API Reference

Organizations

Copy Markdown

Open in Claude

Open in ChatGPT

Open in Cursor

---

Copy Markdown

View as Markdown

Policies

GetOrganizationPolicies

client.Organizations.Policies.Get(ctx, body) (*OrganizationPolicyGetResponse, error)

POST/gitpod.v1.OrganizationService/GetOrganizationPolicies

UpdateOrganizationPolicies

client.Organizations.Policies.Update(ctx, body) (*OrganizationPolicyUpdateResponse, error)

POST/gitpod.v1.OrganizationService/UpdateOrganizationPolicies

ModelsExpand Collapse

type AgentPolicy struct{…}

AgentPolicy contains agent-specific policy settings for an organization

CommandDenyList []string

command_deny_list contains a list of commands that agents are not allowed to execute

McpDisabled bool

mcp_disabled controls whether MCP (Model Context Protocol) is disabled for agents

ScmToolsDisabled bool

scm_tools_disabled controls whether SCM (Source Control Management) tools are disabled for agents

ConversationSharingPolicy ConversationSharingPolicyOptional

conversation_sharing_policy controls whether agent conversations can be shared

One of the following:

const ConversationSharingPolicyUnspecified ConversationSharingPolicy = "CONVERSATION_SHARING_POLICY_UNSPECIFIED"

const ConversationSharingPolicyDisabled ConversationSharingPolicy = "CONVERSATION_SHARING_POLICY_DISABLED"

const ConversationSharingPolicyOrganization ConversationSharingPolicy = "CONVERSATION_SHARING_POLICY_ORGANIZATION"

MaxSubagentsPerEnvironment int64Optional

max_subagents_per_environment limits the number of non-terminal sub-agents a parent can have running simultaneously in the same environment. Valid range: 0-10. Zero means use the default (5).

formatint32

maximum10

ScmToolsAllowedGroupID stringOptional

scm_tools_allowed_group_id restricts SCM tools access to members of this group. Empty means no restriction (all users can use SCM tools if not disabled).

type ConversationSharingPolicy string

ConversationSharingPolicy controls how agent conversations can be shared.

One of the following:

const ConversationSharingPolicyUnspecified ConversationSharingPolicy = "CONVERSATION_SHARING_POLICY_UNSPECIFIED"

const ConversationSharingPolicyDisabled ConversationSharingPolicy = "CONVERSATION_SHARING_POLICY_DISABLED"

const ConversationSharingPolicyOrganization ConversationSharingPolicy = "CONVERSATION_SHARING_POLICY_ORGANIZATION"

type CrowdStrikeConfig struct{…}

CrowdStrikeConfig configures CrowdStrike Falcon sensor deployment

AdditionalOptions map[string, string]Optional

additional_options contains additional FALCONCTL_OPT_* options as key-value pairs. Keys should NOT include the FALCONCTL_OPT_ prefix.

CidSecretID stringOptional

cid_secret_id references an organization secret containing the Customer ID (CID).

formatuuid

Enabled boolOptional

enabled controls whether CrowdStrike Falcon is deployed to environments

Image stringOptional

image is the CrowdStrike Falcon sensor container image reference

Tags stringOptional

tags are optional tags to apply to the Falcon sensor (comma-separated)

type CustomAgentEnvMapping struct{…}

CustomAgentEnvMapping maps a script placeholder to an organization secret. The backend resolves the secret name to a UUID at runtime.

Name stringOptional

name is the environment variable name used as a placeholder in the start command.

SecretName stringOptional

secret_name is the name of the organization secret whose value populates this placeholder.

type CustomSecurityAgent struct{…}

CustomSecurityAgent defines a custom security agent configured by an organization admin.

ID stringOptional

id is a unique identifier for this custom agent within the organization. Server-generated at save time if empty.

Description stringOptional

description is a human-readable description of what this agent does

Enabled boolOptional

enabled controls whether this custom agent is deployed to environments

EnvMappings []CustomAgentEnvMappingOptional

env_mappings maps script placeholders to organization secret names, resolved to secret values at runtime.

