Support Snyk Learn API reference Product updates Sign up for free

OAuth2 API

Snyk provides an OAuth2 API, primarily for use with Snyk Apps. It complies with RFC 6749.

Most endpoints are served from the Snyk API subdomain (for example, https://api.snyk.io), with the one exception being /oauth2/authorize which is served on the main app subdomain (for example, https://app.snyk.io).

PreviousV1 API NextReference

Last updated 4 months ago

Was this helpful?

Revoke refresh token

Revokes an otherwise valid refresh token so it can't be reused. This is used when a refresh token is accidentally, or maliciously, leaked.

post

/revoke

Body

client_idstringrequired

The client ID of the client application.

Example: 64ae3415-5ccd-49e5-91f0-9101a6793ec2

client_secretstringrequired

The client secret of the client application.

Example: super_secret_client_secret

tokenstringrequired

The refresh token to be revoked.

Example: some_opaque_refresh_token_string

Responses

application/json

cURL

JavaScript

Python

HTTP

curl -L \
  --request POST \
  --url 'https://api.snyk.io/oauth2/revoke' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data '{"client_id":"64ae3415-5ccd-49e5-91f0-9101a6793ec2","client_secret":"super_secret_client_secret","token":"some_opaque_refresh_token_string"}'

200

400

401

403

500

No body

The token has been revoked, or was invalid.

Request an access token

Allows the client application to exchange the authorization code received from the authorization server for an access token.

post

/token

Body

one of

Responses

application/json

cURL

JavaScript

Python

HTTP

curl -L \
  --request POST \
  --url 'https://api.snyk.io/oauth2/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data '{"code":"returned_auth_code","client_id":"64ae3415-5ccd-49e5-91f0-9101a6793ec2","client_secret":"super_secret_client_secret","code_verifier":"your_secure_code_verifier","grant_type":"authorization_code"}'

200

400

401

403

500

{
  "access_token": "some_opaque_access_token_string",
  "expires_in": 3599,
  "refresh_token": "some_opaque_refresh_token_string",
  "refresh_expires_in": 15552000,
  "scope": "org.read org.project.read org.project.snapshot.read",
  "bot_id": "95233fa3-33cf-4dd3-a6ac-e040985e1a4f",
  "token_type": "bearer"
}

Successful token request

Initiate the authorization code flow

To be called by the end user to authorize the client application to their Snyk organizations. Success returns a redirect to the provided redirect_uri, containing an authorization code which can be exchanged for an access token.

get

/oauth2/authorize

Query parameters

response_typestring · enumrequired

The type of authorization flow being used. Only "code" is supported for authorization code flow.

Example: code

Options: code

client_idstringrequired

The client ID of the client application.

Example: 64ae3415-5ccd-49e5-91f0-9101a6793ec2

redirect_uristringrequired

The redirection URI to which the authorization server will redirect the user after granting or denying authorization. Must match one of the URIs set on the client application exactly.

Example: https://example.com/callback

statestring

An opaque value used by the client to maintain state between the authorization request and the authorization callback. Use this value to match client callbacks to the request that spawned them.

Example: random_state_value

code_challengestringrequired

A cryptographically secure code challenge derived from a secret code verifier you generate on the client-side as defined in [RFC7636]. It is generated from a hashing a randomly generated string, the code_verifier used when exchanging tokens, then URL safe base 64 encoding the result.

Example: YWVjMDcwNjQ1ZmU1M2VlM2IzNzYzMDU5Mzc2MTM0ZjA1OGNjMzM3MjQ3Yzk3OGFkZDE3OGI2Y2NkZmIwMDE5Zg

code_challenge_methodstring · enumrequired

The method used to derive the code challenge from the code verifier, only S256 is supported.

Example: S256

Options: S256

Responses

cURL

JavaScript

Python

HTTP

curl -L \
  --url 'https://app.snyk.io/oauth2/authorize?response_type=code&client_id=64ae3415-5ccd-49e5-91f0-9101a6793ec2&redirect_uri=https%3A%2F%2Fexample.com%2Fcallback&code_challenge=YWVjMDcwNjQ1ZmU1M2VlM2IzNzYzMDU5Mzc2MTM0ZjA1OGNjMzM3MjQ3Yzk3OGFkZDE3OGI2Y2NkZmIwMDE5Zg&code_challenge_method=S256'

303

No body

Redirection to authorization server. The Location header is set to the provided redirect_uri so the user's browser should follow this redirect automatically.