10.4 | Extension Guide | Web API

On this page



SonarQube provides web API to access its functionalities from applications. The web services composing the web API are documented within SonarQube, by URL. You can also access the Web API documentation from the top bar in SonarQube:

Note that the Web API V2 will gradually replace the Web API as endpoints get deprecated and replaced.


Administrative web services are secured and require the user to have specific permissions. In order to be authenticated, the user must provide credentials as described below.

User token

This is the recommended way. Benefits are described on the page Generating and using tokens.

SonarQube supports the bearer authentication scheme: 

curl --header 'Authorization: Bearer MY_TOKEN' https://sonarqube.com/api/user_tokens/search

Alternatively, you can use the basic scheme with an empty password:

# note that the colon after the token is required in curl to set an empty password 
curl -u THIS_IS_MY_TOKEN: https://sonarqube.com/api/user_tokens/search

HTTP Basic Access

Login and password are sent via the standard HTTP Basic fields:

curl -u MY_LOGIN:MY_PASSWORD https://sonarqube.com/api/user_tokens/search

Users who authenticate in the web application through an OAuth provider, for instance, GitHub or Bitbucket, don't have credentials and can't use HTTP Basic mode. They must generate and use tokens.

Web API deprecation policy

The goal of the deprecation policy is to make sure that users are aware of what is changing and have time to adjust before a component of the API is dropped at a given planned date.

The Web API deprecation policy states that:

  • An API component must be deprecated before being dropped. Furthermore, if the underlying feature is not being dropped, a replacement component must immediately be provided.
  • A deprecated API component must be fully supported until its drop (For instance the implementation of a deprecated method can't be replaced by throwing a new UnsupportedOperationException()).
  • The API release cycle is tied to the SonarQube release cycle
  • If an API component is deprecated in version X.Y, this component is planned to be dropped in version (X+1).0.  For example, a component deprecated in the 10.x version is kept until the 10.x LTS version: it will be dropped in the 11.0 version.

This leads to the following policy recommendations for API users:

  • Regularly monitor the deprecation of API components and check if you’re currently using them. See Monitoring the deprecated API components.
  • If you're currently using deprecated API components:
    • Don't add new uses of it.
    • Make the necessary updates in your next few releases so you’re ready for any breaking changes after the next LTS release.

© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARLINT, SONARQUBE, SONARCLOUD, and CLEAN AS YOU CODE are trademarks of SonarSource SA.

Creative Commons License