Every request to the OpenSourceMalware API requires a valid API token. Tokens are tied to your account, are prefixed with osm_, and are passed as a Bearer token in the Authorization header. There is no OAuth flow. Authentication is a single header on every request.
Getting a token
Sign in to OpenSourceMalware
Open your profile settings
Click your avatar in the top-right corner and select Settings.
Generate a token
Navigate to the API Tokens section and click Create Token. Copy the token immediately (it’s only shown once).
Keep your API token secret. Do not commit it to source control, include it in client-side code, or share it publicly. If your token is compromised, revoke it immediately from your profile settings and generate a new one.
Using your token
Pass the token in the Authorization header of every request:
Authorization: Bearer osm_your_token
curl -H "Authorization: Bearer osm_your_token" \
  "https://api.opensourcemalware.com/functions/v1/check-malicious?report_type=package&resource_identifier=my-pkg&ecosystem=npm"
Invalid or missing tokens
If your token is missing, malformed, or has been revoked, the API returns a 401 Unauthorized response:
{
  "error": "Unauthorized",
  "message": "Invalid or missing API token."
}
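A minimal client for the two sections above, written as an added example and not taken from OpenSourceMalware's own code: it reads the token from the environment instead of the source file, sends the single Authorization header, and turns the documented 401 body into an error that never echoes the token. The OSM_API_TOKEN variable name and all function names are assumptions made for this example.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

API_URL = "https://api.opensourcemalware.com/functions/v1/check-malicious"  # from the page
TOKEN_ENV = "OSM_API_TOKEN"  # assumed variable name, not defined by the API


class AuthError(Exception):
    """Token is absent, malformed, or rejected by the API (HTTP 401)."""


def load_token(env=os.environ):
    """Read the token from the environment so it never lives in source control."""
    token = env.get(TOKEN_ENV, "").strip()
    if not token.startswith("osm_") or token == "osm_":
        raise AuthError(f"{TOKEN_ENV} is unset or does not look like an osm_ token")
    return token


def build_request(token, **params):
    """Build the GET request carrying the Bearer token in the Authorization header."""
    url = f"{API_URL}?{urllib.parse.urlencode(params)}"
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})


def describe_401(body):
    """Summarise the documented 401 JSON body without including the token."""
    try:
        detail = json.loads(body).get("message", "")
    except (ValueError, AttributeError):
        detail = ""
    return f"401 Unauthorized: {detail}" if detail else "401 Unauthorized"


def check_package(name, ecosystem, opener=urllib.request.urlopen):
    """Query check-malicious; a 401 raises AuthError instead of being retried."""
    req = build_request(load_token(), report_type="package",
                        resource_identifier=name, ecosystem=ecosystem)
    try:
        with opener(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 401:
            raise AuthError(describe_401(err.read())) from None
        raise
```

Set OSM_API_TOKEN in the shell or a secrets manager before calling check_package("my-pkg", "npm"); the opener parameter exists only so the 401 path can be exercised without network access.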