Authentication for Web API v2

samb · January 15, 2026, 3:23pm

I’m trying to use the Web API v2, but can’t get the authentication to work - the provided header is being rejected.

I’ve provided an example to demonstrate. It’s using a fresh personal token. The API v1 works fine, but v2 is being rejected.

The documentation here suggests it’s the same format - i.e., "Authorization: Bearer <token>".

What am I missing?

$ TOKEN="<redacted>"
$ ORG_KEY="<redacted>"
$ curl -s -H "Authorization: Bearer $TOKEN" "https://sonarcloud.io/api/components/search?organization=$ORG_KEY&ps=1" | jq
{
  "paging": {
    "pageIndex": 1,
    "pageSize": 1,
    "total": 133
  },
  "components": [
    {
      "organization": "<redacted>",
      "key": "<redacted>",
      "name": "<redacted>",
      "qualifier": "TRK",
      "project": "<redacted>"
    }
  ]
}
$ curl -s -H "Authorization: Bearer $TOKEN" "https://api.sonarcloud.io/organizations?organization=$ORG_KEY" | jq
{
  "message": "Invalid key=value pair (missing equal-sign) in Authorization header (hashed with SHA-256 and encoded with Base64): '<redacted>'."
}

ganncamp · January 20, 2026, 5:23pm

Hi,

Have you tried this via the UI? The best way to master the API is to perform the desired action via the UI and eavesdrop to see which calls the UI made to accomplish the action.

You may also find this guide helpful.

HTH,
Ann

samb · January 20, 2026, 5:57pm

Hi Ann,

Thanks for the pointer. In the UI, in the cases I’ve looked at (e.g. https://api.sonarcloud.io/organizations/organizations), when calls are made to the V2 API, they send a session cookie for authentication, not the Authorization HTTP header.

Either way, given that I’m just following the API documentation to the letter, I’m thinking that either the documentation’s not correct, or there’s something amiss with the API. Could you see if there’s anything else I’ve missed?

Thanks,

Sam

ganncamp · January 20, 2026, 6:50pm

Hi Sam,

Maybe drop that -s so we can see if there’s any more detail to the error?

Ann

samb · January 21, 2026, 8:15am

Hi Ann,

Dropping -s yields the exact same response. I’ve added in -i to show the response headers a little more of the response.

curl -i -H "Authorization: Bearer $TOKEN" "https://api.sonarcloud.io/organizations?organization=$ORG_KEY"
HTTP/2 403
content-type: application/json
content-length: 176
date: Wed, 21 Jan 2026 08:08:00 GMT
x-amzn-trace-id: Root=1-69708960-5d5dfbbc2a232369577f32e6
server: Server
x-amzn-requestid: 6663e578-341f-4bb2-8a42-1fc097c1dbba
x-amzn-errortype: IncompleteSignatureException
x-amz-apigw-id: XhpnNG3TliAFXQg=
x-cache: Error from cloudfront
via: 1.1 e8f9b46f64c4f609a553f92a0c9eae18.cloudfront.net (CloudFront)
x-amz-cf-pop: MAN51-P3
x-amz-cf-id: ur9wwVW5JH6NOI5rDKyKo8grHSZy1rl5VzyrOGHZKvo0OsxsUKcgnQ==
vary: Origin

{"message":"Invalid key=value pair (missing equal-sign) in Authorization header (hashed with SHA-256 and encoded with Base64): '<redacted>='."}

Thanks,
Sam

samb · January 21, 2026, 8:39am

Hi Ann,

Realised the mistake. The endpoint is hosted at httpx://api.sonarcloud.io/organizations/organizations , not httpx://api.sonarcloud.io/organizations.

Thanks for your help,
Sam

Topic		Replies	Views
Issues with Web API v2 SonarQube Cloud sonarqube-cloud	2	166	September 24, 2025
Web API authentication - Documentation bug? SonarQube Server / Community Build web_api	2	47	June 19, 2025
Not able to connect to API SonarQube Server / Community Build web_api	3	443	May 4, 2023
SonarCloud API Authentication SonarQube Cloud	10	2931	September 12, 2020
SonarCloud API - authentication using token SonarQube Cloud	3	10151	February 27, 2021

Authentication for Web API v2

Related topics