Web API URI/Authentication/User token

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    SonarQube = sonarqube-developer-
    Scanner = sonar-scanner-
  • what are you trying to achieve
    I want to collect reports from the C++ scanning results
  • what have you tried so far to achieve this
    I’ve read the web pages provided from the Web API link
  • What is the URI for the web services?
  • How can I obtain the user token for the web authentication?

Here is what I’ve read.

User Token

Each user has the ability to generate tokens that can be used to run analyses or invoke web services without access to the user’s actual credentials.

How to Generate a Token

To generate a token, to go User > My Account > Security . Your existing tokens are listed here, each with a Revoke button.
==> Where can I find this option?

The form at the bottom of the page allows you to generate new tokens. Once you click the Generate button, you will see the token value. Copy it immediately; once you dismiss the notification you will not be able to retrieve it.


Brian Nguyen

Hi @brianvkn ,

you described the path correctly. On the top right there is your user profile picture and when you click on it it will open a drop down menu where you can find the option “My Account”.


hope that helps

Hi Tobias,

That path is used for the user tokens which are for specific projects. And I have no questions about it.

Here is the full story. I was able to set up SonarQube (Developer Edition). It is up and running. I was able to scan several C++ projects. And now I try to see if SonarQube can produce any type of reports from the scanning results. The reports will be used as input to Vulnerator which can convert to some formats that are accepted by the government.

I’ve posted this question on this community channel and Massimo told me to try the web API. I’ve read almost everything that those web pages can provide but could not find any required URL for the web services. And for web service authentication, it would require a user token. Is it correct?

I’ve seen a bunch of .pb files produced in a sub-folder named scanner-report and I wonder how I can view them. Can they be converted to any kind of report?

I really appreciate your assistance due to the time constraint of a trial license I’ve had. It will expire in several days and I have to do all the evaluations before my company can decide to purchase this service.


Brian Nguyen

Okay so just to recap your question is more about how to extract some metrics from sonarqube and how to authenticate against the web api?

the easy part first: yes you will need a user token in order to authenticate against the api. you can find some samples how to use the authentication in our documentation.

how to extract some metrics depends on what metrics you want. you could for example use something like this:

curl -u $SONARCLOUD_TOKEN: https://${SONARQUBE_FQDN}/api/measures/search_history?from=$DATE&component=$COMPONENT_KEY&metrics=ncloc,coverage,new_violations&ps=1000

The $DATE should be in YYYY-MM-DD format and the component key can be extracted from your project.
Documentation about this api endpoint is baked into your sonarqube installation: sq-url/web_api/api/measures?query=measures%2Fsearch_history

if you want to have a more human friendly output there is also the possibility to generate a pdf export for portfolio views in the enterprise edition ($$).

hope that clarifies your questions

Hi Tobias,

Please forgive my silly question.
How do I obtain these following required parameters?


Following the link of documentation, I still could not find how to obtain a user token for web service authentication.

And how about the question with the .pb files in scanner-report?



Hi Tobias,

For experiment purposes, I’ve executed the following statement. Note that I’ve used one of my tokens that are generated by SonarQube for my C++ projects.

curl -u fa9676be1d0f6a66c647c5278dfb0bdbf2be8f9f: https://sonarqube.org/api/user_tokens/search

and got this returned. What does it mean?

302 Found


The document has moved here.

Hi @brianvkn ,

$SONARCLOUD_TOKEN should be your generated token
SONARQUBE_FQDN is the fully qualified domain name of your sonarqube instance (e.g. sonarqube.your-company.com/sonar)
$COMPONENT_KEY is the component key of the project you want to extract the metrics from. you can extract this via the “project information” tab in your sonarqube projects web ui.

i highly doubt that you can get anything from the .pb files tbh.

as for your curl command: you need to target your instance. a curl against our page will not give you much

Hi Tobias,

I’ve tried this command
curl -u d5f545bf8bd6988d33e75c34e1ccee4ba7a49b0d: http://localhost:9000/api/measures/search_history?from=2020-08-17&component=cpp-restfullibrary&metrics=ncloc,coverage,new_violations&ps=1000

and got this error message returned
{“errors”:[{“msg”:“The ‘component’ parameter is missing”}]}‘component’ is not recognized as an internal or external command,
operable program or batch file.
‘metrics’ is not recognized as an internal or external command,
operable program or batch file.
‘ps’ is not recognized as an internal or external command,
operable program or batch file.

Please help advise.



Hi Tobias,

I got the following error.

C:\WINDOWS\system32>curl http://localhost:9000/api/alm_integrations/list_bitbucketserver_projects
{“errors”:[{“msg”:“Authentication is required”}]}

Please help advise.


Brian Nguyen

depending on your environment you have to quote the curl string as the & can be treated as a unix command for a background task

try it like this:

curl -u d5f545bf8bd6988d33e75c34e1ccee4ba7a49b0d: "http://localhost:9000/api/measures/search_history?from=2020-08-17&component=cpp-restfullibrary&metrics=ncloc,coverage,new_violations&ps=1000"