Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Azure DevOps Services | Azure DevOps Server | Azure DevOps Server 2022
When you define a custom service endpoint type in your extension, you specify an authentication scheme that tells Azure DevOps how to set credentials in the HTTP request header. Azure DevOps supports the following authentication schemes for custom endpoints.
Tip
For the latest extension development guidance, including theming and migration from VSS.SDK, see the Azure DevOps Extension SDK developer portal.
Basic authentication
Uses a username and password sent as a Base64-encoded Authorization header.
Important
Where possible, use service principals and managed identities instead of basic authentication. For more information, see Use service principals & managed identities.
The built-in scheme type is ms.vss-endpoint.endpoint-auth-scheme-basic. You don't need to declare it in your extension manifest — reference it in your endpoint type's authenticationSchemes array:
"authenticationSchemes": [
{
"type": "ms.vss-endpoint.endpoint-auth-scheme-basic"
}
]
Azure DevOps prompts the user for Username and Password and sends them as the standard HTTP Basic Authorization header.
Token-based authentication
Takes a single confidential input — an API token. The token value is sent in the Authorization header.
{
"id": "endpoint-auth-scheme-token",
"description": "i18n:Token based endpoint authentication scheme",
"type": "ms.vss-endpoint.service-endpoint-type",
"targets": [
"ms.vss-endpoint.endpoint-types"
],
"properties": {
"name": "Token",
"displayName": "i18n:Token Based Authentication",
"authenticationSchemes": [
{
"type": "ms.vss-endpoint.endpoint-auth-scheme-token",
"headers": [
{
"name": "Authorization",
"value": "{{endpoint.apitoken}}"
}
],
"inputDescriptors": [
{
"id": "apitoken",
"name": "i18n:API Token",
"description": "i18n:API Token for connection to endpoint",
"inputMode": "textbox",
"isConfidential": true,
"validation": {
"isRequired": true,
"dataType": "string",
"maxLength": 300
}
}
]
}
]
}
}
The {{endpoint.apitoken}} placeholder resolves to the value the user enters in the API Token field at runtime.
Certificate-based authentication
Takes a single confidential input — the certificate content, entered in a text area.
{
"id": "endpoint-auth-scheme-cert",
"description": "i18n:Creates a certificate-based endpoint authentication scheme",
"type": "ms.vss-endpoint.service-endpoint-type",
"targets": [
"ms.vss-endpoint.endpoint-types"
],
"properties": {
"name": "Certificate",
"displayName": "i18n:Certificate Based",
"authenticationSchemes": [
{
"type": "ms.vss-endpoint.endpoint-auth-scheme-cert",
"inputDescriptors": [
{
"id": "certificate",
"name": "i18n:Certificate",
"description": "Content of the certificate",
"inputMode": "TextArea",
"isConfidential": true,
"validation": {
"isRequired": true,
"dataType": "string"
}
}
]
}
]
}
}
No authentication
Use this scheme when the external service supports anonymous access and no credentials are needed.
{
"id": "endpoint-auth-scheme-none",
"description": "i18n:Creates an endpoint authentication scheme with no authentication.",
"type": "ms.vss-endpoint.endpoint-auth-scheme-none",
"targets": [
"ms.vss-endpoint.endpoint-auth-schemes"
],
"properties": {
"name": "None",
"displayName": "i18n:No Authentication"
}
}