Authentication

Authenticate to the FOSSA API using an API token in the Authorization header.

1 min readUpdated Jul 9, 2026

Overview

Every FOSSA API call requires an API token (also called an API key). You can create and manage tokens in the FOSSA dashboard under Account Settings → Integrations → API, or see API Tokens for details.

Warning

API tokens carry the same privileges as the account that created them. Never commit a token to source control, embed it in client-side code, or share it in a publicly accessible location.

Authenticating a request

Provide your token in the Authorization header, prefixed with Bearer:

Authorization: Bearer YOUR_API_KEY

For example:

Shell
curl --request GET \  --url 'https://app.fossa.com/api/organizations' \  --header 'Authorization: Bearer YOUR_API_KEY'

Note

All API requests must be made over HTTPS. Requests over plain HTTP are rejected.

Token types

Token typeDescription
Push-OnlyA limited-access token used by the CLI and CI integrations to push analysis results. It cannot be used for most read APIs.
FullA user-level token with the same access as the account it belongs to. Required for most API endpoints and management tasks.

For guidance on creating dedicated service accounts and rotating tokens safely, see Rotating access tokens.

© 2026 FOSSA, Inc.support@fossa.com