Skip to main content


Sonatype APIs are designed for system-to-system functionality with examples using the HTTP client cURL. Following along, you may initiate the requests via a command line tool or modify the examples for other API tools. Most examples use the localhost environment with the default server credentials. You need to adjust the referencing service and credentials for your environment.

Component Identifiers

Many API reference component identifiers for searching and describing reporting components found in applications.

See Sonatype Component Identifiers for a comprehensive list of format coordinate examples.

REST API Versioning

Most Sonatype REST APIs are delineated between the API version and the Experimental APIs branch. Some APIs are solution-specific and are only available depending on your licensed solution.

For self-hosted environments, we recommend keeping your software up to date to ensure compatibility with this documentation.

Security Threats with REST APIs

Take appropriate measures to prevent security issues such as Injection and Cross-Site Scripting (XSS) when using the responses of the APIs.

Sonatype APIs for Cloud Environments

The following are considerations when making API calls to a Sonaytpe Cloud tenant.

Tenant Paths

Include the /platform path when making API calls to a Sonatype Cloud tenet.

curl -u {user}:{token} https://{tenant}
Rate Limits

The REST API usage in Sonatype Cloud is subject to rate limiting.

  • API requests rate limits: 1,500 requests / IP address / 5-minute period

When rate limits are exceeded, the service returns a 429 error code with the following message.

  • Rate limit exceeded. Please wait 5 minutes. If this is a recurring issue, reach out to your administrator or contact your Sonatype support representative.

Accessing REST APIs via Reverse Proxy Authentication

API requests that change data are subject to cross-site request forgery (CSRF) protection. When authentication is handled by a reverse proxy server, these requests need to include matching headers and cookie tokens. The specific value of the token is irrelevant, only that it needs to be the same for both.

  • required header: X-CSRF-TOKEN

  • required cookie: CLM-CSRF-TOKEN

curl --header "X-CSRF-TOKEN: api" --cookie "CLM-CSRF-TOKEN=api" ...