Name stringOptional

name is the environment variable name used as a placeholder in the start command.

SecretName stringOptional

secret_name is the name of the organization secret whose value populates this placeholder.

Name stringOptional

name is the display name for this custom agent

StartCommand stringOptional

start_command is the shell script that starts the agent

type KernelControlsAction string

KernelControlsAction defines how a kernel-level policy violation is handled.

One of the following:

const KernelControlsActionUnspecified KernelControlsAction = "KERNEL_CONTROLS_ACTION_UNSPECIFIED"

const KernelControlsActionBlock KernelControlsAction = "KERNEL_CONTROLS_ACTION_BLOCK"

const KernelControlsActionAudit KernelControlsAction = "KERNEL_CONTROLS_ACTION_AUDIT"

type OrganizationPolicies struct{…}

AgentPolicy AgentPolicy

agent_policy contains agent-specific policy settings

CommandDenyList []string

command_deny_list contains a list of commands that agents are not allowed to execute

McpDisabled bool

mcp_disabled controls whether MCP (Model Context Protocol) is disabled for agents

ScmToolsDisabled bool

scm_tools_disabled controls whether SCM (Source Control Management) tools are disabled for agents

ConversationSharingPolicy ConversationSharingPolicyOptional

conversation_sharing_policy controls whether agent conversations can be shared

One of the following:

const ConversationSharingPolicyUnspecified ConversationSharingPolicy = "CONVERSATION_SHARING_POLICY_UNSPECIFIED"

const ConversationSharingPolicyDisabled ConversationSharingPolicy = "CONVERSATION_SHARING_POLICY_DISABLED"

const ConversationSharingPolicyOrganization ConversationSharingPolicy = "CONVERSATION_SHARING_POLICY_ORGANIZATION"

MaxSubagentsPerEnvironment int64Optional

max_subagents_per_environment limits the number of non-terminal sub-agents a parent can have running simultaneously in the same environment. Valid range: 0-10. Zero means use the default (5).

formatint32

maximum10

ScmToolsAllowedGroupID stringOptional

scm_tools_allowed_group_id restricts SCM tools access to members of this group. Empty means no restriction (all users can use SCM tools if not disabled).

AllowedEditorIDs []string

allowed_editor_ids is the list of editor IDs that are allowed to be used in the organization

AllowLocalRunners bool

allow_local_runners controls whether local runners are allowed to be used in the organization

DefaultEditorID string

default_editor_id is the default editor ID to be used when a user doesn’t specify one

DefaultEnvironmentImage string

default_environment_image is the default container image when none is defined in repo

MaximumEnvironmentsPerUser string

maximum_environments_per_user limits total environments (running or stopped) per user

MaximumRunningEnvironmentsPerUser string

maximum_running_environments_per_user limits simultaneously running environments per user

MembersCreateProjects bool

members_create_projects controls whether members can create projects

MembersRequireProjects bool

members_require_projects controls whether environments can only be created from projects by non-admin users

OrganizationID string

organization_id is the ID of the organization

formatuuid

PortSharingDisabled bool

port_sharing_disabled controls whether user-initiated port sharing is disabled in the organization. System ports (VS Code Browser, agents) are always exempt from this policy.

RequireCustomDomainAccess bool

require_custom_domain_access controls whether users must access via custom domain when one is configured. When true, access via app.gitpod.io is blocked.

RestrictAccountCreationToScim bool

restrict_account_creation_to_scim controls whether account creation is restricted to SCIM-provisioned users only. When true and SCIM is configured for the organization, only users provisioned via SCIM can create accounts.

