Authorize access to REST APIs with OAuth 2.0
Azure DevOps Services
Learn how to authenticate your web app users for REST API access, so your app doesn't continue to ask for usernames and passwords.
Note
- The following guidance is intended for Azure DevOps Services users since OAuth 2.0 isn't supported on Azure DevOps Server. Client Libraries are a series of packages built specifically for extending Azure DevOps Server functionality. For on-premises users, we recommend using Client Libraries, Windows Auth, or personal access tokens (PATs) to authenticate on behalf of a user.
- For more information, see the C# OAuth GitHub sample.
About OAuth 2.0
Azure DevOps Services uses the OAuth 2.0 protocol to authorize your app for a user and generate an access token. Use this token when you call the REST APIs from your application. When you call Azure DevOps Services APIs for that user, use that user's access token. Access tokens expire, so refresh the access token if expired.
Available OAuth models
Important
When creating a new OAuth 2.0 app, use Microsoft Entra ID OAuth. Azure DevOps OAuth 2.0 is slated for deprecation in 2026. Starting March 2025, we will stop accepting new Azure DevOps OAuth apps. Learn more in our blog post.
Microsoft Entra ID OAuth
Building on a new platform can be overwhelming. In this guide to building a Microsoft Entra app for Azure DevOps, we collect helpful links that might be useful to kicking off the OAuth app development process on Microsoft Entra. For folks migrating from Azure DevOps OAuth to Microsoft Entra OAuth, we offer tips to consider during your migration effort.
Azure DevOps OAuth
For existing apps, see the Azure DevOps OAuth app guide. You can also manage which Azure DevOps apps are authorized to access your resources.
Scopes
Developers are expected to specify what scopes they require from their users. The same scopes are available on both OAuth models. The following scopes are available via delegated (on-behalf-of user) flows only.
To find out what scopes you need for your app, look under the scopes
header on the API Reference page for each API you're using.
Some scopes might be inclusive of other scopes, for example, vso.code_manage
includes vso.code_write
. For example, many scopes inherit from vso.profile
. Consider what is the minimal number of scopes you need when requesting scope consent from users.
Note
Scopes only enable access to REST APIs and select Git endpoints. SOAP API access isn't supported.
Category | Scope | Name | Description | Inherits From |
---|---|---|---|---|
Advanced Security | vso.advsec |
AdvancedSecurity (read) | Grants the ability to read alerts, result instances, analysis result instances. | |
vso.advsec_write |
AdvancedSecurity (read and write) | Grants the ability to upload analyses in sarif | vso.advsec |
|
vso.advsec_manage |
AdvancedSecurity (read, write, and manage) | Grants the ability to upload analyses in sarif | vso.advsec_write |
|
Agent Pools | vso.agentpools |
Agent Pools (read) | Grants the ability to view tasks, pools, queues, agents, and currently running or recently completed jobs for agents. | |
vso.agentpools_manage |
Agent Pools (read, manage) | Grants the ability to manage pools, queues, and agents. | vso.agentpools |
|
vso.environment_manage |
Environment (read, manage) | Grants the ability to manage pools, queues, agents, and environments. | vso.agentpools_manage |
|
Analytics | vso.analytics |
Analytics (read) | Grants the ability to query analytics data. | |
Auditing | vso.auditlog |
Audit Log (read) | Grants the ability to read the auditing log to users. | |
vso.auditstreams_manage |
Audit Streams (read) | Grants the ability to manage auditing streams to users. | vso.auditlog |
|
Build | vso.build |
Build (read) | Grants the ability to access build artifacts, including build results, definitions, and requests, and the ability to receive notifications about build events via service hooks. | vso.hooks_write |
vso.build_execute |
Build (read and execute) | Grants the ability to access build artifacts, including build results, definitions, and requests, and the ability to queue a build, update build properties, and the ability to receive notifications about build events via service hooks. | vso.build |
|
Code | vso.code |
Code (read) | Grants the ability to read source code and metadata about commits, changesets, branches, and other version control artifacts. Also grants the ability to search code and get notified about version control events via service hooks. | vso.hooks_write |
vso.code_write |
Code (read and write) | Grants the ability to read, update, and delete source code, access metadata about commits, changesets, branches, and other version control artifacts. Also grants the ability to create and manage pull requests and code reviews and to receive notifications about version control events via service hooks. | vso.code |
|
vso.code_manage |
Code (read, write, and manage) | Grants the ability to read, update, and delete source code, access metadata about commits, changesets, branches, and other version control artifacts. Also grants the ability to create and manage code repositories, create and manage pull requests and code reviews, and to receive notifications about version control events via service hooks. | vso.code_write |
|
vso.code_full |
Code (full) | Grants full access to source code, metadata about commits, changesets, branches, and other version control artifacts. Also grants the ability to create and manage code repositories, create and manage pull requests and code reviews, and to receive notifications about version control events via service hooks. Also includes limited support for Client OM APIs. | vso.code_manage |
|
vso.code_status |
Code (status) | Grants the ability to read and write commit and pull request status. | ||
