Using Personal Access Tokens to access Visual Studio Online

July 22, 2015 by Rene van Osnabrugge 24 Comments

People who use Visual Studio Online for a while are probably familiar with the alternate credentials. These are used when accessing the REST API or when using an external client for accessing your Git repositories.

You configure your alternate credentials on your [My Profile] page and fill a username and password of your choice.

Once you enable your credentials, you can use these credentials when doing a REST call or (easier to test) clone a Git repository

This is great but not the most secure way of doing things.

Personal Access Tokens

In the update of July 7th, we now have the ability to use Personal Access Tokens as an alternative to the Alternate Credentials. Instead of sending our username and password over the wire we an now use a secure token that we can scope to a timeframe and to functionality within VSO. On the [My Profile] page you can configure one or more Personal Access Tokens. For example a token to access Code Features.

When you create the token, you see a token (only visible after creation !) that you should copy and keep safe.

This token alone is sufficient to authenticate against VSO. So when you now clone a Git repository you only have to fill in this token in the password box. Username can be empty or any value

The great thing is that you can revoke rights or the token afterwards and make sure that people cannot access stuff anymore.

Hope this helps!

Tips & Tricks, Visual Studio Online

security, VSO

About Rene van Osnabrugge

View all posts by Rene van Osnabrugge →

Integrating TeamCity with Team Foundation Server – Part 2

Get started with Docker on Azure for Microsoft developers and/or Linux noobs

24 Responses to “Using Personal Access Tokens to access Visual Studio Online”

Travis July 25, 2015 at 9:36 pm

How do you actually use one of these things? Do I just send the personal access token as the value of the authorization header in the request? Does it have to be formatted some certain way? I’m using Casablanca for a command line tool and I can’t get it to authenticate using a personal access token against the REST APIs. This all seems to be too new to have much around the net about using it, this and one other blog post announcing it are all I found. Any docs that get into the specifics of the handshake?
- Rene van Osnabrugge July 26, 2015 at 6:41 am
  
  I used Postman in Google Chrone as App Postman sends the value in the header. Just like the basic authentication. Hope this helps !
Morious October 17, 2015 at 4:19 am

Is there a way to set the access token in a config so I don’t have to copy paste it?
I know VSO is working on SSH support but in the meanwhile….
Thx.
- Rene van Osnabrugge November 12, 2015 at 9:28 pm
  
  What config do you mean ?
- Zhong Xun December 11, 2015 at 5:49 am
  
  I use powershell to read token from config file and replace it to url like this https://token@xxx.visualstudio.com/DefaultCollection/XXX/_git/xxx
Zhong Xun December 8, 2015 at 10:04 pm

Sorry for an irrelevant question! Which tool you used for drawing frame and curved line?
- Rene van Osnabrugge December 9, 2015 at 7:51 am
  
  Paint.net 🙂
  - zhongxun1975 December 11, 2015 at 5:36 am
    
    That tool is cool. Your article is great!
mkruger777 February 11, 2016 at 1:22 pm

Silly Question :- )
But is this functionality also available in the normal “non-cloud version” of TFS 2015 ?
- Rene van Osnabrugge February 11, 2016 at 1:28 pm
  
  Nope…
  - mkruger777 February 11, 2016 at 3:40 pm
    
    Bummer.Thanks for your answer!