Authentication
All API calls to Vengtoo require authentication. Two methods are supported, and both are accepted on every endpoint:
- API keys — simple, non-expiring by default, ideal for internal scripts and trusted backends.
- OAuth2 Client Credentials — standards-compliant, short-lived tokens with scopes. Preferred for CI/CD, third-party integrations, and compliance-sensitive deployments. See OAuth2 Client Credentials.
Getting an API key
- Sign in to the Vengtoo Console
- Go to Settings → API Access
- Click Create API Key
- Copy the key — it won't be shown again
Using the API key
Pass the API key in the Authorization header:
Authorization: Bearer azx_...
The same header format applies to OAuth2 access tokens — the server accepts either.
Base URL
https://api.vengtoo.com
Example
curl -X POST https://api.vengtoo.com/access/v1/evaluation \
-H "Authorization: Bearer azx_..." \
-H "Content-Type: application/json" \
-d '{
"subject": { "id": "user-123", "type": "user" },
"resource": { "id": "doc-456", "type": "document" },
"action": { "name": "read" }
}'
Key management
- API keys can be revoked or deleted from the Console at any time.
- Keys do not expire by default — set an optional expiration date when creating the key.
- Optionally restrict a key to specific IP addresses or CIDR ranges — requests from other IPs are rejected.