Tiny feature request: use a different token prefix for tokens generated for badge URLs

First up, what a fantastic category name :heart:

I’m a PM at GitHub responsible for our secret scanning functionality. We scan through code looking for leaked secrets so we can alert users of them.

I’m here to ask whether you’d consider using a different prefix for the tokens SonarQube uses when it generates badge URLs.

Since SonarQube 9.5, SonarQube API tokens have had a prefix to help distinguish they’re different types:

  • User tokens are prefixed with squ_
  • Project analysis tokens are prefixed with sqp_
  • Global analysis tokens are prefixed with sqa_

That’s awesome - it makes it way easier to determine if a token presents a risk to security or not. We’re using it at GitHub to tell users what kind of SonarQube token we’ve detected if/when we find one.

The one snag is badge URLs. They look like this:

https://sq.mydomain.io/sonarqube/api/project_badges/measure?project=my-proj&metric=coverage&token=squ_fabb36113572f2cc0351f120dd27daa4a20c1333

As I understand it, the tokens in those URLs aren’t really user tokens - they’re some other form of token that is created with very limited permissions (just to serve metrics for badges).

So my (tiny) feature request is: introduce a new token prefix (maybe sqb_) to differentiate badge tokens from user tokens. Doing so would make it easier for end users to understand the threat that a leaked token poses.

6 Likes

Hi Grey,

Thanks for the kind feedback :blush:, and for your insight on the topic.

Tokens for project badges are indeed not really user tokens but specific tokens. It makes sense to differentiate these 2 types of tokens with different prefixes.
This is an improvement we’ll plan to address.

Chris

1 Like

Hi @greysteil,

Thanks a lot for this detailed feedback. It would indeed clarify things if there was a dedicated suffix for “badge tokens”.

I have created the ticket [SONAR-17777] - Jira to address the issue.

Cheers,
Aurélien

2 Likes


Hey @greysteil!

SONAR-17777 was implemented in SonarQube v9.9 – new badge tokens that are generated will be prefixed with sqb_.

Thanks for the feedback. :slight_smile:

Colin

1 Like
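As an added example (not code from this thread or from SonarQube), here is a small Python scanner that applies the prefix scheme from the first post together with the sqb_ prefix from Colin’s reply, and treats a token found inside a project_badges URL as badge-scoped even when it carries the squ_ prefix issued by a pre-9.9 server. The 40-hex-character token length is assumed from the example URL, and the sample text is constructed.

```python
import re
from urllib.parse import urlparse, parse_qs

# Prefix -> token kind, as listed in the thread; sqb_ is issued only by SonarQube 9.9+.
TOKEN_KINDS = {"squ_": "user token", "sqp_": "project analysis token",
               "sqa_": "global analysis token", "sqb_": "project badge token"}
# Assumption: the secret part is 40 hex characters, as in the thread's example URL.
TOKEN_RE = re.compile(r"\b(?:squ_|sqp_|sqa_|sqb_)[0-9a-f]{40}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
BADGE_PATH = "/api/project_badges/"

def classify_token(token):
    """Return the token kind for a known prefix, or None for an unknown one."""
    return TOKEN_KINDS.get(token[:4])

def redact(token):
    """Keep the prefix and a short tail so a finding can be reported without re-leaking it."""
    return token[:8] + "..." + token[-4:]

def scan(text):
    """Find SonarQube tokens and record whether each sits in a badge URL.

    Before 9.9 a badge token carried the squ_ prefix, so a squ_ token inside a
    project_badges URL is treated as badge-scoped; the URL context decides, not the prefix.
    """
    findings, seen = [], set()
    for m in URL_RE.finditer(text):
        url = urlparse(m.group(0))
        if BADGE_PATH not in url.path:
            continue
        for tok in parse_qs(url.query).get("token", []):
            if classify_token(tok) and tok not in seen:
                seen.add(tok)
                findings.append({"token": redact(tok), "kind": classify_token(tok),
                                 "context": "badge URL", "scope": "badge metrics only"})
    for m in TOKEN_RE.finditer(text):
        tok = m.group(0)
        if tok not in seen:
            seen.add(tok)
            scope = "badge metrics only" if tok.startswith("sqb_") else "per token kind"
            findings.append({"token": redact(tok), "kind": classify_token(tok),
                             "context": "bare", "scope": scope})
    return findings

# Constructed sample text; the first line is the badge URL quoted in the thread.
SAMPLE = """\
https://sq.mydomain.io/sonarqube/api/project_badges/measure?project=my-proj&metric=coverage&token=squ_fabb36113572f2cc0351f120dd27daa4a20c1333
sonar.login=sqp_0123456789abcdef0123456789abcdef01234567
export SONAR_TOKEN=sqb_89abcdef0123456789abcdef0123456789abcdef
"""
```

Running `scan(SAMPLE)` reports the squ_ token as badge-scoped because of its URL, while the bare sqp_ and sqb_ tokens are classified by prefix alone.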

That’s awesome! Thanks for the update Colin!