Skip to main content

Authentication

All API calls to Vengtoo require authentication. Two methods are supported, and both are accepted on every endpoint:

  • API keys — simple, non-expiring by default, ideal for internal scripts and trusted backends.
  • OAuth2 Client Credentials — standards-compliant, short-lived tokens with scopes. Preferred for CI/CD, third-party integrations, and compliance-sensitive deployments. See OAuth2 Client Credentials.

Getting an API key

  1. Sign in to the Vengtoo Console
  2. Go to Settings → API Access
  3. Click Create API Key
  4. Copy the key — it won't be shown again

Using the API key

Pass the API key in the Authorization header:

Authorization: Bearer azx_...

The same header format applies to OAuth2 access tokens — the server accepts either.

Base URL

https://api.vengtoo.com

Example

curl -X POST https://api.vengtoo.com/access/v1/evaluation \
-H "Authorization: Bearer azx_..." \
-H "Content-Type: application/json" \
-d '{
"subject": { "id": "user-123", "type": "user" },
"resource": { "id": "doc-456", "type": "document" },
"action": { "name": "read" }
}'

Key management

  • API keys can be revoked or deleted from the Console at any time.
  • Keys do not expire by default — set an optional expiration date when creating the key.
  • Optionally restrict a key to specific IP addresses or CIDR ranges — requests from other IPs are rejected.