API keys authenticate every request to the Veto API. Include your key in the Authorization header of each request:
Authorization: Bearer veto_your_api_key

Key format

All API keys follow this format:
veto_<32 hex characters>
Example: veto_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4
The raw key value is returned once at creation and never again. Store it immediately in a secure location such as an environment variable or a secrets manager. If you lose a key, revoke it and create a new one.

Scopes

Each key has one or more scopes that control what it can do.
Scope    Access
admin    Full access — can create, update, and delete agents, policies, and API keys, and call all read endpoints
read     Read-only — can call POST /v1/authorize, GET /v1/agents, GET /v1/policies, GET /v1/audit-logs, and GET /v1/api-keys

POST /v1/api-keys

Create a new API key for your workspace.
Requires an API key with the admin scope.

Request body

name (string, required): Display name for the key, for your reference. Between 1 and 255 characters.
scopes (string[], required): Scopes to grant. Use ["admin"] for full access or ["read"] for read-only access.
expiresAt (string): ISO 8601 expiry timestamp. If omitted, the key does not expire.

Response

Returns 201 with:
id (string, required): UUID of the API key record.
name (string, required): Display name of the key.
prefix (string, required): First 12 characters of the key (e.g., veto_a1b2c3d4). Use this to identify the key in the future — the full key is not stored.
scopes (string[], required): Scopes granted to this key.
expiresAt (string | null, required): Expiry timestamp, or null if the key does not expire.
createdAt (string, required): ISO 8601 creation timestamp.
key (string, required): The raw API key value. This is the only time this value is returned. Store it securely now.

GET /v1/api-keys

List all API keys in your workspace. The raw key is never included in list responses — only the prefix and metadata.
Requires an API key with the admin scope.
Returns an array of objects with: id, name, prefix, scopes, expiresAt, lastUsedAt, createdAt.
id (string, required): UUID of the API key record.
name (string, required): Display name of the key.
prefix (string, required): First 12 characters of the key for identification.
scopes (string[], required): Scopes granted to this key.
expiresAt (string | null, required): Expiry timestamp, or null if the key does not expire.
lastUsedAt (string | null, required): ISO 8601 timestamp of the last time this key was used to authenticate a request. null if never used.
createdAt (string, required): ISO 8601 creation timestamp.
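
An added example, not part of the Veto documentation or any Veto SDK: a Python check that reads the list-response fields above and flags keys worth reviewing (admin keys with no expiry, keys close to expiry, keys that are idle or were never used). The sample records, the 90-day and 14-day thresholds, and the function names are assumptions made for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of a GET /v1/api-keys response; ids, names and prefixes are made up.
SAMPLE = json.loads("""[
  {"id": "00000000-0000-0000-0000-000000000001", "name": "ci-deploy", "prefix": "veto_0000001",
   "scopes": ["admin"], "expiresAt": null, "lastUsedAt": "2024-11-14T09:00:00.000Z",
   "createdAt": "2024-01-10T00:00:00.000Z"},
  {"id": "00000000-0000-0000-0000-000000000002", "name": "dashboard", "prefix": "veto_0000002",
   "scopes": ["read"], "expiresAt": "2024-11-20T00:00:00.000Z",
   "lastUsedAt": "2024-11-15T09:00:00.000Z", "createdAt": "2024-08-01T00:00:00.000Z"},
  {"id": "00000000-0000-0000-0000-000000000003", "name": "old-poc", "prefix": "veto_0000003",
   "scopes": ["read"], "expiresAt": "2025-12-31T23:59:59.000Z", "lastUsedAt": null,
   "createdAt": "2024-01-10T00:00:00.000Z"},
  {"id": "00000000-0000-0000-0000-000000000004", "name": "agent-gw", "prefix": "veto_0000004",
   "scopes": ["read"], "expiresAt": "2025-06-30T00:00:00.000Z",
   "lastUsedAt": "2024-11-15T08:00:00.000Z", "createdAt": "2024-10-01T00:00:00.000Z"}
]""")
SAMPLE_NOW = datetime(2024, 11, 15, 10, 0, tzinfo=timezone.utc)  # fixed clock for the sample

def parse_ts(value):
    """Parse an ISO 8601 timestamp with a trailing Z; null (None) stays None."""
    return None if value is None else datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_keys(keys, now, stale_after=timedelta(days=90), expiring_within=timedelta(days=14)):
    """Return {key id: [findings]} for keys that need review. Thresholds are assumptions."""
    report = {}
    for k in keys:
        findings = []
        expires, last_used = parse_ts(k["expiresAt"]), parse_ts(k["lastUsedAt"])
        if expires is None:
            # A non-expiring key is a standing credential; worst when it carries admin scope.
            findings.append("admin-no-expiry" if "admin" in k["scopes"] else "no-expiry")
        elif expires <= now:
            # Assumption: expired keys can still appear in the list until deleted.
            findings.append("expired")
        elif expires - now <= expiring_within:
            findings.append("expiring-soon")  # rotate: create the new key before deleting
        # Idle time counts from last use, or from creation if the key was never used.
        idle_since = last_used or parse_ts(k["createdAt"])
        if now - idle_since > stale_after:
            findings.append("never-used" if last_used is None else "stale")
        if findings:
            report[k["id"]] = findings
    return report

if __name__ == "__main__":
    for key_id, findings in audit_keys(SAMPLE, SAMPLE_NOW).items():
        print(key_id, ", ".join(findings))
```

The report is keyed by id because that is the value DELETE /v1/api-keys/:id takes when a flagged key is revoked.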

DELETE /v1/api-keys/:id

Revoke an API key. The key is immediately invalidated — any subsequent requests using it will return 401.
Requires an API key with the admin scope.
When rotating keys, create the new key first and update your services before deleting the old key. Deleting first will cause authentication failures until the new key is deployed.
Returns 204 No Content on success, or 404 with API_KEY_NOT_FOUND.
Example request for POST /v1/api-keys:
curl --request POST \
  --url https://api.veto.tools/v1/api-keys \
  --header 'Authorization: Bearer veto_your_api_key' \
  --header 'Content-Type: application/json' \
  --data '{
    "name": "Production deployment",
    "scopes": ["admin"],
    "expiresAt": "2025-12-31T23:59:59Z"
  }'
Example response (201):
{
  "id": "k7e8f9a0-b1c2-3456-def0-123456789012",
  "name": "Production deployment",
  "prefix": "veto_a1b2c3d4",
  "scopes": ["admin"],
  "expiresAt": "2025-12-31T23:59:59.000Z",
  "createdAt": "2024-11-15T10:00:00.000Z",
  "key": "veto_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4"
}