Connected Server | vso.connected_server |
Connected Server | Grants the ability to access endpoints needed from an on-premises connected server. | |
Entitlements | vso.entitlements |
Entitlements (Read) | Provides read only access to licensing entitlements endpoint to get account entitlements. | |
vso.memberentitlementmanagement |
MemberEntitlement Management (read) | Grants the ability to read users, their licenses as well as projects and extensions they can access. | ||
vso.memberentitlementmanagement_write |
MemberEntitlement Management (write) | Grants the ability to manage users, their licenses as well as projects and extensions they can access. | vso.memberentitlementmanagement |
|
Extensions | vso.extension |
Extensions (read) | Grants the ability to read installed extensions. | vso.profile |
vso.extension_manage |
Extensions (read and manage) | Grants the ability to install, uninstall, and perform other administrative actions on installed extensions. | vso.extension |
|
vso.extension.data |
Extension data (read) | Grants the ability to read data (settings and documents) stored by installed extensions. | vso.profile |
|
vso.extension.data_write |
Extension data (read and write) | Grants the ability to read and write data (settings and documents) stored by installed extensions. | vso.extension.data |
|
Github Connections | vso.githubconnections |
GitHub Connections (read) | Grants the ability to read GitHub connections and GitHub repositories data. | |
vso.githubconnections_manage |
GitHub Connections (read and manage) | Grants the ability to read and manage GitHub connections and GitHub repositories data | vso.githubconnections |
|
Graph & identity | vso.graph |
Graph (read) | Grants the ability to read user, group, scope, and group membership information. | |
vso.graph_manage |
Graph (manage) | Grants the ability to read user, group, scope and group membership information, and to add users, groups, and manage group memberships. | vso.graph |
|
vso.identity |
Identity (read) | Grants the ability to read identities and groups. | ||
vso.identity_manage |
Identity (manage) | Grants the ability to read, write, and manage identities and groups. | vso.identity |
|
Machine Group | vso.machinegroup_manage |
Deployment group (read, manage) | Provides ability to manage deployment group and agent pools. | vso.agentpools_manage |
Marketplace | vso.gallery |
Marketplace | Grants read access to public and private items and publishers. | vso.profile |
vso.gallery_acquire |
Marketplace (acquire) | Grants read access and the ability to acquire items. | vso.gallery |
|
vso.gallery_publish |
Marketplace (publish) | Grants read access and the ability to upload, update, and share items. | vso.gallery |
|
vso.gallery_manage |
Marketplace (manage) | Grants read access and the ability to publish and manage items and publishers. | vso.gallery_publish |
|
Notifications | vso.notification |
Notifications (read) | Provides read access to subscriptions and event metadata, including filterable field values. | vso.profile |
vso.notification_write |
Notifications (write) | Provides read and write access to subscriptions and read access to event metadata, including filterable field values. | vso.notification |
|
vso.notification_manage |
Notifications (manage) | Provides read, write, and management access to subscriptions and read access to event metadata, including filterable field values. | vso.notification_write |
|
vso.notification_diagnostics |
Notifications (diagnostics) | Provides access to notification-related diagnostic logs and provides the ability to enable diagnostics for individual subscriptions. | vso.notification |
|
Packaging | vso.packaging |
Packaging (read) | Grants the ability to read feeds and packages. | vso.profile |
vso.packaging_write |
Packaging (read and write) | Grants the ability to create and read feeds and packages. | vso.packaging |
|
vso.packaging_manage |
Packaging (read, write, and manage) | Grants the ability to create, read, update, and delete feeds and packages. | vso.packaging_write |
|
Pipeline Resources | vso.pipelineresources_use |
Pipeline Resources (use) | Grants the ability to approve a pipeline's request to use a protected resource: agent pool, environment, queue, repository, secure files, service connection, and variable group. | |
vso.pipelineresources_manage |
Pipeline Resources (use and manage) | Grants the ability to manage a protected resource or a pipeline's request to use a protected resource: agent pool, environment, queue, repository, secure files, service connection, and variable group. | vso.pipelineresources_manage |
|
Project and Team | vso.project |
Project and team (read) | Grants the ability to read projects and teams. | |
vso.project_write |
Project and team (read and write) | Grants the ability to read and update projects and teams. | vso.project |
|
vso.project_manage |
Project and team (read, write and manage) | Grants the ability to create, read, update, and delete projects and teams. | vso.project_write |
|
Release | vso.release |
Release (read) | Grants the ability to read release artifacts, including releases, release definitions and release environment. | vso.profile |
vso.release_execute |
Release (read, write and execute) | Grants the ability to read and update release artifacts, including releases, release definitions and release environment, and the ability to queue a new release. | vso.release |
|
vso.release_manage |
Release (read, write, execute and manage) | Grants the ability to read, update, and delete release artifacts, including releases, release definitions and release environment, and the ability to queue and approve a new release. | vso.release_manage |
|
Secure Files | vso.securefiles_read |
Secure Files (read) | Grants the ability to read secure files. | |
