REST APIs
This section covers the REST APIs available for Sonatype Lifecycle. Sonatype APIs are designed for system-to-system integration, and the examples use the HTTP client cURL. To follow along, issue the requests from a command line or adapt the examples to your preferred API tool. Most examples target a localhost server with the default server credentials; adjust the server URL and credentials for your environment.
Component Identifiers
Many APIs take component identifiers as input when searching for components, and use the same identifiers when reporting components found in applications.
See Sonatype Component Identifiers for a comprehensive list of format coordinate examples.
REST API Versioning
Most Sonatype REST APIs belong either to a versioned API path (for example /api/v2/) or to the separate Experimental APIs branch. Some APIs are solution-specific and are only available with the corresponding licensed solution.
For self-hosted environments, we recommend keeping your software up to date to ensure compatibility with this documentation.
Security Threats with REST APIs
API responses carry data that originated with users (application names, component coordinates, policy names, and so on). Treat them as untrusted input: encode values for the context they are placed in before rendering them (to prevent Cross-Site Scripting, XSS) and pass them as parameters rather than concatenating them into queries or commands (to prevent injection).
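As an added example (not Sonatype's code), the following Python consumes a constructed /api/v2/applications-style response whose field values carry hostile markup and SQL. It shows the vulnerable rendering beside the hardened one, and stores the data with parameterized SQL. The response shape and the "app-1"/"app-2" identifiers are assumptions made for the example.

```python
"""Added example, not Sonatype's own code: treat Lifecycle API responses as
untrusted input before rendering or storing them. SAMPLE_RESPONSE is a
constructed body in the shape of /api/v2/applications (an assumption)."""
import html
import json
import sqlite3

SAMPLE_RESPONSE = json.dumps({
    "applications": [
        {"id": "app-1", "publicId": "MyApp",
         "name": "MyApp <script>alert(document.cookie)</script>"},
        {"id": "app-2", "publicId": "Other",
         "name": "x'); DROP TABLE apps; --"},
    ]
})


def parse_applications(raw):
    """Parse the body and keep only the fields we need, coerced to strings.
    Rejecting an unexpected shape early is part of treating the data as input."""
    doc = json.loads(raw)
    apps = doc.get("applications")
    if not isinstance(apps, list):
        raise ValueError("unexpected response shape")
    return [{k: str(a.get(k, "")) for k in ("id", "publicId", "name")} for a in apps]


def render_rows_unsafe(apps):
    # Vulnerable: API data is interpolated straight into HTML, so a name
    # containing markup becomes script in the page that displays it.
    return "".join(
        "<tr><td>{}</td><td>{}</td></tr>".format(a["publicId"], a["name"]) for a in apps)


def render_rows(apps):
    # Hardened: every value is HTML-escaped for the element-body context it lands in.
    return "".join(
        "<tr><td>{}</td><td>{}</td></tr>".format(html.escape(a["publicId"]),
                                                 html.escape(a["name"]))
        for a in apps)


def store_applications(conn, apps):
    # Hardened: parameterized statements; values never become part of the SQL text.
    conn.execute(
        "CREATE TABLE IF NOT EXISTS apps (id TEXT PRIMARY KEY, public_id TEXT, name TEXT)")
    conn.executemany(
        "INSERT OR REPLACE INTO apps (id, public_id, name) VALUES (?, ?, ?)",
        [(a["id"], a["publicId"], a["name"]) for a in apps])
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM apps").fetchone()[0]


def demo():
    """Run both renderers and the parameterized store over the constructed response."""
    apps = parse_applications(SAMPLE_RESPONSE)
    conn = sqlite3.connect(":memory:")
    count = store_applications(conn, apps)
    stored = conn.execute("SELECT name FROM apps WHERE id = ?", ("app-2",)).fetchone()[0]
    return render_rows_unsafe(apps), render_rows(apps), count, stored


if __name__ == "__main__":
    unsafe, safe, count, stored = demo()
    print("unsafe:", unsafe)
    print("safe:  ", safe)
    print("stored", count, "rows; hostile name kept literally:", stored)
```

The same rule applies to any other sink: a name placed in an HTML attribute needs attribute-context escaping, one placed in a shell command must be passed as an argument list rather than a command string, and one written to a log should be sanitized of control characters.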
Sonatype APIs for Cloud Environments
The following are considerations when making API calls to a Sonatype Cloud tenant.
Tenant Paths
Include the /platform path prefix when making API calls to a Sonatype Cloud tenant.
curl -u {user}:{token} https://{tenant}.sonatype.app/platform/api/v2/applications
Rate Limits
The REST API usage in Sonatype Cloud is subject to rate limiting.
API request rate limit: 1,500 requests per IP address per 5-minute period
When the rate limit is exceeded, the service returns an HTTP 429 status code with the following message.
Rate limit exceeded. Please wait 5 minutes. If this is a recurring issue, reach out to your administrator or contact your Sonatype support representative.
Accessing REST APIs via Reverse Proxy Authentication
API requests that change data are subject to cross-site request forgery (CSRF) protection. When authentication is handled by a reverse proxy server, these requests need to include a matching header and cookie token. The specific value of the token is irrelevant; it only needs to be the same in both.
required header: X-CSRF-TOKEN
required cookie: CLM-CSRF-TOKEN
curl --header "X-CSRF-TOKEN: api" --cookie "CLM-CSRF-TOKEN=api" ...
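The following Python helper is an added example, not Sonatype's own client code. It covers the three client-side points from the Cloud and reverse-proxy sections above: building the /platform-prefixed tenant URL, sending the matching X-CSRF-TOKEN header and CLM-CSRF-TOKEN cookie, and waiting out an HTTP 429 rate-limit response before retrying. The tenant name "acme", the user and credential values, the localhost port, and the three-attempt retry policy are assumptions; the 5-minute wait follows the message quoted above.

```python
"""Added example, not Sonatype's own code: a standard-library helper for
calling the Lifecycle REST API. Shows the /platform prefix for Cloud
tenants, the CSRF header/cookie pair behind a reverse proxy, and retrying
after an HTTP 429. Tenant, user, credential and port values are assumptions."""
import base64
import json
import time
import urllib.error
import urllib.request

CSRF_TOKEN = "api"  # any value works; the header and the cookie just have to match


def base_url(tenant=None, server="http://localhost:8070"):
    """Sonatype Cloud tenants need the /platform prefix; self-hosted servers do not.
    The self-hosted default URL is an assumption for this example."""
    if tenant:
        return "https://{}.sonatype.app/platform".format(tenant)
    return server.rstrip("/")


def build_request(url, user, credential, method="GET", body=None, reverse_proxy=False):
    """Build a request with basic auth and, when a reverse proxy handles
    authentication, the CSRF pair. Only data-changing calls need the pair, but it
    is harmless on GET, so it is added whenever reverse_proxy is set."""
    creds = base64.b64encode("{}:{}".format(user, credential).encode()).decode()
    headers = {"Accept": "application/json", "Authorization": "Basic " + creds}
    data = None
    if body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    if reverse_proxy:
        headers["X-CSRF-TOKEN"] = CSRF_TOKEN
        headers["Cookie"] = "CLM-CSRF-TOKEN=" + CSRF_TOKEN
    return urllib.request.Request(url, data=data, headers=headers, method=method)


def send_with_rate_limit_retry(req, opener=urllib.request.urlopen,
                               max_attempts=3, wait_seconds=300, sleep=time.sleep):
    """Send the request; on HTTP 429 wait (the service asks for 5 minutes) and retry.
    Any other error, or a 429 on the last attempt, is raised to the caller.
    opener and sleep are parameters so the logic can be exercised offline."""
    for attempt in range(1, max_attempts + 1):
        try:
            resp = opener(req)
            return resp.status, resp.read()
        except urllib.error.HTTPError as err:
            if err.code != 429 or attempt == max_attempts:
                raise
            sleep(wait_seconds)


def demo_rate_limit_retry():
    """Offline walk-through with a constructed opener that answers 429 twice, then 200."""
    req = build_request(base_url("acme") + "/api/v2/applications", "user", "token")
    calls, waits = [], []

    class FakeResponse:
        status = 200

        def read(self):
            return b'{"applications": []}'

    def fake_opener(r):
        calls.append(r.full_url)
        if len(calls) <= 2:
            raise urllib.error.HTTPError(r.full_url, 429, "Too Many Requests", None, None)
        return FakeResponse()

    status, body = send_with_rate_limit_retry(req, opener=fake_opener, sleep=waits.append)
    return status, json.loads(body.decode()), len(calls), waits


if __name__ == "__main__":
    print(demo_rate_limit_retry())
    live = build_request(base_url("acme") + "/api/v2/applications", "user", "token",
                         method="POST", body={"name": "x"}, reverse_proxy=True)
    print(live.full_url, live.header_items())
```

Waiting the full 5 minutes on every 429 is deliberate: the limit is per IP address per 5-minute window, so a tight retry loop only burns more of the same window. For bulk jobs, spreading calls out in advance is cheaper than retrying.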