🔐Access AuthZ APIs

Automate user provisioning, access grants, and de-provisioning across enterprise applications using Veza's unified REST API.

Overview

Delivered as a unified REST API, Veza Access AuthZ empowers developers and system administrators to automate last-mile provisioning and de-provisioning across diverse enterprise environments. These Access Request APIs eliminate the need to develop integrations one at a time between your systems and target applications, enabling rapid time-to-value, reduced manual errors, and strengthened identity security.

Access AuthZ works with native integrations (Active Directory, Azure AD, Okta, Snowflake, AWS), SCIM-compatible systems, and custom applications using Veza's Open Authorization API (OAA) framework. The APIs support both standalone direct access automation and integration with Veza Lifecycle Management for policy-driven access grants.

Key benefits include automated provisioning and de-provisioning to minimize attack surface, unified REST API endpoints that simplify integrations, comprehensive application support for leading platforms, and flexibility for custom and legacy applications.

Use cases span Day 1 productivity for new employees, elimination of orphaned accounts for terminated users, and just-in-time access for contractors and guest workers. The APIs follow consistent patterns whether managing direct access requests or integrating with broader lifecycle management policies.

Get Started

The following topics can help you familiarize yourself with Access AuthZ concepts and workflows:

Prerequisites

Before using Access AuthZ APIs, ensure your Veza environment is properly configured. See Prerequisites and Setup for complete requirements including:

  • Target integrations enabled for Lifecycle Management

  • Access Requests enabled

  • "Grant without approval" enabled (for automatic execution)

  • An Admin token for API access

How It Works

Direct Access Request APIs

Endpoint: POST /api/private/lifecycle_management/access_requests

These requests act directly on supported target systems without requiring a full Lifecycle Management configuration involving Policies and Access Profiles. Instead, the API request itself specifies the exact users, groups, and entitlements to modify.

For detailed API schemas and examples, see the related endpoint documentation:

Direct API calls use Veza Access Graph data to identify the entities (e.g., users or groups) to modify. They work with any integration that supports Lifecycle Management Actions.

Supported Target Systems:

Access AuthZ works with:

  • Native integrations: Active Directory, Azure AD, Okta, Snowflake, AWS, and many others

  • SCIM-compatible systems: Any application supporting the SCIM v2 protocol

  • Custom applications: Using Veza's Open Authorization API (OAA) framework

See Target Application Support for the complete list of supported integrations and target entity types.

Basic Request Pattern

A common use case is to grant a user access to specific groups. Here is an example for a SCIM integration to add a user to a group:

Example Request:

curl -X POST "https://your-instance.vezacloud.com/api/private/lifecycle_management/access_requests" \
  -H "authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "request_type": "GRANT",
    "request_source": "ACCESS_REQUEST",
    "reason": "User needs access to project resources",
    "datasource_id": "0198cfaf-1f97-7698-a760-05b98833ffd3",
    "assignee_entity_type": "OAA.SCIM.User",
    "assignee_entity_id": "custom_provider:application:demo-scim:user:a1b2c3d4-e5f6-7890-abcd-ef1234567890",
    "target_entity_type": "OAA.SCIM.Group",
    "target_entity_ids": [
      "custom_provider:application:demo-scim:group:f9e8d7c6-b5a4-3210-9876-543210fedcba"
    ]
  }'

Example Response:

{
  "value": {
    "id": "0198cfb4-0adb-740b-8e2d-7a7c09044996",
    "state": "PLAN_SELECTED",
    "request_type": "GRANT",
    "reason": "User needs access to project resources",
    "assignee_entity_id": "custom_provider:application:demo-scim:user:a1b2c3d4-e5f6-7890-abcd-ef1234567890",
    "assignee_entity_name": "Jane Smith",
    "assignee_entity_type": "OAA.SCIM.User",
    "target_entity_names": ["Project Team"],
    "entitlements": [
      {
        "entity_type": "OAA.SCIM.Group",
        "entity_id": "custom_provider:application:demo-scim:group:f9e8d7c6-b5a4-3210-9876-543210fedcba"
      }
    ],
    "created_at": "2025-08-22T02:50:45.123456789Z"
  }
}

The response includes the assignee_entity_id, which can be used for subsequent operations on this user.

Note: Replace the placeholder IDs (datasource_id, assignee_entity_id, target_entity_ids) with actual IDs from your Veza instance. The Quick Start Tutorial shows how to find these IDs through the APIs, and the FAQ covers provider management APIs for discovering LCM datasources.

Request Monitoring

Once a request is created, the job is queued and runs asynchronously. You can track the progress of the request and wait for it to complete.

Use GetAccessRequest to retrieve the request status.

To monitor status, poll the request and check the state field in the response until it reaches a terminal state:

Terminal States:

  • COMPLETED - Access successfully granted/revoked

  • ERRORED - Request failed (check error_message field for details)

  • CANCELED - Request was canceled

  • REJECTED - Request was rejected

  • JIT_REVOKED - Just-in-time access was revoked

In-Progress States:

  • INITIAL - Request has been created

  • WAITING_FOR_APPROVAL - Request awaiting approval

  • NEEDS_MORE_INFORMATION - Approver requested more information

  • PLAN_SELECTED - Request is processing

  • EXTERNAL_RUNNING - External system is processing request
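
A polling loop over the states listed above, as an added example (not Veza's own code). `fetch` is a hypothetical caller-supplied function that wraps GetAccessRequest and returns the decoded JSON body; stopping on the approval states by default and the backoff values are choices made for this example.

```python
import time

# State names are taken from the lists above.
TERMINAL = {"COMPLETED", "ERRORED", "CANCELED", "REJECTED", "JIT_REVOKED"}
IN_PROGRESS = {"INITIAL", "WAITING_FOR_APPROVAL", "NEEDS_MORE_INFORMATION",
               "PLAN_SELECTED", "EXTERNAL_RUNNING"}
# These in-progress states wait on a person, so an unattended job would hang.
NEEDS_HUMAN = {"WAITING_FOR_APPROVAL", "NEEDS_MORE_INFORMATION"}


class AccessRequestFailed(Exception):
    """The request ended, or stalled, without reaching COMPLETED."""


def wait_for_access_request(fetch, request_id, timeout=300.0, interval=2.0,
                            max_interval=30.0, wait_for_humans=False,
                            sleep=time.sleep, clock=time.monotonic):
    """Poll until the request is terminal; return it only if COMPLETED.

    fetch(request_id) is a hypothetical wrapper around GetAccessRequest that
    returns the decoded response body, shaped like {"value": {...}}.
    """
    deadline = clock() + timeout
    while True:
        req = fetch(request_id).get("value", {})
        state = req.get("state")
        if state == "COMPLETED":
            return req
        if state in TERMINAL:
            # Terminal is not the same as successful: a revocation that
            # ended ERRORED means the access is still in place.
            detail = req.get("error_message") or "no error_message"
            raise AccessRequestFailed(f"{request_id}: {state} ({detail})")
        if state in NEEDS_HUMAN and not wait_for_humans:
            raise AccessRequestFailed(f"{request_id}: blocked in {state}")
        if state not in IN_PROGRESS:
            # Fail closed on a state this code does not know about.
            raise AccessRequestFailed(f"{request_id}: unknown state {state!r}")
        if clock() >= deadline:
            raise AccessRequestFailed(f"{request_id}: timed out in {state}")
        sleep(interval)
        interval = min(interval * 2, max_interval)  # exponential backoff
```

Callers that automate de-provisioning should treat `AccessRequestFailed` as "access may still exist" and alert on it rather than retrying silently.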

API Documentation

For more information, see the rest of the Access AuthZ API documentation. Expand the section on the left navigation to view all topics.
