API & Custom Integrations

Generating API tokens and utilizing endpoints for custom integrations.

To use CI/CD Scanning or integrate with many of FOSSA's services, you must provision API tokens.

API Tokens

FOSSA allows users to create API tokens in order to access the API.

To create a token, visit your Account Settings:

To use the API token for fossa-cli or many of our client integrations, you must set the FOSSA_API_KEY environment variable or pass it directly to the tool/integration.

To authenticate and query our API directly, add the Authorization header to the request:

curl -H "Authorization: token <token>" "https://app.fossa.io/<API endpoint>"

The FOSSA API uses Basic Authentication as its auth mechanism.

API Reference for Custom Integrations

FOSSA provides an API to access one of the largest databases in the world about open source projects and metadata. Currently, our registry hosts data on over 23 million components, totaling more than 0.5 TB of data.

In addition, each project analyzed by FOSSA exposes REST API endpoints that you can use to automate different parts of your workflow, including:

  1. CI tasks
  2. Dependency management scripts
  3. Custom document/report generation

Or any custom feature that operates on your code/dependencies. In fact, FOSSA itself is built on our own API.

API documentation and access are currently only available to Enterprise customers. Please contact [email protected] if you'd like to learn more.

Push Only API Token

Creating a push-only API token restricts the user's access to uploading builds only. The API token will be restricted from reading anything about the project or editing existing information.

This token was created with open source project maintainers in mind. The FOSSA API key is required to be set as an environment variable or included in the configuration file whenever integrating FOSSA with a CI system, such as TravisCI. This has the unfortunate side effect of exposing the API key to anyone who makes a pull request. Restricting a user's access with a push only API token is the best way to combat any malicious actors. The steps to create one are as follows:

  1. Navigate to your API Tokens Page.
  2. Click the "Edit" button next to the API Token you wish to change to bring up the view below.
  3. Check the box next to "Push Only" and scroll down to click "Confirm".

Try it out! Try running FOSSA_API_KEY=<push_only_token> fossa report licenses to see what happens when you attempt to access restricted information.
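The same check can run as a pre-flight step in CI so that a full-access key is never handed to builds of untrusted pull requests. The script below is an added example, not FOSSA's own code; FOSSA_BIN and the return codes are names chosen for the example, and it assumes fossa-cli exits non-zero when the report is refused.

```shell
#!/bin/sh
# Added example, not FOSSA's code. Pre-flight guard for CI jobs that build
# untrusted pull requests: continue only if FOSSA_API_KEY behaves as push-only.
# Assumption: `fossa report licenses` exits non-zero when access is refused.
# FOSSA_BIN is a hypothetical override so the CLI can be swapped or stubbed.

FOSSA_BIN="${FOSSA_BIN:-fossa}"

# check_push_only returns:
#   0  the read was refused (what a push-only token should do)
#   1  the token could read the license report (full-access token)
#   2  the check could not run (token unset or CLI missing)
# Caveat: the page does not document the refusal message, so any other
# non-zero exit (for example a network outage) also yields 0. Run the check
# where connectivity to FOSSA is known to be good.
check_push_only() {
    if [ -z "${FOSSA_API_KEY:-}" ]; then
        echo "FOSSA_API_KEY is not set" >&2
        return 2
    fi
    if ! command -v "$FOSSA_BIN" >/dev/null 2>&1; then
        echo "$FOSSA_BIN not found" >&2
        return 2
    fi
    # Discard the output: if the read succeeds, the report is project data
    # that should not end up in a publicly visible build log.
    if "$FOSSA_BIN" report licenses >/dev/null 2>&1; then
        echo "FOSSA_API_KEY can read project data; it is not push-only" >&2
        return 1
    fi
    return 0
}

# Typical use in a CI step (stops the job on return codes 1 and 2):
#   check_push_only || exit 1
```
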

Updated 8 days ago
