OAuth2 API

Snyk provides an OAuth2 API, primarily for use with Snyk Apps. It complies with RFC 6749.

Most endpoints are served from the Snyk API subdomain (for example, https://api.snyk.io); the one exception is /oauth2/authorize, which is served on the main app subdomain (for example, https://app.snyk.io).

Initiate the authorization code flow

GET /oauth2/authorize

To be called by the end user to authorize the client application to their Snyk organizations. Success returns a redirect to the provided redirect_uri, containing an authorization code which can be exchanged for an access token.

Query parameters

response_type (string, enum, required)

The type of authorization flow being used. Only "code" is supported for the authorization code flow.

Example: code
Options: code

client_id (string, required)

The client ID of the client application.

Example: 64ae3415-5ccd-49e5-91f0-9101a6793ec2

redirect_uri (string, required)

The redirection URI to which the authorization server will redirect the user after granting or denying authorization. It must exactly match one of the URIs set on the client application.

Example: https://example.com/callback

state (string, optional)

An opaque value used by the client to maintain state between the authorization request and the authorization callback. Use this value to match client callbacks to the request that spawned them.

Example: random_state_value

code_challenge (string, required)

A cryptographically secure code challenge derived from a secret code verifier you generate on the client side, as defined in RFC 7636. It is generated by hashing a randomly generated string (the code_verifier, which is later sent when exchanging the code for tokens) and URL-safe base64 encoding the result.

Example: YWVjMDcwNjQ1ZmU1M2VlM2IzNzYzMDU5Mzc2MTM0ZjA1OGNjMzM3MjQ3Yzk3OGFkZDE3OGI2Y2NkZmIwMDE5Zg

code_challenge_method (string, enum, required)

The method used to derive the code challenge from the code verifier; only S256 is supported.

Example: S256
Options: S256
Example request

curl -L \
  --url 'https://app.snyk.io/oauth2/authorize?response_type=code&client_id=64ae3415-5ccd-49e5-91f0-9101a6793ec2&redirect_uri=https%3A%2F%2Fexample.com%2Fcallback&code_challenge=YWVjMDcwNjQ1ZmU1M2VlM2IzNzYzMDU5Mzc2MTM0ZjA1OGNjMzM3MjQ3Yzk3OGFkZDE3OGI2Y2NkZmIwMDE5Zg&code_challenge_method=S256'

Example response

No body (the response is a redirect to the provided redirect_uri).

Request an access token

POST /oauth2/token

Allows the client application to exchange the authorization code received from the authorization server for an access token.

Body (application/x-www-form-urlencoded)

one of (optional). The fields used for the authorization code grant are those in the example request: grant_type, code, client_id, client_secret and code_verifier.

Example request

curl -L \
  --request POST \
  --url 'https://api.snyk.io/oauth2/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data 'grant_type=authorization_code&code=returned_auth_code&client_id=64ae3415-5ccd-49e5-91f0-9101a6793ec2&client_secret=super_secret_client_secret&code_verifier=your_secure_code_verifier'

Example response

{
  "access_token": "some_opaque_access_token_string",
  "expires_in": 3599,
  "refresh_token": "some_opaque_refresh_token_string",
  "refresh_expires_in": 15552000,
  "token_type": "bearer",
  "scope": "org.read org.project.read org.project.snapshot.read",
  "bot_id": "95233fa3-33cf-4dd3-a6ac-e040985e1a4f"
}
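An added example (not Snyk's code) that carries the two steps above through end to end in Python: it generates the PKCE code_verifier, derives the S256 code_challenge, builds the /oauth2/authorize URL, checks state on the callback, and assembles the /oauth2/token form body without sending it. The handling of an error query parameter on a denied callback is assumed from RFC 6749, which the page says the API complies with, rather than taken from this page.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoints as stated on the page: authorize is on the app subdomain, token on the API subdomain.
AUTHORIZE_URL = "https://app.snyk.io/oauth2/authorize"
TOKEN_URL = "https://api.snyk.io/oauth2/token"

def make_verifier() -> str:
    """Fresh code_verifier per flow: 32 random bytes -> 43 URL-safe chars (RFC 7636 allows 43-128)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()

def s256_challenge(verifier: str) -> str:
    """code_challenge for code_challenge_method=S256: base64url(SHA-256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def build_authorize_url(client_id: str, redirect_uri: str, state: str, verifier: str) -> str:
    """URL to send the user to; only the challenge leaves the client, the verifier stays secret."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # must exactly match a URI registered on the client application
        "state": state,
        "code_challenge": s256_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"

def handle_callback(callback_url: str, expected_state: str) -> str:
    """Parse the redirect back to redirect_uri; stop unless state matches the request we issued."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to a request we started")
    if "error" in q:  # assumed RFC 6749 error parameter on a denied authorization
        raise ValueError(f"authorization was not granted: {q['error'][0]}")
    return q["code"][0]

def build_token_request(client_id: str, client_secret: str, code: str, verifier: str) -> dict:
    """Form-encoded body for POST /oauth2/token; the verifier proves we began this flow."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "code_verifier": verifier,
    }
    return {"method": "POST", "url": TOKEN_URL,
            "headers": {"Content-Type": "application/x-www-form-urlencoded"}, "body": urlencode(body)}
```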

Revoke refresh token

POST /oauth2/revoke

Revokes an otherwise valid refresh token so it can't be reused. This is used when a refresh token has been leaked, whether accidentally or maliciously.

Body (application/x-www-form-urlencoded)

client_id (string, required)

The client ID of the client application.

Example: 64ae3415-5ccd-49e5-91f0-9101a6793ec2

client_secret (string, required)

The client secret of the client application.

Example: super_secret_client_secret

token (string, required)

The refresh token to be revoked.

Example: some_opaque_refresh_token_string
Example request

curl -L \
  --request POST \
  --url 'https://api.snyk.io/oauth2/revoke' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data 'client_id=64ae3415-5ccd-49e5-91f0-9101a6793ec2&client_secret=super_secret_client_secret&token=some_opaque_refresh_token_string'

Example response

No body
