Every request to the OSM API requires a valid API token. Tokens are tied to your account, are prefixed with osm_, and are passed as a Bearer token in the Authorization header. There is no OAuth flow — authentication is a single header on every request.
Getting a token
1. Sign in to OpenSourceMalware.
2. Open your profile settings: click your avatar in the top-right corner and select Settings.
3. Generate a token: navigate to the API Tokens section and click Generate Token. Copy the token immediately — it is only shown once.
Using your token
Pass the token in the Authorization header of every request:
Authorization: Bearer osm_your_token
curl -H "Authorization: Bearer osm_your_token" \
"https://api.opensourcemalware.com/functions/v1/check-malicious?report_type=package&resource_identifier=my-pkg&ecosystem=npm"
Invalid or missing tokens
If your token is missing, malformed, or has been revoked, the API returns a 401 Unauthorized response:
{
  "error": "Unauthorized",
  "message": "Invalid or missing API token."
}
Keep your API token secret. Do not commit it to source control, include it in client-side code, or share it publicly. If your token is compromised, revoke it immediately from your profile settings and generate a new one.
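The following client sketch is an added example, not code from the OSM documentation. It reads the token from the environment instead of source code, checks the osm_ prefix before sending, and maps the 401 body shown above to a dedicated error. The variable name OSM_API_TOKEN and the names load_token, build_request, check and OSMAuthError are assumptions made for this example.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

API_URL = "https://api.opensourcemalware.com/functions/v1/check-malicious"
TOKEN_ENV = "OSM_API_TOKEN"  # assumed variable name, not defined by the OSM docs


class OSMAuthError(Exception):
    """Token is unusable locally or was rejected by the API with a 401."""


def load_token(env=os.environ):
    """Read the token from the environment so it never lives in source control."""
    token = env.get(TOKEN_ENV, "").strip()
    if not token.startswith("osm_") or token == "osm_":
        # Never echo the value itself: error text tends to end up in CI logs.
        raise OSMAuthError(f"{TOKEN_ENV} is unset or is not an osm_ token")
    return token


def build_request(token, **params):
    """Attach the Bearer header the API expects on every request."""
    url = f"{API_URL}?{urllib.parse.urlencode(params)}"
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})


def check(token, opener=urllib.request.urlopen, **params):
    """Call check-malicious; turn the documented 401 body into OSMAuthError."""
    try:
        with opener(build_request(token, **params), timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code != 401:
            raise
        try:
            detail = json.loads(err.read() or b"{}").get("message", "Unauthorized")
        except (ValueError, AttributeError):
            detail = "Unauthorized"
        # Raise a dedicated error so callers can tell "rotate the token" from other failures.
        raise OSMAuthError(detail) from None


if __name__ == "__main__":
    print(check(load_token(), report_type="package",
                resource_identifier="my-pkg", ecosystem="npm"))
```

In CI, supply OSM_API_TOKEN from the platform's secret store rather than a checked-in file, and treat OSMAuthError as the signal to revoke and regenerate the token.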