Table of Contents

API Calls Using Third Party Applications: Personal Access Tokens

Read Time: 2 mins

When creating an integration that will access Sonar through the API, the first step is to create a personal access token in your Sonar instance for that integration to use. The following article details the steps in creating a personal access token.

  1. Create an appropriate role and a user that you will use to perform the queries or mutations.
Typically, it is best to create an individual role that offers the bare minimum permissions required to make the integration work properly. This way, if the user or token is ever compromised, the exposure is as limited as possible.
  1. Log in as that user.
  2. Click the Avatar on the top-right (first letter of your username by default).
  1. Select the Personal Access Tokens tab to navigate to the management page, then click on Create Personal Access Token.
  1. Name your access token. It is best practice to name this as a device, vendor, or server that will be integrating with Sonar.
Your token will only be available after this form is submitted, and afterward will be hidden for security purposes. Please make sure to copy it somewhere safe.

Once you have copied the token, you will then need to click "Confirm" - after these steps have been completed, the token will appear in the Personal Access Tokens section as shown below.

GraphQL from CLI

Below is an example of running GraphQL query from the command line via curl. It is the most basic possible example of querying GraphQL outside of using

It should be run from bash or *nix because of the singe quotes. If you’re a Windows user, be sure to set up WSL for running Ubuntu in a container.

Replace <token> with an actual token that you got from following the instructions above
curl -X POST \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <token>' \
--data-raw '{"query": "{ me { name username } }"}' \

Using Postman

You can also connect to your Sonar instance using the Personal Access Token by using an application such as Postman. In this case, you would provide the Personal Access Token as Authorization Type / Bearer Token

How did we do?

A Deeper Dive into the New Sonar API

Browser Compatibility and Minimum Hardware Requirements for Sonar