Session Revocation — GitHub

GitHub does not expose a dedicated “SSO session revoke” API. Challenge supports two mutually exclusive actions configured per integration:

  1. Revoke SAML SSO credential authorizations (default) — invalidates SAML-authorized PATs and SSH keys for the org
  2. Remove organization member — removes the user from the org (full cut-off; also removes SAML authorizations)

Credentials

  1. Create a GitHub personal access token (classic) or fine-grained PAT owned by an organization owner.
  2. Required scopes:
    • SAML revoke mode: read:org, admin:org
    • Remove member mode: admin:org
  3. Enter the organization slug and token in Challenge under Integrations → Session Revocation → GitHub.

Revoke action setting

Mode | Behavior
Revoke SAML SSO credential authorizations | Lists and deletes each SAML credential authorization for the user
Remove organization member | DELETE /orgs/{org}/members/{username}

Only one mode runs per revocation request.

API calls Challenge makes

Lookup: GET /orgs/{org}/members/{username} (204 = member exists)

SAML revoke mode:

  • GET /orgs/{org}/credential-authorizations?login={username}
  • DELETE /orgs/{org}/credential-authorizations/{credential_id} for each authorization

Remove member mode:

  • DELETE /orgs/{org}/members/{username}
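
The SAML revoke sequence above (lookup, list, delete each authorization), as an added Python example that is not Challenge's own code. The function names, the RevocationError class, the http_<status> generalization of http_403, and the in-memory fake_transport are assumptions made for illustration.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import quote

class RevocationError(Exception):
    """Symptom code as in the troubleshooting table, e.g. http_403, user_not_found."""

def github_transport(token, api="https://api.github.com"):
    """Live transport: returns request(method, path) -> (status, parsed JSON or None)."""
    def request(method, path):
        headers = {"Authorization": f"Bearer {token}", "Accept": "application/vnd.github+json"}
        req = urllib.request.Request(api + path, method=method, headers=headers)
        try:
            with urllib.request.urlopen(req) as resp:
                # 204 responses carry no body; "null" parses to None.
                return resp.status, json.loads(resp.read() or "null")
        except urllib.error.HTTPError as err:
            return err.code, None
    return request

def fake_transport(members, auths):
    """Constructed in-memory stand-in for the three endpoints, for offline runs."""
    def request(method, path):
        tail = path.rsplit("/", 1)[1]
        if "/members/" in path:
            return (204 if tail in members else 404), None
        if method == "GET":
            return 200, [a for a in auths if a["login"] == tail.split("login=")[1]]
        auths[:] = [a for a in auths if str(a["credential_id"]) != tail]
        return 204, None
    return request

def revoke_saml_authorizations(org, username, request):
    """Lookup, list, then delete each SAML credential authorization of one login."""
    org, user = quote(org, safe=""), quote(username, safe="")
    status, _ = request("GET", f"/orgs/{org}/members/{user}")
    if status == 404:
        raise RevocationError("user_not_found")
    if status != 204:  # 204 = member exists
        raise RevocationError(f"http_{status}")  # generalizes the page's http_403 (assumption)
    status, auths = request("GET", f"/orgs/{org}/credential-authorizations?login={user}")
    if status != 200:
        raise RevocationError(f"http_{status}")
    revoked, failed = [], []
    for auth in auths or []:
        cid = auth["credential_id"]
        status, _ = request("DELETE", f"/orgs/{org}/credential-authorizations/{cid}")
        (revoked if status == 204 else failed).append(cid)
    return {"revoked": revoked, "failed": failed}
```

Pass github_transport(token) for a live organization or fake_transport(members, auths) with constructed data to exercise the flow offline; the failed list exposes authorizations that survived the run and need a retry.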

Username format

Use the user’s GitHub login (handle); this is not always their email address.

Troubleshooting

Symptom | Check
http_403 | Token owner is not org owner or lacks scopes
user_not_found | Wrong GitHub login or user not in org
Remove member fails with 403 | Enterprise team indirect membership may remain