LogoLogo
User GuideDeveloper DocumentationIntegrationsRelease Notes
  • 🏠Veza Documentation
  • ☑️Getting Started
  • 📖Veza Glossary
  • ❓Product FAQ
  • 🛡️Security FAQ
    • Advanced Security FAQ
  • Release Notes
    • 🗒️Release Notes
      • Release Notes: 2025-05-28
      • Release Notes: 2025-05-14
      • Release Notes: 2025-04-30
      • Release Notes: 2025-04-16
      • Release Notes: 2025-04-02
      • Release Notes: 2025-03-19
      • Archive
        • 2024.9.23
        • 2024.9.16
        • 2024.9.9
        • 2024.9.2
        • 2024.8.26
        • 2024.8.19
        • 2024.8.12
        • 2024.8.5
        • 2024.7.29
        • 2024.7.22
        • 2024.7.15
        • 2024.7.1
        • 2024.6.24
        • 2024.6.17
        • 2024.6.10
        • 2024.6.3
        • 2024.5.27
        • 2024.5.20
        • 2024.5.13
        • 2024.5.6
        • 2024.4.29
        • 2024.4.22
        • 2024.4.15
        • 2024.4.8
        • 2024.4.1
        • 2024.3.25
        • 2024.3.18
        • 2024.3.11
        • 2024.3.4
        • 2024.2.26
        • 2024.2.19
        • 2024.2.12
        • 2024.2.5
        • 2024.1.29
        • 2024.1.22
        • 2024.1.15
        • 2024.1.8
        • 2024.1.1
        • 2023.12.18
        • 2023.12.11
        • 2023.12.4
        • 2023.11.27
        • 2023.11.20
        • 2023.11.13
        • 2023.11.6
        • 2023.10.30
        • 2023.10.23
        • 2023.10.16
        • 2023.10.9
        • 2023.10.2
        • 2023.9.25
        • 2023.9.18
        • 2023.9.11
        • 2023.9.4
        • 2023.8.28
        • 2023.8.21
        • 2023.8.14
        • 2023.8.7
        • 2023.7.31
        • 2023.7.24
        • 2023.7.17
        • 2023.7.10
        • 2023.7.3
        • 2023.6.26
        • 2023.6.19
        • 2023.6.12
        • 2023.6.5
        • 2023.5.29
        • 2023.5.22
        • 2023.5.15
        • 2023.5.8
        • 2023.5.1
        • 2023.4.24
        • 2023.4.17
        • 2023.4.10
        • 2023.4.3
        • 2023.3.27
        • 2023.3.20
        • 2023.3.13
        • 2023.3.6
        • 2023.2.27
        • 2023.2.20
        • 2023.2.13
        • 2023.2.6
        • 2023.1.30
        • 2023.1.23
        • 2023.1.16
        • 2023.1.9
        • 2023.1.2
        • 2022.12.12
        • 2022.12.5
        • 2022.11.28
        • 2022.11.14
        • 2022.11.7
        • 2022.10.31
        • 2022.10.24
        • 2022.10.17
        • 2022.10.1
        • 2022.6.2
        • 2022.6.1
        • 2022.5.1
        • 2022.4.1
        • 2022.3.1
  • Features
    • 🔎Access Visibility
      • Graph
      • Query Builder
      • Saved Queries
      • Filters
      • Query Mode
      • Intermediate Entities
      • Regular Expressions
      • Tags
      • Tagged Entity Search
      • Assumed AWS IAM Roles
      • Veza Query Language
        • Quick Start
        • Syntax
        • VQL API
    • 💡Access Intelligence
      • Overview
      • Dashboards
        • Reports
        • Scheduled Exports of Query Results via a Secure Email Link
      • Risks
      • Analyze
      • Compare
      • Rules and Alerts
      • Entities
      • NHI Identify Classification Logic
      • NHI Secrets
    • 🔏Access Reviews
      • Get Started: Access Reviewers
      • Get Started: Review Operators
      • Access Review Tasks
        • Assign Reviewers
        • Create a Configuration
        • Create a Review
        • Draft Reviews
        • Edit a Configuration
        • Filters and Bulk Actions
        • Manage Access Reviews
        • Using the Reviewer Interface
        • Row Grouping for Access Reviews
        • Schedule an Access Review
      • Access Review Configuration
        • Access Reviews Query Builder
        • Access Reviews Global Settings
        • Configuring a Global Identity Provider
          • Alternate Manager Lookup
        • Customizing Default Columns
        • Email Notifications and Reminders
        • Identity Provider and HRIS Enrichment
        • Entity Owners and Resource Manager Tags
        • Multi-Level Review
        • 1-Step Access Reviews
        • On-Demand Reviews
        • Veza Actions for Access Reviews
        • Review Intelligence Policies
        • Review Presentation Options
        • Reviewer Selection Methods
        • Reviewer Digest Notifications
      • Access Review Scenarios
        • Access Reviews: Active Directory Security Groups
        • Access Reviews: Okta App Assignments
        • Access Reviews: Okta Group Membership
        • Access Reviews: Okta Admin Roles
        • Access Reviews: Azure AD Roles
        • Access Reviews with Saved Queries
