SonarCloud api question / Alternative way to set sonar.pullrequest.vsts.token.secured token?

Dear Community

I would like to automatically set a PAT on a project to connect to DevOps from Sonarcloud, is there any way other than passing this PAT in the query string?
To be more technical, is there another way than:
POST https://sonarcloud.io/api/settings/set?key=sonar.pullrequest.vsts.token.secured&component=$key&value=$newPAT

TIA
Cees

Hey there.

Normally you shouldn’t have to do anything related to the token in the build pipeline. Either the global organization-level token is used, or the project-level token is set once. What are you trying to achieve by setting it “automatically?”

1 Like

Each day, we would like to set the PAT token for all projects which SonarCloud needs to check our pull requests. This can only be done by sending it as a query parameter in the POST call. But this is unsafe (logged) and it’s better to put the new PAT in the body. The API documentation doesn’t say whether that is possible.

To be more specific,

The following lines will work in PowerShell

# The PAT is part of the URL here, so anything that records request URLs
# (web-server or proxy logs, PowerShell transcripts, pipeline logs) sees it.
$PATURL = "https://sonarcloud.io/api/settings/set?key=sonar.pullrequest.vsts.token.secured&component=$key&value=$newPAT"
Invoke-RestMethod -Method POST -Headers $Header -Uri $PATURL

But I prefer a method without secret query parameters to avoid logging them.
Is it possible to use form variables?
For example:

# Only the non-secret parameters stay in the URL; the PAT goes in the multipart body.
# -Form needs PowerShell 6.1 or later (it does not exist in Windows PowerShell 5.1).
$PATURL = "https://sonarcloud.io/api/settings/set?key=sonar.pullrequest.vsts.token.secured&component=$key"
$Form = @{
    value = $newPAT
}
Invoke-RestMethod -Method POST -Headers $Header -Form $Form -Uri $PATURL

Hey there.

You do have to use query parameters for this API, so there’s no way around that. Our APIs are more generally moving toward a place where values are passed as form data rather than query parameters, but not this API yet. This was wrong information.

I’m still trying to understand why you want to set the PAT every day. Do your tokens expire daily?

No, our tokens don’t expire daily. I took your advice and moved the setting to organization level and it solved our problem. I wondered if it was possible because this web page (SonarCloud Web API, sonarsource.com) suggested the use of form data parameters but didn’t show how.

… I might be a step behind on something (or confused by a difference between SonarQube and SonarCloud). Glad you were able to set an org-level token, but let me check on this and come back to you.

Hey @Cees

Coming back to this, here’s an example of using form data:

curl --request POST \
  --url https://sonarcloud.io/api/settings/set \
  --header 'Authorization: Bearer ******' \
  --header 'Content-Type: multipart/form-data' \
  --form key=sonar.pullrequest.vsts.token.secured \
  --form component=project_key \
  --form value=SENSITIVE-DATA-HERE

I still think you should use the org-level token, but you can indeed use form data parameters instead of query parameters (this is what SonarCloud is doing itself when submitting these values).

1 Like
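The curl call above, as a reusable PowerShell function. This is an added example, not code from the thread or from SonarSource: it puts every parameter (key, component and value) in the multipart body so the PAT never appears in a URL, reads the secret as a SecureString so it does not end up in command-line history, and uses a SonarCloud user token from `$env:SONAR_TOKEN` for the Authorization header. It assumes PowerShell 7 (`Invoke-RestMethod -Form` and `ConvertFrom-SecureString -AsPlainText` are not available in Windows PowerShell 5.1); the project keys in the example run are placeholders.

```powershell
# Added example (not from the thread or from SonarSource): set a secured SonarCloud
# project setting with every parameter in the multipart body, not the query string.
# Assumptions: PowerShell 7; SonarCloud user token in $env:SONAR_TOKEN; the parameter
# names key/component/value are those of api/settings/set shown in the thread.

function Set-SonarCloudSecuredSetting {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]       $Component,  # SonarCloud project key
        [Parameter(Mandatory)] [string]       $Key,        # e.g. sonar.pullrequest.vsts.token.secured
        [Parameter(Mandatory)] [securestring] $Value,      # the secret, kept as SecureString until the request is built
        [Parameter(Mandatory)] [string]       $SonarToken, # SonarCloud user token for the Authorization header
        [string] $BaseUrl = 'https://sonarcloud.io'
    )

    # The URL carries only the endpoint path: no key, no component, no value.
    $uri = "$BaseUrl/api/settings/set"

    # All parameters travel in the body. The plaintext PAT exists only in this hashtable,
    # for the lifetime of the request.
    $form = @{
        key       = $Key
        component = $Component
        value     = (ConvertFrom-SecureString -SecureString $Value -AsPlainText)
    }
    $headers = @{ Authorization = "Bearer $SonarToken" }

    if ($PSCmdlet.ShouldProcess("$Component ($Key)", 'Set secured setting')) {
        # -Form sends multipart/form-data, the same shape as the curl example in the thread.
        # Invoke-RestMethod throws on HTTP 4xx/5xx, so reaching the next line means
        # SonarCloud accepted the request.
        Invoke-RestMethod -Method Post -Uri $uri -Headers $headers -Form $form | Out-Null
        Write-Verbose "Updated $Key on $Component"
        return $true
    }
    return $false
}

# Example run: rotate the PAT on several projects without the secret touching the
# command line or any URL. Add -WhatIf to the call to list the projects that would be
# updated without sending anything.
$newPat      = Read-Host -Prompt 'New Azure DevOps PAT' -AsSecureString
$projectKeys = @('my-org_service-a', 'my-org_service-b')   # placeholder project keys
foreach ($projectKey in $projectKeys) {
    Set-SonarCloudSecuredSetting -Component $projectKey `
        -Key 'sonar.pullrequest.vsts.token.secured' `
        -Value $newPat `
        -SonarToken $env:SONAR_TOKEN `
        -Verbose
}
```

Two practical notes. First, the Bearer token in the header is as sensitive as the PAT in the body; keeping both out of the URL is the point, since URLs are what proxies, web servers and most pipeline loggers record, while request bodies and headers normally are not. Second, on Windows PowerShell 5.1 there is no `-Form`; passing the same hashtable to `-Body` sends it as `application/x-www-form-urlencoded`, which also keeps the value out of the URL, but whether SonarCloud accepts that encoding for this endpoint is an assumption here, since the thread only confirms query parameters and multipart form data.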

Thanks for your research, Colin.
This is very helpful, I will use it in any future needed sonarcloud post calls.