcon sensor container image reference

Tags string (optional)

tags are optional tags to apply to the Falcon sensor (comma-separated)

VetoExecPolicy VetoExecPolicy (optional)

veto_exec_policy contains the veto exec policy for environments.

Action KernelControlsAction (optional)

action specifies what action kernel-level controls take on policy violations

One of the following:
const KernelControlsActionUnspecified KernelControlsAction = "KERNEL_CONTROLS_ACTION_UNSPECIFIED"
const KernelControlsActionBlock KernelControlsAction = "KERNEL_CONTROLS_ACTION_BLOCK"
const KernelControlsActionAudit KernelControlsAction = "KERNEL_CONTROLS_ACTION_AUDIT"
Enabled bool (optional)

enabled controls whether executable blocking is active

Executables []string (optional)

executables is the list of executable paths or names to block
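The numeric and duration constraints listed on OrganizationPolicies (the 0-10 sub-agent cap, the 0s-or-at-least-1800s environment timeout, the warm-pool bounds, the service-account-only prebuild executor and the 5-minute-to-2-hour prebuild timeout) are enforced by the server, which means a bad UpdateOrganizationPolicies call is only rejected after the round trip. The following is an added example, not code from the Ona SDK or docs, that checks those same rules client-side on a policy document so the mistake is reported locally. The snake_case JSON keys in the mirror structs and the sample document are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Mirrors of the fields that carry documented constraints; the snake_case JSON keys are assumed here.
type WarmPool struct {
	MinSize int32 `json:"min_size"`
	MaxSize int32 `json:"max_size"`
}
type EnvClass struct {
	Prebuild bool      `json:"prebuild"`
	WarmPool *WarmPool `json:"warm_pool,omitempty"`
}
type Prebuilds struct {
	PrebuildExecutor *struct {
		Principal string `json:"principal"`
	} `json:"prebuild_executor,omitempty"`
	Timeout string `json:"timeout,omitempty"`
}
type ProjectDefaults struct {
	EnvironmentClasses []EnvClass `json:"environment_classes"`
	Prebuilds          *Prebuilds `json:"prebuilds,omitempty"`
}
type OrganizationPolicies struct {
	AgentPolicy struct {
		MaxSubagentsPerEnvironment int32 `json:"max_subagents_per_environment"`
	} `json:"agent_policy"`
	MaximumEnvironmentTimeout string           `json:"maximum_environment_timeout,omitempty"`
	ProjectCreationDefaults   *ProjectDefaults `json:"project_creation_defaults,omitempty"`
}

// checkDuration parses the protobuf "<seconds>s" wire form (time.ParseDuration accepts it).
// Zero passes iff zeroOK; otherwise the value must satisfy min <= d <= max (max == 0: no upper bound).
func checkDuration(field, raw string, min, max time.Duration, zeroOK bool) []string {
	if raw == "" {
		return nil
	}
	d, err := time.ParseDuration(raw)
	if err != nil {
		return []string{field + ": unparseable duration " + raw}
	}
	if (d == 0 && zeroOK) || (d >= min && (max == 0 || d <= max)) {
		return nil
	}
	return []string{fmt.Sprintf("%s: %s is outside the allowed range (min %s, max %s)", field, d, min, max)}
}

// LintPolicies returns one finding per documented constraint the policy violates.
func LintPolicies(p OrganizationPolicies) []string {
	var out []string
	if n := p.AgentPolicy.MaxSubagentsPerEnvironment; n < 0 || n > 10 {
		out = append(out, fmt.Sprintf("agent_policy.max_subagents_per_environment: %d is outside 0-10", n))
	}
	// 0s means "no limit"; any other value must be at least 30 minutes.
	out = append(out, checkDuration("maximum_environment_timeout", p.MaximumEnvironmentTimeout, 30*time.Minute, 0, true)...)
	pd := p.ProjectCreationDefaults
	if pd == nil {
		return out
	}
	for i, ec := range pd.EnvironmentClasses {
		wp := ec.WarmPool
		if wp != nil && (wp.MinSize < 0 || wp.MaxSize > 20 || wp.MinSize > wp.MaxSize) {
			out = append(out, fmt.Sprintf("project_creation_defaults.environment_classes[%d].warm_pool: need 0 <= min_size <= max_size <= 20", i))
		}
	}
	if pb := pd.Prebuilds; pb != nil {
		if s := pb.PrebuildExecutor; s != nil && s.Principal != "PRINCIPAL_SERVICE_ACCOUNT" {
			out = append(out, "project_creation_defaults.prebuilds.prebuild_executor: must be a service account, got "+s.Principal)
		}
		// The prebuild timeout has no zero escape hatch: 5 minutes to 2 hours, default 1 hour when unset.
		out = append(out, checkDuration("project_creation_defaults.prebuilds.timeout", pb.Timeout, 5*time.Minute, 2*time.Hour, false)...)
	}
	return out
}

// LintJSON lints a JSON policy document such as a GetOrganizationPolicies response body.
func LintJSON(raw []byte) ([]string, error) {
	var p OrganizationPolicies
	if err := json.Unmarshal(raw, &p); err != nil {
		return nil, err
	}
	return LintPolicies(p), nil
}

// Constructed sample, not a real response: every constrained setting in it breaks its rule.
const sampleJSON = `{
  "agent_policy": {"max_subagents_per_environment": 12},
  "maximum_environment_timeout": "600s",
  "project_creation_defaults": {
    "environment_classes": [{"prebuild": true, "warm_pool": {"min_size": 5, "max_size": 3}}],
    "prebuilds": {"prebuild_executor": {"principal": "PRINCIPAL_USER"}, "timeout": "3s"}}}`

func main() {
	fmt.Println(LintJSON([]byte(sampleJSON)))
}
```

The same checkDuration call covers delete_archived_environments_after (zero allowed, maximum 4 weeks) and maximum_environment_lifetime (zero allowed, maximum 180 days) by passing those bounds; only the min/max pairs differ. Run the linter on the GetOrganizationPolicies response after editing it and before sending the Update, so a policy that the server would reject never leaves the workstation.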

type ProjectCreationDefaultEnvironmentClass struct{…}

ProjectCreationDefaultEnvironmentClass configures a single environment class in the project creation defaults.

EnvironmentClassID string (optional)

environment_class_id is the ID of the environment class.

format: uuid
Order int64 (optional)

order is the priority of this entry (lower = higher priority).

format: int32
Prebuild bool (optional)

prebuild controls whether prebuilds are enabled for this environment class on newly created projects.

WarmPool ProjectCreationDefaultEnvironmentClassWarmPool (optional)

warm_pool configures the warm pool for this environment class on newly created projects. Only meaningful when prebuild is true.

Enabled bool (optional)

enabled controls whether a warm pool is created for this environment class.

MaxSize int64 (optional)

max_size is the maximum number of warm instances. Must be >= min_size and <= 20.

format: int32
maximum: 20
MinSize int64 (optional)

min_size is the minimum number of warm instances. Must be >= 0 and <= max_size.

format: int32
maximum: 20
type ProjectCreationDefaultEnvironmentClassWarmPool struct{…}

ProjectCreationDefaultEnvironmentClassWarmPool configures warm pool defaults for an environment class in the project creation defaults.

Enabled bool (optional)

enabled controls whether a warm pool is created for this environment class.

MaxSize int64 (optional)

max_size is the maximum number of warm instances. Must be >= min_size and <= 20.

format: int32
maximum: 20
MinSize int64 (optional)

min_size is the minimum number of warm instances. Must be >= 0 and <= max_size.

format: int32
maximum: 20
type ProjectCreationDefaults struct{…}

ProjectCreationDefaults contains default settings applied to newly created projects.

EnvironmentClasses []ProjectCreationDefaultEnvironmentClass (optional)

environment_classes specifies default environment classes and their per-class settings (order, prebuild, warm pool) for newly created projects. Each entry must reference an existing, enabled, non-local-runner environment class in the organization.

EnvironmentClassID string (optional)

environment_class_id is the ID of the environment class.

format: uuid
Order int64 (optional)

order is the priority of this entry (lower = higher priority).

format: int32
Prebuild bool (optional)

prebuild controls whether prebuilds are enabled for this environment class on newly created projects.

WarmPool ProjectCreationDefaultEnvironmentClassWarmPool (optional)

warm_pool configures the warm pool for this environment class on newly created projects. Only meaningful when prebuild is true.

Enabled bool (optional)

enabled controls whether a warm pool is created for this environment class.

MaxSize int64 (optional)

max_size is the maximum number of warm instances. Must be >= min_size and <= 20.

format: int32
maximum: 20
MinSize int64 (optional)

min_size is the minimum number of warm instances. Must be >= 0 and <= max_size.

format: int32
maximum: 20
InsightsEnabled bool (optional)

insights_enabled controls whether Insights (co-author attribution) is automatically enabled on newly created projects.

Prebuilds ProjectCreationDefaultsPrebuilds (optional)

prebuilds configures default prebuild settings for newly created projects. When set, prebuilds can be enabled per environment class via the environment_classes entries. When absent, prebuilds are not enabled by default.

EnableJetbrainsWarmup bool (optional)

enable_jetbrains_warmup controls whether JetBrains IDE warmup runs during prebuilds on newly created projects.

PrebuildExecutor Subject (optional)

prebuild_executor is the service account used to run prebuilds on newly created projects. Must be a service account (not a user).

ID string (optional)

id is the UUID of the subject

format: uuid
Principal Principal (optional)

Principal is the principal of the subject

One of the following:
const PrincipalUnspecified Principal = "PRINCIPAL_UNSPECIFIED"
const PrincipalAccount Principal = "PRINCIPAL_ACCOUNT"
const PrincipalUser Principal = "PRINCIPAL_USER"
const PrincipalRunner Principal = "PRINCIPAL_RUNNER"
const PrincipalEnvironment Principal = "PRINCIPAL_ENVIRONMENT"
const PrincipalServiceAccount Principal = "PRINCIPAL_SERVICE_ACCOUNT"
const PrincipalRunnerManager Principal = "PRINCIPAL_RUNNER_MANAGER"
Timeout string (optional)

timeout is the maximum duration allowed for a prebuild to complete. If not specified, defaults to 1 hour. Must be between 5 minutes and 2 hours.

format: regex
Trigger ProjectCreationDefaultsPrebuildsTrigger (optional)

trigger defines when prebuilds should be created on newly created projects.

DailySchedule ProjectCreationDefaultsPrebuildsTriggerDailySchedule

daily_schedule triggers a prebuild once per day at the specified hour (UTC). The actual start time may vary slightly to distribute system load.

HourUtc int64 (optional)

hour_utc is the hour of day (0-23) in UTC when the prebuild should start. The actual start time may be adjusted by a few minutes to balance system load.

format: int32
maximum: 23
type ProjectCreationDefaultsPrebuilds struct{…}

ProjectCreationDefaultsPrebuilds configures default prebuild settings. Presence of this message means prebuilds can be enabled for the default environment classes.

EnableJetbrainsWarmup bool (optional)

enable_jetbrains_warmup controls whether JetBrains IDE warmup runs during prebuilds on newly created projects.

PrebuildExecutor Subject (optional)

prebuild_executor is the service account used to run prebuilds on newly created projects. Must be a service account (not a user).

ID string (optional)

id is the UUID of the subject

format: uuid
Principal Principal (optional)

Principal is the principal of the subject

One of the following:
const PrincipalUnspecified Principal = "PRINCIPAL_UNSPECIFIED"
const PrincipalAccount Principal = "PRINCIPAL_ACCOUNT"
const PrincipalUser Principal = "PRINCIPAL_USER"
const PrincipalRunner Principal = "PRINCIPAL_RUNNER"
const PrincipalEnvironment Principal = "PRINCIPAL_ENVIRONMENT"
const PrincipalServiceAccount Principal = "PRINCIPAL_SERVICE_ACCOUNT"
const PrincipalRunnerManager Principal = "PRINCIPAL_RUNNER_MANAGER"
Timeout string (optional)

timeout is the maximum duration allowed for a prebuild to complete. If not specified, defaults to 1 hour. Must be between 5 minutes and 2 hours.

format: regex
Trigger ProjectCreationDefaultsPrebuildsTrigger (optional)

trigger defines when prebuilds should be created on newly created projects.

DailySchedule ProjectCreationDefaultsPrebuildsTriggerDailySchedule

daily_schedule triggers a prebuild once per day at the specified hour (UTC). The actual start time may vary slightly to distribute system load.

HourUtc int64 (optional)

hour_utc is the hour of day (0-23) in UTC when the prebuild should start. The actual start time may be adjusted by a few minutes to balance system load.

format: int32
maximum: 23
type SecurityAgentPolicy struct{…}

SecurityAgentPolicy contains security agent configuration for an organization. When enabled, security agents are automatically deployed to all environments.

Crowdstrike CrowdStrikeConfig (optional)

crowdstrike contains CrowdStrike Falcon configuration

AdditionalOptions map[string]string (optional)

additional_options contains additional FALCONCTL_OPT_* options as key-value pairs. Keys should NOT include the FALCONCTL_OPT_ prefix.

CidSecretID string (optional)

cid_secret_id references an organization secret containing the Customer ID (CID).

format: uuid
Enabled bool (optional)

enabled controls whether CrowdStrike Falcon is deployed to environments

Image string (optional)

image is the CrowdStrike Falcon sensor container image reference

Tags string (optional)

tags are optional tags to apply to the Falcon sensor (comma-separated)

type VetoExecPolicy struct{…}

VetoExecPolicy defines the policy for blocking or auditing executable execution in environments.

Action KernelControlsAction (optional)

action specifies what action kernel-level controls take on policy violations

One of the following:
const KernelControlsActionUnspecified KernelControlsAction = "KERNEL_CONTROLS_ACTION_UNSPECIFIED"
const KernelControlsActionBlock KernelControlsAction = "KERNEL_CONTROLS_ACTION_BLOCK"
const KernelControlsActionAudit KernelControlsAction = "KERNEL_CONTROLS_ACTION_AUDIT"
Enabled bool (optional)

enabled controls whether executable blocking is active

Executables []string (optional)

executables is the list of executable paths or names to block
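Two of the security-agent settings above are easy to get subtly wrong: additional_options keys must be given without the FALCONCTL_OPT_ prefix (the sensor side adds it), and a VetoExecPolicy can be accepted while blocking nothing (enabled with an empty list, listed executables with enabled false, or an unspecified action). The following is an added example, not code from the Ona SDK or docs: it renders CrowdStrikeConfig.AdditionalOptions into FALCONCTL_OPT_<KEY>=<value> form, rejecting prefixed keys and non-option-name characters, validates cid_secret_id against the documented uuid format, and lints a VetoExecPolicy for those no-op configurations plus duplicate or unclean paths. The sample values are constructed.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"sort"
	"strings"
)

// Mirrors of the two security-agent settings, using the reference's field names.
type CrowdStrikeConfig struct {
	Enabled           bool
	Image             string
	CidSecretID       string
	Tags              string
	AdditionalOptions map[string]string
}

type VetoExecPolicy struct {
	Enabled     bool
	Action      string // a KERNEL_CONTROLS_ACTION_* value
	Executables []string
}

const falconPrefix = "FALCONCTL_OPT_"

var (
	optKey = regexp.MustCompile(`^[A-Z][A-Z0-9_]*$`)
	uuidRe = regexp.MustCompile(`^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$`)
)

// FalconEnv renders additional_options as FALCONCTL_OPT_<KEY>=<value> entries.
// A key that already carries the prefix is rejected instead of being doubled,
// keys are limited to option-name characters, and values may not contain
// control characters, so one option cannot smuggle in a second variable.
func FalconEnv(c CrowdStrikeConfig) ([]string, error) {
	if !c.Enabled {
		return nil, nil
	}
	if c.CidSecretID != "" && !uuidRe.MatchString(strings.ToLower(c.CidSecretID)) {
		return nil, fmt.Errorf("crowdstrike.cid_secret_id: %q is not a UUID", c.CidSecretID)
	}
	var env []string
	for k, v := range c.AdditionalOptions {
		switch {
		case strings.HasPrefix(strings.ToUpper(k), falconPrefix):
			return nil, fmt.Errorf("crowdstrike.additional_options: key %q must not include the %s prefix", k, falconPrefix)
		case !optKey.MatchString(k):
			return nil, fmt.Errorf("crowdstrike.additional_options: key %q is not an option name", k)
		case strings.ContainsAny(v, "\x00\n\r"):
			return nil, fmt.Errorf("crowdstrike.additional_options: value of %s contains control characters", k)
		}
		env = append(env, falconPrefix+k+"="+v)
	}
	sort.Strings(env) // map iteration order is random; make the output diffable
	return env, nil
}

// LintVetoExec reports veto_exec_policy settings that are accepted but do not
// do what an administrator usually intends.
func LintVetoExec(p VetoExecPolicy) []string {
	var out []string
	if !p.Enabled {
		if len(p.Executables) > 0 {
			out = append(out, "veto_exec_policy: executables listed but enabled is false; nothing is blocked or audited")
		}
		return out
	}
	switch p.Action {
	case "KERNEL_CONTROLS_ACTION_BLOCK":
	case "KERNEL_CONTROLS_ACTION_AUDIT":
		out = append(out, "veto_exec_policy: action is AUDIT; violations are recorded, not prevented")
	default:
		out = append(out, "veto_exec_policy: action is unspecified or unknown; set BLOCK or AUDIT explicitly")
	}
	if len(p.Executables) == 0 {
		out = append(out, "veto_exec_policy: enabled with an empty executables list; nothing is blocked")
	}
	seen := map[string]bool{}
	for i, e := range p.Executables {
		switch {
		case strings.TrimSpace(e) == "":
			out = append(out, fmt.Sprintf("veto_exec_policy.executables[%d]: empty entry", i))
		case seen[e]:
			out = append(out, fmt.Sprintf("veto_exec_policy.executables[%d]: duplicate of %q", i, e))
		case strings.HasPrefix(e, "/") && path.Clean(e) != e:
			out = append(out, fmt.Sprintf("veto_exec_policy.executables[%d]: %q is not a clean absolute path", i, e))
		}
		seen[e] = true
	}
	return out
}

func main() {
	// Constructed sample values, not taken from any real organization.
	env, err := FalconEnv(CrowdStrikeConfig{Enabled: true, Image: "registry.example/falcon-sensor:latest",
		CidSecretID: "123e4567-e89b-12d3-a456-426614174000", AdditionalOptions: map[string]string{"APD": "true", "TRACE": "err"}})
	fmt.Println(env, err)
	for _, f := range LintVetoExec(VetoExecPolicy{Enabled: true, Executables: []string{"/usr/bin/nc", "nc", "/usr/bin/nc", "/usr/bin/../bin/nmap"}}) {
		fmt.Println(f)
	}
}
```

The page allows both bare names and absolute paths in executables, so the linter only objects to an absolute path that is not in canonical form; whether a bare name matches a binary by basename or by PATH lookup is not documented here, so nothing about matching is assumed. The AUDIT finding is informational: audit mode is a legitimate choice for rollout, but an administrator who expected blocking should see it called out.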