# Managing Scoped Organization Tokens

*This feature is only available in the Team and Enterprise plans.*

Scoped Organization Tokens are used to run analyses on your code. To do so, the `sonar.token` property is used. For more details see [#authentication-to-the-server](https://docs.sonarsource.com/sonarqube-cloud/analyzing-source-code/analysis-parameters#authentication-to-the-server "mention").

You must be an organization admin to be able to retrieve and manage Scoped Organization Tokens. This section explains how to do this in the UI. You can also use the [Authentication domain API](https://api-docs.sonarsource.com/sonarqube-cloud/default/public-externalauthentication-0-0).

## About Scoped Organization Tokens

Scoped Organization Tokens provide a secure way to manage non-user-specific authentication. Attached to an organization, they are created and managed by the organization admin who can revoke them anytime. Revoked tokens are automatically deleted.

{% hint style="warning" %}
Scope Organization Tokens are not yet supported with Azure DevOps service connections.
{% endhint %}

### Security and scope

Scoped Organization Tokens adhere to the principle of least privilege by defining their scope in two ways:

* Project Access: You specify which projects within the organization the token can access. This can be a custom selection of existing projects, or you can grant access to all current and future projects.
* Permissions: You define the specific permissions granted by the token.

{% hint style="warning" %}
Scope Organization Tokens can only be granted the Execute analysis permission. Support for additional permissions is planned for the near future.
{% endhint %}

### Status and expiration

You can define any expiry date for your Scoped Organization Token, or no expiration. The different token statuses are:

* Active
* About to expire (in less that 7 days)
* Expired

{% hint style="info" %}
For security reasons, tokens without expiry date that have been inactive for 60 days will be automatically removed.
{% endhint %}

### Management and identification

Scoped Organization Tokens are identified through their `sqco_` prefix.

SonarQube's S7791 rule can verify the non-disclosure of Scoped Organization Tokens within your code.

## Retrieving and viewing Scoped Organization Tokens

1. Retrieve your organization. See [viewing-organizations](https://docs.sonarsource.com/sonarqube-cloud/getting-started/viewing-organizations "mention") for more details.
2. Go to **Scoped Organization Tokens**. The list of tokens is displayed.

<figure><img src="broken-reference" alt="Retrieving scoped organization tokens"><figcaption></figcaption></figure>

3. In the list of tokens, locate the token you want to view and select the **Actions** menu at the end of the row.
4. In the menu, select **View details**. The token details are displayed as illustrated below.

<figure><img src="broken-reference" alt="Scope organization tokens details"><figcaption></figcaption></figure>

## Creating a Scoped Organization Token

1. Retrieve your organization. See [viewing-organizations](https://docs.sonarsource.com/sonarqube-cloud/getting-started/viewing-organizations "mention") for more details.
2. Go to **Scoped Organization Tokens**.
3. In the top right corner, select the **Create token** button.

<figure><img src="broken-reference" alt="Creating a token form"><figcaption></figcaption></figure>

4. Enter the token name and description. Choose a name that accurately represents the token purpose.
5. In **Expires in**, select the token lifetime or select **No expiration**.
6. In **Projects this token can access**, select the option you want to use, either a custom selection of projects or all projects within the organization.\
   If you selected **Custom selection of projects**:
   1. Select the **Select projects** button. The **Projects scope** dialog opens.
   2. Select the projects to which the token will give access.as illustrated below.
   3. Close the dialog.
7. Select the **Generate token** button. A message pops up to notify the successful token generation.
8. Immediately copy the generated token from the notification message. Once you’ve left the notification, you won’t be able to view the token value any more.

<figure><img src="broken-reference" alt="Select the copy tool located at the right of the generated token to copy and then paste the token."><figcaption></figcaption></figure>

12. You can now close the notification.

## Revoking a Scoped Organization Token

When you revoke a Scoped Organization Token, it’s automatically deleted.

To revoke a Scoped Organization Token:

1. Retrieve your token as described above in [#retrieving-and-viewing-scoped-organization-tokens](#retrieving-and-viewing-scoped-organization-tokens "mention").
2. In the **Actions** menu, select **Revoke**. A confirmation dialog opens.
3. Confirm. The token disappears from the list of tokens.

## Modifying the scope of a Scoped Organization Token

You can modify the custom list of projects to which a Scoped Organization Token gives access.

{% hint style="warning" %}
You cannot modify the scope of a Scoped Organization Token configured for all current and future projects.
{% endhint %}

To modify the custom scope of a Scoped Organization Token:

1. Retrieve your token as described above in [#retrieving-and-viewing-scoped-organization-tokens](#retrieving-and-viewing-scoped-organization-tokens "mention").
2. In the **Actions** menu, select **View details**.
3. Select the **Edit projects** button. The **Projects scope** dialog opens.
4. Change the project selection.
5. Select **Close**.

## Related pages

* [web-api](https://docs.sonarsource.com/sonarqube-cloud/appendices/web-api "mention")

## Related online courses

* <i class="fa-video">:video:</i> [Creating scoped organization tokens in SonarQube Cloud](https://www.sonarsource.com/learn/course/sonarqube-cloud/86ad9781-cfb5-4c02-b141-1fe776843827/creating-scoped-organization-tokens-in-sonarqube-cloud)