SharePoint Indexing API
Captain indexes SharePoint document libraries through Microsoft’s Graph API. There is no per-user OAuth flow and no user passwords involved: your Microsoft 365 admin registers an app once, and Captain uses that app’s credentials to read a single file, a folder (recursively), or a whole document library.
Access can be scoped to exactly one site. With the recommended
Sites.Selected permission, your admin grants read access to the specific
site you want indexed and nothing else; Captain never sees the rest of the
tenant.
To index individual users’ OneDrive for Business drives instead, see the OneDrive Indexing API guide. The endpoints and permissions are separate by design.
What your IT admin provides
Three values, all from a one-time App Registration in Microsoft Entra ID:
Plus the URL of the SharePoint site to index, e.g.
https://yourco.sharepoint.com/sites/Sales.
One-time setup
Every step below is done by someone with admin rights in your Microsoft 365 tenant. It takes about 10 minutes and is done once. After that, indexing is a plain API call.
Step 1: Create an App Registration and client secret
- Sign in at entra.microsoft.com (or the Azure portal) and go to Identity → Applications → App registrations.
- Click New registration. Name the app (for example
captain-indexing), leave every default as is, and click Register. - On the app’s Overview page, copy two values: the Application (client) ID and the Directory (tenant) ID.
- Go to Certificates & secrets and click New client secret. Pick an expiry and click Add.
- Copy the secret’s Value right away; it is shown only once. This is
the
client_secretyou’ll send to Captain. Keep it secret.
Step 2: Grant an application permission and admin consent
- On the app’s API permissions page, click Add a permission and choose Microsoft Graph.
- Choose Application permissions, not Delegated. Application permissions are what let Captain run headlessly, with no signed-in user.
- Add one of:
Sites.Selected(recommended). The app can read only the specific sites you grant in Step 3. Nothing else in the tenant is visible.Sites.Read.All. Read access to every SharePoint site, with no Step 3 needed. Simpler but broader; security-conscious tenants usually preferSites.Selected.
- Click Grant admin consent for <your org> on the same page.
Step 3 (Sites.Selected only): Grant the app access to the site
With Sites.Selected, one more one-time call maps the app to each site it
may read. Using Microsoft Graph (with any admin credential that has
Sites.FullControl.All, e.g. Graph Explorer):
Or with PnP PowerShell:
To find {site-id} for the Graph call:
GET https://graph.microsoft.com/v1.0/sites/yourco.sharepoint.com:/sites/Sales.
Indexing
All three endpoints take the same auth fields plus the site URL, and differ only in scope.
A site’s whole document library
This indexes the site’s default document library (“Documents”). If the site
has additional libraries, pass the optional drive_id of the library to
index instead.
A folder (recursively)
folder_id is the folder’s Graph driveItem ID. Subfolders are indexed too.
A single file
item_id is the file’s Graph driveItem ID.
Every response is { "job_id": "...", "status": "pending" }. Poll
GET /v2/collections/{name}/jobs/{job_id} for progress, then query the
collection with POST /v2/collections/{name}/query.
What gets indexed
- Documents (PDF, DOCX, XLSX, PPTX, CSV, TXT, images, etc.): SharePoint stores files in their native formats, so everything downloads and processes directly. No export step.
- Skipped: OneNote notebooks, site pages (
.aspx), and any file the app can’t access (logged and skipped; the job continues).
Troubleshooting
Security notes
- Grants are read-only. Captain never writes to or deletes from SharePoint.
- With
Sites.Selected, Captain can only see the sites your admin explicitly granted. Other sites, users’ OneDrives, mail, and everything else in the tenant stay invisible. - The client secret is a credential: treat it like a password. Revoke it any time under Certificates & secrets, or kill all access by deleting the App Registration.
- Captain uses the secret only to mint short-lived tokens per job; nothing durable is stored beyond the request.
- Every read appears in your Microsoft 365 audit logs, attributed to the app.