vso.securefiles_write |
Secure Files (read, create) | Grants the ability to read and create secure files. | vso.securefiles_read |
|
vso.securefiles_manage |
Secure Files (read, create, and manage) | Grants the ability to read, create, and manage secure files. | vso.securefiles_write |
|
Security | vso.security_manage |
Security (manage) | Grants the ability to read, write, and manage security permissions. | |
Service Connections | vso.serviceendpoint |
Service Endpoints (read) | Grants the ability to read service endpoints. | vso.profile |
vso.serviceendpoint_query |
Service Endpoints (read and query) | Grants the ability to read and query service endpoints. | vso.serviceendpoint |
|
vso.serviceendpoint_manage |
Service Endpoints (read, query and manage) | Grants the ability to read, query, and manage service endpoints. | vso.serviceendpoint_query |
|
Service Hooks | vso.hooks |
Service hooks (read) | Grants the ability to read service hook subscriptions and metadata, including supported events, consumers, and actions. (No longer public.) | vso.profile |
vso.hooks_write |
Service hooks (read and write) | Grants the ability to create and update service hook subscriptions and read metadata, including supported events, consumers, and actions. (No longer public.) | vso.hooks |
|
vso.hooks_interact |
Service hooks (interact) | Grants the ability to interact and perform actions on events received via service hooks. (No longer public.) | vso.profile |
|
Settings | vso.settings |
Settings (read) | Grants the ability to read settings. | |
vso.settings_write |
Settings (read and write) | Grants the ability to create and read settings. | ||
Symbols | vso.symbols |
Symbols (read) | Grants the ability to read symbols. | vso.profile |
vso.symbols_write |
Symbols (read and write) | Grants the ability to read and write symbols. | vso.symbols |
|
vso.symbols_manage |
Symbols (read, write and manage) | Grants the ability to read, write, and manage symbols. | vso.symbols_write |
|
Task Groups | vso.taskgroups_read |
Task Groups (read) | Grants the ability to read task groups. | |
vso.taskgroups_write |
Task Groups (read, create) | Grants the ability to read and create task groups. | vso.taskgroups_read |
|
vso.taskgroups_manage |
Task Groups (read, create and manage) | Grants the ability to read, create and manage taskgroups. | vso.taskgroups_write |
|
Team Dashboard | vso.dashboards |
Team dashboards (read) | Grants the ability to read team dashboard information. | |
vso.dashboards_manage |
Team dashboards (manage) | Grants the ability to manage team dashboard information. | vso.dashboards |
|
Test Management | vso.test |
Test management (read) | Grants the ability to read test plans, cases, results and other test management related artifacts. | vso.profile |
vso.test_write |
Test management (read and write) | Grants the ability to read, create, and update test plans, cases, results and other test management related artifacts. | vso.test |
|
Threads | vso.threads_full |
PR threads | Grants the ability to read and write to pull request comment threads. | |
Tokens | vso.tokens |
Delegated Authorization Tokens | Grants the ability to manage delegated authorization tokens to users. | |
vso.tokenadministration |
Token Administration | Grants the ability to manage (view and revoke) existing tokens to organization administrators. | ||
User Profile | vso.profile |
User profile (read) | Grants the ability to read your profile, accounts, collections, projects, teams, and other top-level organizational artifacts. | |
vso.profile_write |
User profile (write) | Grants the ability to write to your profile. | vso.profile |
|
Variable Groups | vso.variablegroups_read |
Variable Groups (read) | Grants the ability to read variable groups. | |
vso.variablegroups_write |
Variable Groups (read, create) | Grants the ability to read and create variable groups. | vso.variablegroups_read |
|
vso.variablegroups_manage |
Variable Groups (read, create and manage) | Grants the ability to read, create and manage variable groups. | vso.variablegroups_write |
|
Wiki | vso.wiki |
Wiki (read) | Grants the ability to read wikis, wiki pages and wiki attachments. Also grants the ability to search wiki pages. | |
vso.wiki_write |
Wiki (read and write) | Grants the ability to read, create and updates wikis, wiki pages and wiki attachments. | vso.wiki |
|
Work Items | vso.work |
Work items (read) | Grants the ability to read work items, queries, boards, area and iterations paths, and other work item tracking related metadata. Also grants the ability to execute queries, search work items and to receive notifications about work item events via service hooks. | vso.hooks_write |
vso.work_write |
Work items (read and write) | Grants the ability to read, create, and update work items and queries, update board metadata, read area and iterations paths other work item tracking related metadata, execute queries, and to receive notifications about work item events via service hooks. | vso.work |
|
vso.work_full |
Work items (full) | Grants full access to work items, queries, backlogs, plans, and work item tracking metadata. Also provides the ability to receive notifications about work item events via service hooks. | vso.work_write |
|
User Impersonation | user_impersonation |
User Impersonation | Have full access to Visual Studio Team Services REST APIs. Request and/or consent this scope with caution as it is very powerful! |
Frequently asked questions (FAQs)
Q: Can I use OAuth with my mobile phone app?
A: No. Azure DevOps Services only supports the web server flow, so there's no way to implement OAuth, as you can't securely store the app secret.
Q: Can I use OAuth with the SOAP endpoints and REST APIs?
A: No. OAuth is only supported in the REST APIs.