Skip to content
repo-sdk
Esc
navigateopen⌘Jpreview
On this page

Azure DevOps authentication

Authenticate the Azure DevOps provider with a PAT, an OAuth access token, or an Entra ID token provider.

The azureDevOps provider from repo-sdk/azure-devops authenticates with a Personal Access Token, an OAuth access token, or an Entra ID tokenProvider callback, is pinned to an organization, and supports Azure DevOps Server via baseUrl.

The organization is required

Unlike the other providers, the azureDevOps factory is pinned to a single organization. It is not part of the repo string — a repo is addressed as project/repository.

PAT auth

Provide a Personal Access Token. The SDK encodes it into HTTP Basic auth internally.

import { createClient } from 'repo-sdk';
import { azureDevOps } from 'repo-sdk/azure-devops';

const client = createClient({
  provider: azureDevOps({
    organization: 'my-org',
    auth: { pat: process.env.AZURE_PAT! },
  }),
});
PropType
organization?string

The Azure DevOps organization (or collection). Required.

Typestring
pat?string

A Personal Access Token — encoded into HTTP Basic auth internally.

Typestring

OAuth access token

If you already hold an OAuth access token for the user (for example from an Azure DevOps OAuth app), pass it as accessToken. The SDK sends it as a Bearer token, and repos.getCloneUrl embeds it with the oauth2 username (https://oauth2:<token>@dev.azure.com/...).

azureDevOps({
  organization: 'my-org',
  auth: { accessToken: userAccessToken },
});
PropType
accessToken?string

An OAuth access token — sent as a Bearer token.

Typestring

Entra ID token provider

Instead of a PAT, supply a tokenProvider callback that returns a short-lived bearer token. The SDK calls it whenever it needs a credential, so you keep full control of minting and caching. On a 401 the callback is re-invoked once with forceRefresh: true and the request retried — see Expiring tokens.

azureDevOps({
  organization: 'my-org',
  auth: { tokenProvider: async () => getEntraToken() },
});
PropType
tokenProvider?TokenProvider

Async callback minting a short-lived Entra ID bearer token; receives { forceRefresh } — bypass your cache when it is true.

TypeTokenProvider

Scopes

Pick the PAT scope for what you’ll do:

  • Code (read) (vso.code) — required for repository discovery, commits, tags, branches, ref search, and archive downloads. Per Azure’s documented scope inheritance it also grants the profile and service-hook access the SDK relies on, so users.me, listOrganizations, and webhook management need no additional scope.
  • Project and Team (read) (vso.project) — required to list project namespaces.

Listing organizations

Organizations live outside the org-pinned provider, so listOrganizations is a standalone helper. Pass the same auth shape (PAT, accessToken, or tokenProvider); an optional second argument accepts an injectable fetch.

import { listOrganizations } from 'repo-sdk/azure-devops';

const orgs = await listOrganizations({ pat: process.env.AZURE_PAT! });
// orgs: { id, name, url }[]

Azure DevOps Server

For on-premises Azure DevOps Server, pass the collection base URL as baseUrl and use the collection name as the organization.

azureDevOps({
  organization: 'DefaultCollection',
  auth: { pat: process.env.AZURE_PAT! },
  baseUrl: 'https://azure.example.com/tfs',
});

Discover repositories

List projects and repositories once you’re authenticated.

Was this page helpful?