| ms.topic | how-to |
|---|---|
| title | Authorize access to REST APIs with OAuth 2.0 |
| description | Use OAuth 2.0 authentication to get started with the REST APIs for Azure DevOps Services. |
| ms.assetid | 19285121-1805-4421-B7C4-63784C9A7CFA |
| ms.subservice | azure-devops-security |
| monikerRange | azure-devops |
| ms.author | chcomley |
| author | chcomley |
| ms.date | 10/21/2024 |
[!INCLUDE version-eq-azure-devops]
Learn how to authenticate your web app users for REST API access, so your app doesn't continue to ask for usernames and passwords.
Note
The following guidance is intended for Azure DevOps Services users since OAuth 2.0 isn't supported on Azure DevOps Server. Client Libraries are a series of packages built specifically for extending Azure DevOps Server functionality. For on-premises users, we recommend using Client Libraries, Windows Auth, or personal access tokens (PATs) to authenticate on behalf of a user.
Azure DevOps Services uses the OAuth 2.0 protocol to authorize your app for a user and generate an access token. Use this token when you call the REST APIs from your application. When you call Azure DevOps Services APIs for that user, use that user's access token. Access tokens expire, so refresh the access token when it expires.
:::image type="content" source="media/oauth-overview.png" alt-text="Process to get authorization.":::
Important
When creating a new OAuth 2.0 app, use Microsoft Entra ID OAuth. Azure DevOps OAuth 2.0 is slated for deprecation in 2026. Starting March 2025, we will stop accepting new Azure DevOps OAuth apps. Learn more in our blog post.
Building on a new platform can be overwhelming. In this guide to building a Microsoft Entra app for Azure DevOps, we collect links that might be useful for kicking off the OAuth app development process on Microsoft Entra. For folks migrating from Azure DevOps OAuth to Microsoft Entra OAuth, we offer tips to consider during your migration effort.
For existing apps, see the Azure DevOps OAuth app guide. You can also manage which Azure DevOps apps are authorized to access your resources.
Developers are expected to specify what scopes they require from their users. The same scopes are available on both OAuth models. The following scopes are available via delegated (on-behalf-of user) flows only.
To find out what scopes you need for your app, look under the scopes header on the API Reference page for each API you're using.
Some scopes include other scopes. For example, `vso.code_manage` includes `vso.code_write`, and many scopes inherit from `vso.profile`. When requesting scope consent from users, consider the minimal number of scopes your app needs.
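The least-privilege check described above, as an added example (not part of the original page or of Azure DevOps tooling): it drops scopes that another needed scope already includes and flags access the app requests but never uses. Only the `vso.code_manage` to `vso.code_write` edge comes from this page; the `vso.code_write` to `vso.profile` edge, the call names, and the sample request are assumptions to replace with values from the scopes table and the API Reference.

```python
# Scope inclusion map: scope -> scopes it directly includes.
# vso.code_manage -> vso.code_write is stated on the page. The
# vso.code_write -> vso.profile edge is an ASSUMPTION standing in for
# "many scopes inherit from vso.profile"; take real edges from the scopes table.
INCLUDES = {
    "vso.code_manage": {"vso.code_write"},
    "vso.code_write": {"vso.profile"},  # assumed edge
}


def granted(scopes, includes=INCLUDES):
    """Return every scope effectively granted by `scopes` (transitive closure)."""
    seen, stack = set(), list(scopes)
    while stack:
        scope = stack.pop()
        if scope not in seen:
            seen.add(scope)
            stack.extend(includes.get(scope, ()))
    return seen


def minimal_request(needed, includes=INCLUDES):
    """Drop any needed scope that another needed scope already includes.
    Assumes the inclusion map has no cycles."""
    needed = set(needed)
    return {s for s in needed
            if not any(s in granted({o}, includes) for o in needed - {s})}


def audit(requested, needed, includes=INCLUDES):
    """Compare the scopes an app requests with the scopes its API calls need."""
    have, want = granted(requested, includes), granted(needed, includes)
    return {
        "missing": sorted(set(needed) - have),   # calls that would be refused
        "excess": sorted(have - want),           # access granted but never used
        "suggested": sorted(minimal_request(needed, includes)),
    }


# Constructed sample: scopes read from the API Reference for each call the
# app makes (hypothetical call names), and what the app currently requests.
NEEDED_BY_CALL = {"push commits": "vso.code_write", "read user profile": "vso.profile"}
REQUESTED = ["vso.code_manage", "vso.profile"]

if __name__ == "__main__":
    print(audit(REQUESTED, NEEDED_BY_CALL.values()))
```

A non-empty `excess` list means users are being asked to consent to more access than the app uses; a non-empty `missing` list means some calls would be refused with the current request.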
Note
Scopes only enable access to REST APIs and select Git endpoints. SOAP API access isn't supported.
[!INCLUDE scopes table]
A: No. Azure DevOps Services only supports the web server flow, so there's no way to implement OAuth, as you can't securely store the app secret.
A: No. OAuth is only supported in the REST APIs.