Managing your tokens

Generate tokens to run analysis or invoke web services without accessing your actual credentials.

You can generate authentication tokens that can be used to run analysis or invoke web services without access to your actual credentials. You can create as many tokens as you want. Once a token is created, you can use it to perform analysis on a project where you have Execute Analysis permission.

You receive an email notification when one of your tokens is about to expire.

Types of tokens

User

Understanding user tokens

User tokens allow you to perform, via the Web API, any action the user can do via the UI.

These tokens are the required authentication method used by SonarQube for IDE when setting up SonarLint Connected Mode. A user token gives you all the permissions of the user who issued it. For example, a global admin’s user token gives you full rights to the instance.

When using tokens to set up Connected mode in SonarQube for IDE, user tokens are required. Note that the binding will not function properly if project tokens or global tokens are used during the setup process. Check the SonarQube for IDE documentation for more details:

Project analysis

Understanding project analysis tokens

A project analysis token allows you to run analyses on the specific project it was generated for.

To create a project analysis token, the user should have Global Execute Analysis permission or Execute Analysis permission on the token’s associated project.

If the token’s author loses Execute Analysis permissions for the associated project, the token will no longer be valid for performing an analysis.

The usage of project analysis tokens is encouraged for security reasons. If such a token were to leak, an attacker would only gain access to analyze a single project or to interact with the related web services requiring Execute Analysis permissions.

Global analysis

Understanding global analysis tokens

These tokens can be used to run analyses on every project.

To create global analysis tokens, the user should have Global Execute Analysis Permission.

If the token’s author loses the Global Execute Analysis permission, the token will no longer be valid for performing an analysis.

Generating a token

You can generate new tokens at User > My Account > Security.

The form at the top of the page allows you to generate new tokens, specifying their token type. You can select an expiration for your token or choose "no expiration". If you select an expiration date, and your system administrator has configured SonarQube Server to send email notifications, you will receive an email 7 days prior to your token’s expiry date to remind you to rotate your token. If the token is not revoked before expiring, you will receive another email once the token has expired to notify you the token is no longer usable.

If an Administrator has enforced a maximum lifetime for tokens, then the "no expiration" option will not be available and the maximum allowed expiration will correspond to the maximum token lifetime allowed by your organization. Enforcing a maximum lifetime for all newly generated tokens is available as part of the Enterprise Edition and above; for more information, please see Security features.

Once you select Generate, you will see the token value. Copy it immediately; when you dismiss the notification, you will not be able to retrieve it.

Revoking a token

You can revoke an existing token at User > My Account > Security by selecting Revoke next to the token.

Expired tokens

If a token has an expiration date and is past the expiration, it will no longer be usable. The token will still be visible under User > My Account > Security, where you can revoke it like any other token.

Using a token

User tokens are used in the following scenarios:

  • when running analyses on your code, use the token as value of the sonar.token property, or create the SONAR_TOKEN environment variable and set the token as its value.

  • when invoking web services, pass the token using the bearer or basic HTTP authentication scheme (see Web API).

In both cases, you don’t need to provide a password. Using a token is the preferred method over using a login and password.

Expiration date in HTTP response

When using a token to interact with web services, a SonarQube-Authentication-Token-Expiration HTTP header will be added to the response. This header contains the token expiration date and can help third-party tools track upcoming expirations; this method allows the token to be rotated in time.

Related pages

  • Tokens This page is directed at the System Administrator.

PreviousChanging passwordNextUsing a project badge

Was this helpful?