Managing Scoped Organization Tokens

This feature is only available in the Team and Enterprise plans.

Scoped Organization Tokens are used to run analyses on your code. To do so, the sonar.token property is used. For more details see Analysis parameters.

You must be an organization admin to be able to retrieve and manage Scoped Organization Tokens. This section explains how to do this in the UI. You can also use the Authentication domain API.

About Scoped Organization Tokens

Scoped Organization Tokens provide a secure way to manage non-user-specific authentication. Attached to an organization, they are created and managed by the organization admin who can revoke them anytime. Revoked tokens are automatically deleted.

Security and scope

Scoped Organization Tokens adhere to the principle of least privilege by defining their scope in two ways:

• Project Access: You specify which projects within the organization the token can access. This can be a custom selection of existing projects, or you can grant access to all current and future projects.

• Permissions: You define the specific permissions granted by the token.

Status and expiration

You can define any expiry date for your Scoped Organization Token, or no expiration. The different token statuses are:

• Active

• About to expire (in less that 7 days)

• Expired

Management and identification

Scoped Organization Tokens are identified through their sqco_ prefix.

SonarQube's S7791 rule can verify the non-disclosure of Scoped Organization Tokens within your code.

Retrieving and viewing Scoped Organization Tokens

1. Retrieve your organization. See Retrieving your organizations for more details.

2. Go to Scoped Organization Tokens. The list of tokens is displayed.

1. In the list of tokens, locate the token you want to view and select the Actions menu at the end of the row.

2. In the menu, select View details. The token details are displayed as illustrated below.

Creating a Scoped Organization Token

1. Retrieve your organization. See Retrieving your organizations for more details.

2. Go to Scoped Organization Tokens.

3. In the top right corner, select the Create token button.

1. Enter the token name and description. Choose a name that accurately represents the token purpose.

2. In Expires in, select the token lifetime or select No expiration.

3. In Projects this token can access, select the option you want to use, either a custom selection of projects or all projects within the organization. If you selected Custom selection of projects:

   1. Select the Select projects button. The Projects scope dialog opens.

   2. Select the projects to which the token will give access.as illustrated below.

   3. Close the dialog.

4. Select the Generate token button. A message pops up to notify the successful token generation.

5. Immediately copy the generated token from the notification message. Once you’ve left the notification, you won’t be able to view the token value any more.

1. You can now close the notification.

Revoking a Scoped Organization Token

When you revoke a Scoped Organization Token, it’s automatically deleted.

To revoke a Scoped Organization Token:

1. Retrieve your token as described above in Retrieving and viewing Scoped Organization Tokens.

2. In the Actions menu, select Revoke. A confirmation dialog opens.

3. Confirm. The token disappears from the list of tokens.

Modifying the scope of a Scoped Organization Token

You can modify the custom list of projects to which a Scoped Organization Token gives access.

To modify the custom scope of a Scoped Organization Token:

1. Retrieve your token as described above in Retrieving and viewing Scoped Organization Tokens.

2. In the Actions menu, select View details.

3. Select the Edit projects button. The Projects scope dialog opens.

4. Change the project selection.

5. Select Close.

Related pages

• Web API

Related online courses

• Creating scoped organization tokens in SonarQube Cloud