RESTful Application Programming Interface

Sonatype OSS Index provides a REST API which tool and application integrations can use to request component vulnerability reports.


The full REST API specification is available through the Swagger interface.


The URI scheme is versioned. The current version is v3.

Content types are also versioned. The standard content type application/json can be used and is treated as the latest version.


To make authenticated requests, use HTTP Basic authentication.

The email address is used as the HTTP Basic authentication user name.

An API token can be used in place of the password.

Rate Limiting

Rate and request metric limits apply to requests. If a limit is exceeded, the response returns the 429 Too Many Requests status. A number of request metrics may trigger the 429 status.

Authenticated requests have a higher limit. Register for an account and authenticate requests to get a higher limit.

Use POST when requesting vulnerability reports for multiple components. There is a limit of 128 components per HTTP request.
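
Example client for the rules above, added here and not taken from Sonatype's own code: it authenticates with the email address and API token, splits coordinates into POST batches of at most 128, and backs off when a response is 429. The endpoint URL, the {"coordinates": [...]} request body, the JSON-array response and the backoff schedule are assumptions to confirm against the Swagger specification.

```python
import base64
import json
import time
import urllib.error
import urllib.request

# Assumptions (not stated on this page): endpoint path and the {"coordinates": [...]} body.
REPORT_URL = "https://ossindex.sonatype.org/api/v3/component-report"
MAX_COMPONENTS = 128  # documented limit of components per HTTP request

def basic_auth_header(email, api_token):
    """HTTP Basic: email address as user name, API token in place of the password."""
    raw = f"{email}:{api_token}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def build_requests(coordinates, email=None, api_token=None):
    """Return (url, headers, body) tuples, each carrying at most 128 components."""
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    if email and api_token:
        headers["Authorization"] = basic_auth_header(email, api_token)
    unique = list(dict.fromkeys(coordinates))  # drop duplicates, keep order
    return [(REPORT_URL, headers, json.dumps({"coordinates": unique[i:i + MAX_COMPONENTS]}))
            for i in range(0, len(unique), MAX_COMPONENTS)]

def http_post(url, headers, body):
    """Default transport: returns (status code, response body text)."""
    req = urllib.request.Request(url, data=body.encode("utf-8"), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8")

def fetch_reports(coordinates, email=None, api_token=None, post=http_post,
                  sleep=time.sleep, max_retries=4):
    """Send every batch; on 429 wait 1s, 2s, 4s, ... and retry the same batch."""
    reports = []
    for url, headers, body in build_requests(coordinates, email, api_token):
        for attempt in range(max_retries + 1):
            status, text = post(url, headers, body)
            if status != 429:
                break
            sleep(2 ** attempt)
        if status != 200:
            raise RuntimeError(f"component-report request failed with HTTP {status}")
        reports.extend(json.loads(text))
    return reports
```

The post and sleep parameters let the batching and retry logic be exercised without network access; pass the API token from a secret store or environment variable rather than hard-coding it.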