DeleteArchivedEnvironmentsAfter stringOptional

delete_archived_environments_after controls how long archived environments are kept before automatic deletion. 0 means no automatic deletion. Maximum duration is 4 weeks (2419200 seconds).

formatregex

EditorVersionRestrictions map[string, OrganizationPoliciesEditorVersionRestriction]Optional

editor_version_restrictions restricts which editor versions can be used. Maps editor ID to version policy, editor_version_restrictions not set means no restrictions. If empty or not set for an editor, we will use the latest version of the editor

AllowedVersions []stringOptional

allowed_versions lists the versions that are allowed If empty, we will use the latest version of the editor

Examples for JetBrains: ["2025.2", "2025.1", "2024.3"]

MaximumEnvironmentLifetime stringOptional

maximum_environment_lifetime controls for how long environments are allowed to be reused. 0 means no maximum lifetime. Maximum duration is 180 days (15552000 seconds).

formatregex

MaximumEnvironmentTimeout stringOptional

maximum_environment_timeout controls the maximum timeout allowed for environments in seconds. 0 means no limit (never). Minimum duration is 30 minutes (1800 seconds). value must be 0s (no limit) or at least 1800s (30 minutes):

this == duration('0s') || this >= duration('1800s')

formatregex

SecurityAgentPolicy SecurityAgentPolicyOptional

security_agent_policy contains security agent configuration for the organization. When configured, security agents are automatically deployed to all environments.

Crowdstrike CrowdStrikeConfigOptional

crowdstrike contains CrowdStrike Falcon configuration

AdditionalOptions map[string, string]Optional

additional_options contains additional FALCONCTL_OPT_* options as key-value pairs. Keys should NOT include the FALCONCTL_OPT_ prefix.

CidSecretID stringOptional

cid_secret_id references an organization secret containing the Customer ID (CID).

formatuuid

Enabled boolOptional

enabled controls whether CrowdStrike Falcon is deployed to environments

Image stringOptional

image is the CrowdStrike Falcon sensor container image reference

Tags stringOptional

tags are optional tags to apply to the Falcon sensor (comma-separated)

VetoExecPolicy VetoExecPolicyOptional

veto_exec_policy contains the veto exec policy for environments.

Action KernelControlsActionOptional

action specifies what action kernel-level controls take on policy violations

One of the following:

const KernelControlsActionUnspecified KernelControlsAction = "KERNEL_CONTROLS_ACTION_UNSPECIFIED"

const KernelControlsActionBlock KernelControlsAction = "KERNEL_CONTROLS_ACTION_BLOCK"

const KernelControlsActionAudit KernelControlsAction = "KERNEL_CONTROLS_ACTION_AUDIT"

Enabled boolOptional

enabled controls whether executable blocking is active

Executables []stringOptional

executables is the list of executable paths or names to block

type SecurityAgentPolicy struct{…}

SecurityAgentPolicy contains security agent configuration for an organization. When enabled, security agents are automatically deployed to all environments.

Crowdstrike CrowdStrikeConfigOptional

crowdstrike contains CrowdStrike Falcon configuration

AdditionalOptions map[string, string]Optional

additional_options contains additional FALCONCTL_OPT_* options as key-value pairs. Keys should NOT include the FALCONCTL_OPT_ prefix.

CidSecretID stringOptional

cid_secret_id references an organization secret containing the Customer ID (CID).

formatuuid

Enabled boolOptional

enabled controls whether CrowdStrike Falcon is deployed to environments

Image stringOptional

image is the CrowdStrike Falcon sensor container image reference

Tags stringOptional

tags are optional tags to apply to the Falcon sensor (comma-separated)

type VetoExecPolicy struct{…}

VetoExecPolicy defines the policy for blocking or auditing executable execution in environments.

Action KernelControlsActionOptional

action specifies what action kernel-level controls take on policy violations

One of the following:

const KernelControlsActionUnspecified KernelControlsAction = "KERNEL_CONTROLS_ACTION_UNSPECIFIED"

const KernelControlsActionBlock KernelControlsAction = "KERNEL_CONTROLS_ACTION_BLOCK"

const KernelControlsActionAudit KernelControlsAction = "KERNEL_CONTROLS_ACTION_AUDIT"

Enabled boolOptional

enabled controls whether executable blocking is active

Executables []stringOptional

executables is the list of executable paths or names to block