Commands
All HTTP method commands follow the same pattern: azd rest <method> <url> [flags]
| Command | Description |
|---|---|
azd rest get <url> | Execute a GET request |
azd rest post <url> | Execute a POST request |
azd rest put <url> | Execute a PUT request |
azd rest patch <url> | Execute a PATCH request |
azd rest delete <url> | Execute a DELETE request |
azd rest head <url> | Execute a HEAD request (headers only) |
azd rest options <url> | Execute an OPTIONS request |
azd rest doctor | Diagnose authentication and scope detection issues |
azd rest graph <kql-query> | Run an Azure Resource Graph (KQL) query |
azd rest whoami | Show the authenticated Azure identity |
azd rest scope <url> | Preview the detected OAuth scope and auth mode for a URL |
azd rest version | Display extension version |
Global Flags
These flags are available for all HTTP method commands.
Authentication
| Flag | Short | Type | Default | Description |
|---|---|---|---|---|
--scope | -s | string | (auto) | OAuth scope. Auto-detected for Azure services if not provided. |
--no-auth | bool | false | Skip authentication. Use for public APIs. | |
--client-request-id | string | "" | Set the x-ms-client-request-id header for Azure request correlation. Pass without a value to generate a random ID. |
Request Configuration
| Flag | Short | Type | Default | Description |
|---|---|---|---|---|
--header | -H | string[] | [] | Custom headers (repeatable). Format: Key:Value |
--header-file | string | "" | Read headers from a file (one Key: Value per line; blank lines and # comments ignored). -H overrides on conflict. | |
--url-param | string[] | [] | Set or append a URL query parameter (repeatable). Format: key=value | |
--data | -d | string | "" | Request body (JSON string) |
--data-file | string | "" | Read request body from file. Also accepts @file shorthand. | |
--form-field | string[] | [] | Add an application/x-www-form-urlencoded field (repeatable). Format: key=value. Repeat a key for multi-valued fields. Cannot be combined with --data or --data-file. | |
--json-field | string[] | [] | Add a string field to a JSON request body (repeatable). Format: key=value. Dotted keys nest. Cannot be combined with --data, --data-file, or --form-field. | |
--json-field-raw | string[] | [] | Add a raw JSON field to a JSON request body (repeatable). Format: key:=json. Dotted keys nest. | |
--timeout | -t | duration | 30s | Request timeout for a single attempt. Examples: 30s, 5m, 1h |
--max-time | duration | 0 | Overall time budget across retries and pagination. 0 disables the limit. | |
--insecure | -k | bool | false | Skip TLS certificate verification |
Response Configuration
| Flag | Short | Type | Default | Description |
|---|---|---|---|---|
--format | -f | string | auto | Output format: auto (pretty JSON), json (pretty JSON), raw, table, jsonl (one object per line), yaml, csv (RFC 4180) |
--compact | -c | bool | false | Minify JSON output to a single line with no extra whitespace. Applies to auto and json formats and --query results. Non-JSON, binary, raw, table, jsonl, yaml, and csv are left unchanged. |
--table-columns | string | "" | Comma-separated columns to show, in order, for --format table. Missing fields render as empty cells. Ignored for other formats. | |
--output-file | string | "" | Write response to file | |
--raw-output | -r | bool | false | With --query, print a string result unquoted and an array of strings one per line, like jq -r. Requires --query. |
--redact | string[] | [] | Mask a JSON response field before output (repeatable). Dotted path, * matches array elements. Applies to json, auto, table, and jsonl. | |
--dump-headers | string | "" | Write response status line and headers to a file (use - for stderr). Sensitive values are redacted. | |
--binary | bool | false | Stream as binary without transformation | |
--verbose | -v | bool | false | Show headers, timing, request details (tokens redacted) |
--color | string | auto | Colorize JSON output: auto (TTY only, honors NO_COLOR), always, never | |
--write-out | -w | string | "" | Print curl-style response metadata to stderr. See Write-Out Variables. |
Advanced Options
| Flag | Type | Default | Description |
|---|---|---|---|
--paginate | bool | false | Follow continuation tokens / next links |
--retry | int | 3 | Retry attempts with exponential backoff for transient errors |
--follow-redirects | bool | true | Follow HTTP redirects |
--max-redirects | int | 10 | Maximum redirect hops |
--show-throttle | bool | false | Print Azure rate-limit and quota headers (x-ms-ratelimit-remaining-*) to stderr, with a warning when remaining quota is low |
--repeat | int | 1 | Send the request N times and print latency stats (min/mean/p50/p95/p99/max) to stderr; only the last response body goes to stdout |
--allow-host | string[] | [] | Restrict requests to hosts matching a pattern (repeatable; leading *. matches subdomains). Env: AZD_REST_ALLOWED_HOSTS (comma separated) |
--fail | bool | false | Exit with code 22 when the response status is 400 or higher. The response body is still printed, so error details stay visible. |
Write-Out Variables
--write-out / -w prints a curl-style template to stderr after the request completes, so stdout stays clean for the response body. Use it in scripts and CI to capture the status code, timing, or size without parsing verbose output. The escape sequences \n and \t expand to newline and tab. Unknown%{...} tokens are left as-is.
| Variable | Description |
|---|---|
%{http_code} | Response status code (e.g. 200) |
%{http_status} | Full status line (e.g. 200 OK) |
%{time_total} | Total request time in seconds |
%{time_total_ms} | Total request time in milliseconds |
%{size_download} | Response body size in bytes |
%{content_type} | Response Content-Type |
%{method} | Request method |
%{url} | Final request URL |
%{header.NAME} | Named response header value (sensitive headers redacted) |
# Print only the status codeazd rest get https://management.azure.com/subscriptions?api-version=2020-01-01 \ --write-out "%{http_code}\n" > body.json
# Status and timing on one lineazd rest get https://graph.microsoft.com/v1.0/me \ --write-out "%{http_code} %{time_total}s %{size_download}B\n"Scope Command
Preview how azd rest would authenticate a request to a URL without sending it. The command reports the resolved authentication mode, the OAuth scope, and the matched Azure service when known. It makes no network call, and honors --scope, --no-auth, and -H headers.
