Authentication
Authenticate to the FOSSA API using an API token in the Authorization header.
1 min readUpdated Jul 9, 2026
Overview
Every FOSSA API call requires an API token (also called an API key). You can create and manage tokens in the FOSSA dashboard under Account Settings → Integrations → API, or see API Tokens for details.
Warning
API tokens carry the same privileges as the account that created them. Never commit a token to source control, embed it in client-side code, or share it in a publicly accessible location.
Authenticating a request
Provide your token in the Authorization header, prefixed with Bearer:
Authorization: Bearer YOUR_API_KEYFor example:
Shell
curl --request GET \ --url 'https://app.fossa.com/api/organizations' \ --header 'Authorization: Bearer YOUR_API_KEY'Note
All API requests must be made over HTTPS. Requests over plain HTTP are rejected.
Token types
| Token type | Description |
|---|---|
| Push-Only | A limited-access token used by the CLI and CI integrations to push analysis results. It cannot be used for most read APIs. |
| Full | A user-level token with the same access as the account it belongs to. Required for most API endpoints and management tasks. |
For guidance on creating dedicated service accounts and rotating tokens safely, see Rotating access tokens.