
API Calls Using Third Party Applications - Personal Access Tokens

Updated by Alex Moore

When creating an integration that will access Sonar through the API, the first step is to create a personal access token in your Sonar instance for that integration to use. The following article details the steps in creating a personal access token.

  1. Create an appropriate role and a user that you will use to perform the queries or mutations.
     Generally speaking, it is best to create an individual role that offers the bare minimum permissions required to make the integration work properly. This way, if the user or token is ever compromised, the exposure is as limited as possible.
  2. Log in as that user.
  3. Click the Avatar on the top-right (first letter of your username by default) and select the name from the drop-down.
  4. Click the down-arrow next to Update Info and select Create Personal Access Token.
  5. Name your access token. Generally speaking, it is best practice to name it after the device, vendor, or server that will be integrating with Sonar.
     Your token will only be available after this form is submitted, and afterward will be hidden for security purposes. Please make sure to copy it somewhere safe.

GraphQL from CLI

Below is an example of running a GraphQL query from the command line via curl. It is the most basic possible example of querying GraphQL outside of using

It should be run from bash or *nix because of the single quotes. If you’re a Windows user, be sure to set up WSL for running Ubuntu in a container.

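Replace <token> with the actual token that you got from following the instructions above, and <graphql-endpoint-url> (a placeholder; the URL is not shown in this article) with the GraphQL endpoint URL of your Sonar instance.
curl -X POST \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <token>' \
--data-raw '{"query": "query {users(id: 1) {entities { id name public_name username } } }"}' \
'<graphql-endpoint-url>'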
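
An added example, not part of the original article or Sonar's own tooling: the same request made with the token read from an owner-only file and handed to curl on stdin, so it does not appear in shell history or the process list. The variable names SONAR_API_URL and SONAR_TOKEN_FILE and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example. Assumed names (not from the article): SONAR_API_URL,
# SONAR_TOKEN_FILE, token_file_ok, curl_config, sonar_query.

# Accept the token file only if it exists and is readable by its owner alone.
token_file_ok() {
    local f=$1 mode
    [ -f "$f" ] || { echo "token file not found: $f" >&2; return 1; }
    # GNU stat first, BSD/macOS stat as fallback.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f") || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) echo "refusing $f: mode $mode, expected 600 or 400" >&2; return 1 ;;
    esac
}

# Print a curl config for `curl --config -`. The Authorization header travels
# over stdin, so the token is never a command-line argument.
curl_config() {
    local url=$1 token_file=$2 token
    token_file_ok "$token_file" || return 1
    token=$(tr -d '\r\n' < "$token_file")
    [ -n "$token" ] || { echo "token file is empty" >&2; return 1; }
    # Quotes and backslashes would change how curl parses the config line.
    case "$token" in
        *'"'*|*'\'*) echo "token contains a quote or backslash" >&2; return 1 ;;
    esac
    printf 'url = "%s"\n' "$url"
    printf 'header = "Content-Type: application/json"\n'
    printf 'header = "Authorization: Bearer %s"\n' "$token"
}

# Send one GraphQL request; --data-raw makes curl use POST.
sonar_query() {
    curl_config "$SONAR_API_URL" "$SONAR_TOKEN_FILE" |
        curl --silent --show-error --fail --config - --data-raw "$1"
}

# Usage, with your own endpoint URL and token file path:
#   SONAR_API_URL='<graphql-endpoint-url>' SONAR_TOKEN_FILE="$HOME/.sonar_token"
#   sonar_query '{"query": "query {users(id: 1) {entities { id name } } }"}'
```

Store the token with `chmod 600` on the file; `sonar_query` refuses to run if the file is readable by group or others.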

Using Postman

You can also connect to your Sonar instance with the Personal Access Token from an application such as Postman. In this case, you would provide the Personal Access Token as Authorization Type / Bearer Token.