# Preview the scope for a Management API URLazd rest scope https://management.azure.com/subscriptions?api-version=2020-01-01
# See the effect of --no-authazd rest scope https://api.github.com/repos/Azure/azure-dev --no-auth
# Machine-readable outputazd rest scope https://graph.microsoft.com/v1.0/me --format json| Flag | Short | Type | Default | Description |
|---|---|---|---|---|
--scope | -s | string | (auto) | Override the OAuth scope reported for the URL |
--no-auth | bool | false | Report the request as unauthenticated | |
--header | -H | string[] | [] | Headers used to evaluate auth skip (repeatable) |
--format | -f | string | auto | Output format: auto or json |
Version Command
# Default outputazd rest version
# Quiet — version number onlyazd rest version --quiet
# JSON outputazd rest version --format json| Flag | Short | Type | Default | Description |
|---|---|---|---|---|
--quiet | -q | bool | false | Display only the version number |
--format | -f | string | auto | Output format: auto or json |
Scope Detection
azd rest automatically detects the correct OAuth scope based on the URL hostname. This eliminates the need to manually specify scopes for most Azure API calls.
Supported Azure Services
| Service | Hostname Pattern | Scope |
|---|---|---|
| Azure Management API | management.azure.com | https://management.azure.com/.default |
| Microsoft Graph | graph.microsoft.com | https://graph.microsoft.com/.default |
| Azure Key Vault | *.vault.azure.net | https://vault.azure.net/.default |
| Azure Storage | *.blob.core.windows.net*.queue.core.windows.net*.table.core.windows.net*.file.core.windows.net*.dfs.core.windows.net | https://storage.azure.com/.default |
| Azure Container Registry | *.azurecr.io | https://containerregistry.azure.net/.default |
| Azure Cosmos DB | *.documents.azure.com | https://cosmos.azure.com/.default |
| Azure App Configuration | *.azconfig.io | https://azconfig.io/.default |
| Azure Batch | *.batch.azure.com | https://batch.core.windows.net/.default |
| Azure Database (PostgreSQL/MySQL) | *.postgres.database.azure.com*.mysql.database.azure.com*.mariadb.database.azure.com | https://ossrdbms-aad.database.windows.net/.default |
| Azure SQL Database | *.database.windows.net | https://database.windows.net/.default |
| Azure Synapse | *.dev.azuresynapse.net | https://dev.azuresynapse.net/.default |
| Azure Data Lake | *.azuredatalakestore.net | https://datalake.azure.net/.default |
| Azure Media Services | *.media.azure.net | https://rest.media.azure.net/.default |
| Azure Log Analytics | api.loganalytics.io | https://api.loganalytics.io/.default |
| Azure DevOps | dev.azure.com*.visualstudio.com | 499b84ac-1321-427f-aa17-267ca6975798/.default |
| Azure Kusto | *.kusto.windows.net | https://{hostname}/.default |
| Azure Service Bus | *.servicebus.windows.net | https://servicebus.azure.net/.default |
| Azure Event Hubs | *.servicebus.windows.net | https://eventhubs.azure.net/.default |
Custom Scopes
For services not in the auto-detection list, provide a scope manually:
azd rest get https://api.myservice.com/data --scope https://myservice.com/.defaultPagination
When --paginate is enabled, azd rest automatically follows continuation tokens from Azure APIs. It looks for:
nextLinkin the JSON response body@odata.nextLinkin OData responsesLinkHTTP headers withrel="next"
# Get all resources across all pagesazd rest get https://management.azure.com/subscriptions/{sub}/resources?api-version=2021-04-01 --paginateRetry Configuration
azd rest automatically retries failed requests with exponential backoff for transient errors (5xx status codes, network errors).
# Default: 3 retriesazd rest get https://api.example.com/resource
# Custom retry countazd rest get https://api.example.com/resource --retry 5
# Disable retriesazd rest get https://api.example.com/resource --retry 0Exit Codes
| Code | Meaning |
|---|---|
0 | Success |
1 | Request failed (network error, invalid response) |
2 | Invalid arguments or configuration |
22 | Response status was 400 or higher and --fail was set |
Troubleshooting
Authentication Errors
Error: failed to get token: credential unavailable
# Ensure you're logged in to Azureaz login
# Or use service principalexport AZURE_CLIENT_ID="..."export AZURE_CLIENT_SECRET="..."export AZURE_TENANT_ID="..."Scope Detection Issues
Error: Warning: Azure host detected but no scope found
# Manually specify scopeazd rest get https://management.azure.com/... --scope https://management.azure.com/.defaultNetwork Errors
Error: timeout or connection refused
# Increase timeoutazd rest get https://api.example.com/resource --timeout 5m
# Check proxy settingsecho $HTTP_PROXYecho $HTTPS_PROXYInvalid JSON Response
Error: failed to format response: invalid JSON
# Use raw format to see actual responseazd rest get https://api.example.com/resource --format raw