auth-schemes.md

title: Authentication Schemas for Service Endpoints | Extensions for Azure DevOps
description: Find the different ways to authenticate with external services using service endpoints in Azure DevOps extensions.
ms.assetid: bffc76b7-f6ba-41f0-8460-ccb44d45d670
ms.subservice: azure-devops-ecosystem
ms.topic: conceptual
monikerRange: <= azure-devops
ms.author: chcomley
author: chcomley
ms.date: 01/08/2025

Service endpoint authentication schemes

[!INCLUDE version-lt-eq-azure-devops]

Learn how to set the credentials in the HTTP request header when you call the external endpoint, so that Azure DevOps can connect to the external service with those credentials. Azure DevOps supports a closed set of authentication schemes that a custom service endpoint type can use. Azure DevOps interprets the authentication scheme used by any custom endpoint and supports the connection to the external service.

See the following authentication schemes that are part of the closed set.

[!INCLUDE extension-docs-new-sdk]

Basic authentication

As a security measure, we recommend using service principals and managed identities instead of basic authentication. For more information, see Use service principals & managed identities.

Token-based authentication

This scheme takes one input: API Token (confidential).

The default value of the Authorization header is: {{endpoint.apitoken}}

{
    "id": "endpoint-auth-scheme-token",
    "description": "i18n:Token based endpoint authentication scheme",
    "type": "ms.vss-endpoint.service-endpoint-type",
    "targets": [
        "ms.vss-endpoint.endpoint-types"
    ],
    "properties": {
        "name": "Token",
        "displayName": "i18n:Token Based Authentication",
        "authenticationSchemes": [
            {
                "type": "ms.vss-endpoint.endpoint-auth-scheme-token",
                "headers": [
                    {
                        "name": "Authorization",
                        "value": "{{endpoint.apitoken}}"
                    }
                ],
                "inputDescriptors": [
                    {
                        "id": "apitoken",
                        "name": "i18n:API Token",
                        "description": "i18n:API Token for connection to endpoint",
                        "inputMode": "textbox",
                        "isConfidential": true,
                        "validation": {
                            "isRequired": true,
                            "dataType": "string",
                            "maxLength": 300
                        }
                    }
                ]
            }
        ]
    }
}
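
The manifest above ties the Authorization header template to the apitoken input by name. As an added example (not code from the original page or from Azure DevOps), this Node.js lint checks that every {{endpoint.*}} reference in a scheme's headers resolves to a declared input marked isConfidential, and that confidential inputs are required. The rule set, the auditAuthSchemes function, and the X-Api-Key / apikey names in the broken sample are assumptions made for illustration.

```javascript
// Added example: lint the authenticationSchemes of a service endpoint contribution.
// The rules are illustrative assumptions, not an Azure DevOps validation API.
const ENDPOINT_REF = /\{\{\s*endpoint\.([A-Za-z0-9_]+)\s*\}\}/g;

function auditAuthSchemes(contribution) {
  const findings = [];
  const schemes = (contribution.properties || {}).authenticationSchemes || [];
  for (const scheme of schemes) {
    const inputs = new Map((scheme.inputDescriptors || []).map((d) => [d.id, d]));
    // Every {{endpoint.<id>}} used in a header must name a declared, confidential input.
    for (const header of scheme.headers || []) {
      for (const [, id] of String(header.value).matchAll(ENDPOINT_REF)) {
        const input = inputs.get(id);
        if (!input) {
          findings.push(`${scheme.type}: header "${header.name}" references undeclared input "${id}"`);
        } else if (input.isConfidential !== true) {
          findings.push(`${scheme.type}: input "${id}" feeds header "${header.name}" but is not confidential`);
        }
      }
    }
    // A confidential input that may be left empty lets the endpoint be saved without a credential.
    for (const [id, input] of inputs) {
      if (input.isConfidential === true && (input.validation || {}).isRequired !== true) {
        findings.push(`${scheme.type}: confidential input "${id}" is not required`);
      }
    }
  }
  return findings;
}

// Constructed sample: the page's token scheme, plus a deliberately broken copy.
const pageTokenScheme = {
  type: "ms.vss-endpoint.endpoint-auth-scheme-token",
  headers: [{ name: "Authorization", value: "{{endpoint.apitoken}}" }],
  inputDescriptors: [{
    id: "apitoken", inputMode: "textbox", isConfidential: true,
    validation: { isRequired: true, dataType: "string", maxLength: 300 },
  }],
};
const brokenScheme = {
  ...pageTokenScheme,
  headers: [
    { name: "Authorization", value: "{{endpoint.apitoken}}" },
    { name: "X-Api-Key", value: "{{endpoint.apikey}}" }, // hypothetical header, input never declared
  ],
  inputDescriptors: [{ ...pageTokenScheme.inputDescriptors[0], isConfidential: false }],
};
const wrap = (scheme) => ({ properties: { name: "Token", authenticationSchemes: [scheme] } });
console.log(auditAuthSchemes(wrap(pageTokenScheme)), auditAuthSchemes(wrap(brokenScheme)));
```

Run it against the parsed contributions of an extension manifest before publishing; an empty array means no rule fired.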

Certificate-based authentication

This scheme takes one input: Certificate (confidential).

The certificate value must be provided in the text area.

{
    "id": "endpoint-auth-scheme-cert",
    "description": "i18n:Creates a certificate-based endpoint authentication scheme",
    "type": "ms.vss-endpoint.service-endpoint-type",
    "targets": [
        "ms.vss-endpoint.endpoint-types"
    ],
    "properties": {
        "name": "Certificate",
        "displayName": "i18n:Certificate Based",
        "authenticationSchemes": [
            {
                "type": "ms.vss-endpoint.endpoint-auth-scheme-cert",
                "inputDescriptors": [
                    {
                        "id": "certificate",
                        "name": "i18n:Certificate",
                        "description": "Content of the certificate",
                        "inputMode": "TextArea",
                        "isConfidential": true,
                        "validation": {
                            "isRequired": true,
                            "dataType": "string"
                        }
                    }
                ]
            }
        ]
    }
}

No authentication

Use this scheme when an endpoint type doesn't need to take any input, for example, for external services that support anonymous access to their resources.

{
    "id": "endpoint-auth-scheme-none",
    "description": "i18n:Creates an endpoint authentication scheme with no authentication.",
    "type": "ms.vss-endpoint.endpoint-auth-scheme-none",
    "targets": [
        "ms.vss-endpoint.endpoint-auth-schemes"
    ],
    "properties": {
        "name": "None",
        "displayName": "i18n:No Authentication"
    }
}