Generating and using tokens

Users can generate tokens that can be used to run analyses or invoke web services without access to the user's actual credentials.

Types of tokens

User tokens

These tokens can be used to run analyses and to invoke web services, based on the token author's permissions.

Project analysis tokens

These tokens can be used to run analyses on a specific project.

To create a Project analysis token, the user must have the Global Execute Analysis permission or the Execute Analysis permission on the token's associated project.

If the token's author loses Execute Analysis permissions for the associated project, the token will no longer be valid for performing an analysis.

Global analysis tokens

These tokens can be used to run analyses on every project.

To create Global analysis tokens, the user must have the Global Execute Analysis permission.

If the token's author loses the Global Execute Analysis permission, the token will no longer be valid for performing an analysis.

Generating a token

You can generate new tokens at User > My Account > Security.

The form at the top of the page allows you to generate new tokens, specifying their token type. You can select an expiration for your token or choose "no expiration".

If an Administrator has enforced a maximum lifetime for tokens, then the "no expiration" option will not be available and the maximum allowed expiration will correspond to the maximum token lifetime allowed by your organization. Enforcing a maximum lifetime for all newly generated tokens is available as part of the Enterprise Edition and above; for more information, please see Security.

Once you select Generate, you will see the token value. Copy it immediately; when you dismiss the notification, you will not be able to retrieve it.

Revoking a token

You can revoke an existing token at User > My Account > Security by selecting Revoke next to the token.

Expired tokens

If a token has an expiration date and is past the expiration, it will no longer be usable. The token will still be visible under User > My Account > Security, where you can revoke it like any other token.

Using a token

User tokens must replace your normal login process in the following scenarios:

  • when running analyses on your code, replace your login with the token in the sonar.login property.
  • when invoking web services, pass the token instead of your login while doing the basic authentication.

In both cases, you don't need to provide a password; therefore, when running analyses on your code, the sonar.password property is optional. Using a token is the preferred method over using a login and password.

Expiration date in HTTP response

When using a token to interact with web services, a SonarQube-Authentication-Token-Expiration HTTP header will be added to the response. This header contains the token expiration date and can help third-party tools track upcoming expirations; this method allows the token to be rotated in time.
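The following is an added example, not code from the SonarQube documentation. It shows how a third-party tool could build the basic authentication header from a token and use the expiration header to decide when to rotate. It assumes the header value is an ISO 8601 timestamp with a numeric offset, which this page does not specify; the token, the response headers and the function names are constructed for illustration.

```python
import base64
from datetime import datetime, timezone

EXPIRATION_HEADER = "SonarQube-Authentication-Token-Expiration"
# Assumption: the header value looks like 2024-03-10T08:00:00+0000.
ASSUMED_FORMAT = "%Y-%m-%dT%H:%M:%S%z"


def basic_auth_header(token):
    """Put the token in the login position of HTTP Basic auth, with no password."""
    raw = f"{token}:".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def token_expiration(headers):
    """Return the expiration as an aware datetime, or None if the header is absent."""
    for name, value in headers.items():
        # HTTP header names are case-insensitive.
        if name.lower() == EXPIRATION_HEADER.lower():
            return datetime.strptime(value.strip(), ASSUMED_FORMAT)
    return None


def rotation_status(headers, now, warn_days=14):
    """Classify the token: no-expiration-header, ok, rotate-soon or expired."""
    expires = token_expiration(headers)
    if expires is None:
        return "no-expiration-header"
    remaining = expires - now
    if remaining.total_seconds() <= 0:
        return "expired"
    if remaining.days < warn_days:
        return "rotate-soon"
    return "ok"


# Constructed sample data: placeholder token and made-up response headers.
SAMPLE_TOKEN = "EXAMPLE_TOKEN_PLACEHOLDER"
SAMPLE_HEADERS = {
    "Content-Type": "application/json",
    "sonarqube-authentication-token-expiration": "2024-03-10T08:00:00+0000",
}

if __name__ == "__main__":
    now = datetime(2024, 3, 1, tzinfo=timezone.utc)
    print(basic_auth_header(SAMPLE_TOKEN))
    print(rotation_status(SAMPLE_HEADERS, now))
```
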

© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARLINT, SONARQUBE, SONARCLOUD, and CLEAN AS YOU CODE are trademarks of SonarSource SA.
