Make REST API calls with automatic Azure authentication and scope detection β no manual token management.
Full documentation, CLI reference, and security architecture
π¦ Part of azd Extensions β
Browse all Azure Developer CLI extensions by Jon Gallant
Stop managing tokens. Run azd rest and authentication happens automatically.
# Add the extension registry
azd extension source add -n jongio -t url -l https://jongio.github.io/azd-extensions/registry.json
# Install the extension
azd extension install jongio.azd.rest
# Make your first request
azd rest get https://management.azure.com/subscriptions?api-version=2020-01-01That's it. The extension detects the correct OAuth scope, acquires tokens, handles retries, and formats JSON responses.
|
Uses your Azure CLI credentials with automatic OAuth scope detection for 20+ Azure services β Management API, Graph, Key Vault, Storage, Cosmos DB, and more. SSRF protection with DNS resolution validation, blocked CIDR ranges, rate limiting, header sanitization, and response size limits. See security architecture β Built-in Model Context Protocol server for AI agent integration. Copilot and other AI tools can make authenticated Azure REST calls through |
GET, POST, PUT, PATCH, DELETE, HEAD, and OPTIONS with JSON body support from inline data or files. Request/response details, traceparent injection for distributed tracing, and redacted sensitive headers in logs. Comprehensive CI with CodeQL security scanning, spell checking, multi-platform testing (Linux/Windows/macOS), and 80%+ test coverage. |
# POST with JSON body
azd rest post https://management.azure.com/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Storage/storageAccounts/{name}?api-version=2021-04-01 \
--data '{"location":"eastus","kind":"StorageV2","sku":{"name":"Standard_LRS"}}'
# POST with body from file
azd rest post https://management.azure.com/.../storageAccounts/{name}?api-version=2021-04-01 \
--data-file storage-account.json
# Key Vault secret
azd rest get https://myvault.vault.azure.net/secrets/mysecret?api-version=7.4
# Microsoft Graph
azd rest get https://graph.microsoft.com/v1.0/me
# Azure Resource Graph (KQL) query
azd rest graph "Resources | summarize count() by type"
# Show the signed-in Azure identity (tenant, app, scopes, expiry)
azd rest whoami
# Public API (no auth)
azd rest get https://api.github.com/repos/Azure/azure-dev --no-auth
# Preview the detected scope without sending a request
azd rest scope https://management.azure.com/subscriptions?api-version=2020-01-01
# Custom headers + save response
azd rest get https://management.azure.com/subscriptions?api-version=2020-01-01 \
--header "Accept: application/json" --output-file subscriptions.json
# Table output (works with arrays and ARM value[] responses)
azd rest get https://management.azure.com/subscriptions?api-version=2020-01-01 --format table
# Newline-delimited JSON (one object per line) for piping to jq -c
azd rest get https://management.azure.com/subscriptions?api-version=2020-01-01 --format jsonl
# Read a single field into a shell variable without piping through jq -r
name=$(azd rest get https://management.azure.com/subscriptions/$SUB?api-version=2022-12-01 --query displayName -r)
# Minify the response to one line, for example to append one record per call to a log
azd rest get https://management.azure.com/subscriptions?api-version=2020-01-01 -c >> audit.log
# Send a YAML request body (converted to JSON automatically)
azd rest put https://management.azure.com/subscriptions/{sub}/resourceGroups/{rg}?api-version=2021-04-01 \
--data-file group.yaml --data-format yaml
# Flatten a response to dotted paths, then grep for one field
azd rest get https://management.azure.com/subscriptions/{sub}/resourceGroups/{rg}?api-version=2021-04-01 \
--flatten
# Diagnose authentication issues
azd rest doctor
# Exit non-zero (code 22) on an HTTP error so scripts and CI stop on failure
azd rest get https://management.azure.com/subscriptions/{sub}/resourceGroups/{rg}?api-version=2021-04-01 --failFor the complete command and flag reference, see the CLI Reference on the website.
# Build
cd cli && mage build
# Test
cd cli && mage test
# Lint
cd cli && mage lint
# All (fmt β lint β test β build β install)
cd cli && mageFor detailed testing information, see TESTING.md.
azd rest uses your Azure credentials to authenticate API requests. Only make requests to trusted endpoints, use HTTPS (default), and never use --insecure in production.
See the Security Architecture page for the full threat model, SSRF protections, and hardening details.
- Website β Full documentation and guided tour
- CLI Reference β Complete command and flag reference
- Security Architecture β Threat model and security hardening
- Troubleshooting β Common error scenarios and solutions
- CONTRIBUTING.md β Contribution guidelines
azd rest is part of a suite of Azure Developer CLI extensions by Jon Gallant.
| Extension | Description | Website |
|---|---|---|
| azd app | Run Azure apps locally with auto-dependencies, dashboard, and AI debugging | jongio.github.io/azd-app |
| azd copilot | AI-powered Azure development with 16 agents and 28 skills | jongio.github.io/azd-copilot |
| azd exec | Execute scripts with azd environment context and Key Vault integration | jongio.github.io/azd-exec |
| azd rest | Authenticated REST API calls with automatic scope detection | jongio.github.io/azd-rest |
π Extension Hub: jongio.github.io/azd-extensions β Browse all extensions, quick install, and registry info.
MIT β see LICENSE for details.