OSS Index data is being upgraded. There are some breaking changes.


RESTful Application Programming Interface

Sonatype OSS Index provides a REST API which tool and application integrations can use to request component vulnerability reports.


The full REST API specification is available through a Swagger interface.


The URI scheme is versioned. The current version is v3.

Content types are also versioned. The standard content type application/json can be used and is treated as the latest version.


To make authenticated requests, use HTTP Basic authentication.

The email address is used as the HTTP Basic authentication user name.

An API token can be used in place of the password.

Rate Limiting

Rate limits apply to requests. If the rate is exceeded, responses will carry a 429 Too Many Requests status.

Authenticated requests have a higher limit. Register for an account and authenticate requests to get a higher limit.

Use POST when requesting vulnerability reports for multiple components. There is a limit of 128 components per HTTP request.
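
The following is an added example, not Sonatype's code, that applies the rules above together: POST batches of at most 128 components, HTTP Basic authentication with the email address and API token, and backoff on 429. The endpoint path, the request body shape, the response shape and the backoff schedule are assumptions not stated on this page; check them against the Swagger specification.

```python
import base64
import json
import time
import urllib.error
import urllib.request

# Assumption: endpoint path and JSON body shape are not stated on this page;
# confirm both against the Swagger specification before use.
REPORT_URL = "https://ossindex.sonatype.org/api/v3/component-report"
MAX_COMPONENTS = 128  # per-request component limit stated above


def build_requests(coordinates, email=None, token=None):
    """Split coordinates into POST requests of at most 128 components each."""
    headers = {"Content-Type": "application/json"}
    if email and token:
        # HTTP Basic: email address as user name, API token as password.
        cred = base64.b64encode(f"{email}:{token}".encode()).decode()
        headers["Authorization"] = "Basic " + cred
    requests = []
    for start in range(0, len(coordinates), MAX_COMPONENTS):
        batch = coordinates[start:start + MAX_COMPONENTS]
        body = json.dumps({"coordinates": batch}).encode()
        requests.append(
            urllib.request.Request(REPORT_URL, body, headers, method="POST"))
    return requests


def fetch_reports(requests, send=urllib.request.urlopen, retries=3,
                  sleep=time.sleep):
    """Send each batch; back off and retry on 429, re-raise anything else."""
    reports = []
    for req in requests:
        for attempt in range(retries + 1):
            try:
                with send(req) as resp:
                    # Assumed response: a JSON array, one report per component.
                    reports.extend(json.load(resp))
                break
            except urllib.error.HTTPError as err:
                if err.code != 429 or attempt == retries:
                    raise
                sleep(2 ** attempt)  # 1s, 2s, 4s: exponential backoff
    return reports
```

Load the API token from the environment or a secret store at run time instead of placing it in source or build scripts.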