Choose the right authentication mechanism
Azure DevOps Services | Azure DevOps Server 2022 - Azure DevOps Server 2019
For applications that interface with Azure DevOps Services, you must authenticate to gain access to resources like REST APIs. This article provides guidance to help you choose the right authentication mechanism for your application.
The following table outlines the recommended authentication mechanisms for different application types. Refer to the accompanying descriptions, examples, and code samples to help get you started.
| Type of application | Description | Example | Authentication mechanism | Code samples |
|---|---|---|---|---|
| Interactive client-side app (REST) | Client application that allows user interaction calling Azure DevOps Services REST APIs | Console application enumerating projects in an organization | OAuth | sample |
| Interactive client-side app (client libraries) | Client application that allows user interaction calling Azure DevOps Services client libraries | Console application enumerating bugs assigned to the current user | Client libraries | sample |
| Non-interactive client-side app | Headless text only client-side application | Console app displaying all bugs assigned to a user | Device Profile | sample |
| Personal access token (PAT) | Bearer token to access your own resources | Use your PAT in place of your password for REST requests. Not ideal for building applications. | PATs | docs |
| Server app | Azure DevOps Server app using the Client OM library | Azure DevOps Server extension displaying team bug dashboards | Client Libraries | sample |
| Service principal or Managed Identity | Application identity with access to organization's Azure DevOps resources | Azure function to create work items | Service principals and managed identities | sample |
| Web extension | Azure DevOps Services extension | Agile Cards extension | VSS Web Extension SDK | sample |
Frequently asked questions (FAQs)
Q: Why can't my service account access the Azure DevOps REST API?
A: Your service account might not have "materialized." Service accounts without interactive sign-in permissions can't sign in. For more information, see this work-around for a solution.
Q: Should I use Azure DevOps Services Client Libraries or Azure DevOps Services REST APIs for my interactive client-side application?
A: We recommend using Azure DevOps Services Client Libraries over REST APIs for accessing Azure DevOps Services resources. They're simpler and easier to maintain when REST endpoint versions change. If the client libraries lack certain functionality, use MSAL for authentication with our REST APIs.
Q: Is this guidance only for Azure DevOps Services or is it also relevant for on-premises Azure DevOps Server users?
A: This guidance is primarily for Azure DevOps Services users. For Azure Devops Server users, we recommend using the Client Libraries, Windows Authentication, or Personal Access Tokens (PATs) for authentication.
Q: What if I want my application to authenticate with both Azure DevOps Server and Azure DevOps Services?
A: The best practice is to have separate authentication paths for Azure DevOps Server and Azure DevOps Services. You can use the requestContext to determine which service you're accessing and then apply the appropriate authentication mechanism. If you prefer a unified solution, PATs work for both.