
API tokens

Codacy provides account and repository-level API tokens that allow you to:

The sections below provide details about the two types of API tokens and instructions on how to generate and revoke them.

caution

Never write API tokens to your configuration files and keep your API tokens well protected, as they grant owner permissions to your projects on Codacy.

It's a best practice to store API tokens as environment variables. Check the documentation of your CI/CD platform on how to do this.
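A pre-commit or CI check for the caution above, added here as an example (not Codacy's own code): it flags configuration lines that assign a literal value to a token variable instead of referencing the environment or a secret store. The variable names CODACY_API_TOKEN and CODACY_PROJECT_TOKEN, the function name, and the sample file are assumptions, not taken from this page.

```python
import re
import sys

# Assumed variable names (not named on this page); use the names your pipeline uses.
TOKEN_KEYS = ("CODACY_API_TOKEN", "CODACY_PROJECT_TOKEN")

# A token key, then ':' or '=', then the value up to whitespace or a comment.
ASSIGNMENT = re.compile(
    r"""(?P<key>%s)["']?\s*[:=]\s*(?P<value>[^\s#]*)""" % "|".join(TOKEN_KEYS)
)
# Values that defer to the environment or a secret store instead of embedding a token:
# ${{ secrets.X }}, $(command), $VAR, ${VAR}, %VAR%.
REFERENCE = re.compile(r"^(\$\{\{|\$\(|\$\{?[A-Za-z_]\w*\}?$|%\w+%$)")


def find_hardcoded_tokens(text, filename="<config>"):
    """Return (filename, line number, key) for each literal token assignment.

    The token value itself is never returned, so findings are safe to log.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # whole-line comment
        match = ASSIGNMENT.search(line)
        if not match:
            continue
        value = match.group("value").strip("\"',")
        if value and not REFERENCE.match(value):
            findings.append((filename, lineno, match.group("key")))
    return findings


# Constructed sample CI file; the token strings are placeholders, not real tokens.
SAMPLE = """\
# constructed sample, not a real pipeline
env:
  CODACY_API_TOKEN: ${{ secrets.CODACY_API_TOKEN }}
  CODACY_PROJECT_TOKEN: "EXAMPLE-not-a-real-token"
script:
  - export CODACY_API_TOKEN=EXAMPLE-not-a-real-token
  - export CODACY_PROJECT_TOKEN="$VAULT_PROJECT_TOKEN"
"""

if __name__ == "__main__":
    hits = find_hardcoded_tokens(SAMPLE, "ci.yml")
    for name, lineno, key in hits:
        print(f"{name}:{lineno}: literal value assigned to {key}")
    sys.exit(1 if hits else 0)
```

The check reports only the file, line, and variable name, so its output can go to CI logs without exposing the token.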

Generating and revoking account API tokens

Account API tokens are defined at the Codacy user account level. Each account API token authorizes access to the same organizations, repositories, and operations as the roles and permissions of the owner of the account.

caution

If you're using an account API token to upload coverage, be sure to check the roles that your Git provider account must have to authorize uploading coverage to Codacy.

Use a dedicated service account to integrate Codacy with your repositories. This prevents disruption of service if the user who created an account API token loses access to the repositories, which may happen when a user leaves the team or the organization.

You can create new account API tokens programmatically using the Codacy API or using the Codacy UI:

  1. Open your account, tab Access management.

  2. Click the button Create API token under Account API tokens.

  3. Select an expiration date from the modal options. You can select from a range of 7 days to 90 days, set a custom expiration date, or create a token with no expiration.


tip

You can create multiple account API tokens. This gives you more flexible control, because you can revoke only a specific token.

Once you have created tokens, you can view them in the tokens table. Hover over a token to copy its value.


To delete an account API token, click the trash icon in the Actions column of the table. After this, all applications or services using that token to access the Codacy API will fail to authenticate and will receive the reply {"error":"not found"}.

Generating and revoking repository API tokens

Repository API tokens are defined on individual repositories. Each repository API token only authorizes access to the corresponding repository.

You can create new repository API tokens programmatically using the Codacy API or using the Codacy UI:

  1. Open your repository Settings, tab Integrations.

  2. Click the button Create API token under Repository API tokens.

    tip

    You can create multiple (up to 100) API tokens per repository. This gives you more flexible control, because you can revoke only a specific token.


To revoke a repository API token, click the X next to the token. After this, all applications or services using that token to access the Codacy API will fail to authenticate and will receive the reply {"error":"not found"}.