        • Source-Only Access Reviews
    • 📊Access Monitoring
    • 🔄Lifecycle Management
      • Implementation and Core Concepts
      • Access Profiles
      • Policies
      • Conditions and Actions
      • Attribute Sync and Transformers
        • Lookup Tables
      • Integrations
        • Active Directory
        • Exchange Server
        • Okta
        • Salesforce
        • Workday
    • ⚖️Separation of Duties (SoD)
      • Managing SoD Risks with Veza
      • Creating SoD Detection Queries
      • Analyzing Separation of Duties Query Results
      • Example Separation of Duties Queries
      • SoD Manager Assignment
      • Access Reviews for SoD
  • Integrations
    • ✨Veza Integrations
      • Adobe Enterprise
      • Amazon Web Services
        • Add Existing AWS Accounts
        • Automatically Add New AWS Accounts
        • AWS DynamoDB
        • AWS KMS
        • AWS RDS MySQL
        • AWS RDS PostgreSQL
        • AWS Redshift
        • Activity Monitoring for AWS
        • Using AWS Secrets Manager for RDS Extraction
        • Notes & Supported Entities
      • Anaplan
      • Atlassian Cloud Products
      • Auth0
      • BambooHR
      • Bitbucket Data Center
      • BlackLine
      • Beeline
      • Boomi
      • Box
      • Bullhorn
      • Cassandra
      • Cisco Duo
      • Clickhouse
      • Concur
      • Confluence Server
      • Confluent
      • Coupa
      • Coupa Contingent Workforce
      • Crowdstrike Falcon
      • CSV Upload
        • CSV Upload Examples
        • CSV Upload Troubleshooting
        • CSV Upload API
      • Databricks (Single Workspace)
      • Databricks (Unity Catalog)
      • Delinea Secret Server
      • Device42
      • DocuSign
      • Dropbox
      • Egnyte
      • Expensify
      • Exchange Online (Microsoft 365)
      • Fastly
      • Google Cloud
        • Check Google Cloud Permissions
        • Notes & Supported Entities
      • Google Drive
      • GitHub
      • GitLab
      • HashiCorp Vault
      • HiBob
      • Hubspot
      • IBM Aspera
      • iManage
      • Ivanti Neurons
      • Jamf Pro
      • Jenkins
      • JFrog Artifactory
      • Jira Data Center
      • Kubernetes
      • LastPass
      • Looker
      • MongoDB
      • Microsoft Active Directory
      • Microsoft Azure
        • Azure SQL Database
        • Azure PostgreSQL Database
        • Microsoft Dynamics 365 CRM
        • Microsoft Dynamics 365 ERP
        • Notes & Supported Entities
      • Microsoft Azure AD
      • Microsoft SharePoint Online
      • Microsoft SharePoint Server
      • Microsoft SQL Server
      • MuleSoft
      • MySQL
      • NetSuite
      • New Relic
      • Okta
        • Okta MFA status
      • OneLogin
      • OpenAI
      • Oracle Cloud Infrastructure
      • Oracle Database
      • Oracle Database (AWS RDS)
      • Oracle E-Business Suite (EBS)
      • Oracle EPM
      • Oracle Fusion Cloud
      • Oracle JD Edwards EnterpriseOne
      • PagerDuty
      • Palo Alto Networks SASE/Prisma Access
      • PingOne
      • PostgreSQL
      • Power BI
      • Privacera
      • PTC Windchill
      • Qualys
      • QNXT
      • Ramp
      • Redis Cloud
      • Rollbar
      • Salesforce
      • Salesforce Commerce Cloud
      • SCIM integration
      • ServiceNow
      • Slack
      • Smartsheet
      • Snowflake
        • Snowflake Native Application
        • Snowflake Row Access Policies
        • Snowflake Masking Policies
        • Exporting Saved Query Results to Snowflake
        • Audit Log Export
        • Event Export
      • Solarwinds
      • Spotio
      • Sumo Logic
      • Tableau Cloud
      • Teleport
      • Terraform
      • ThoughtSpot
      • Trello
      • Trino (PrestoSQL)
      • UKGPro
      • Veza
      • Windows Server
        • Enterprise Deployment
      • Workato
      • Workday
      • YouTrack
      • Zendesk
      • Zip
      • Zoom
      • Zscaler
      • 1Password
    • 🎯Integrations Overview
    • ⚠️Prerequisites and Connectivity
      • Insight Point
        • Deploying an Insight Point using the install script
        • Deploy with AWS EC2
        • Deploy with Virtual Appliance
          • Deploy with Virtual Appliance (Legacy)
        • Deploy with Azure Container Instances
        • Insight Point (Helm Chart)
      • Certificates with OpenSSL
    • ⚙️Configuring Integrations
      • Integrations FAQ
      • Extraction and Discovery Intervals
      • Custom Identity Mappings
      • Limiting Extractions
      • Enrichment Rules
      • ℹ️Running Veza Scripts with Python
  • Administration
    • 🛠️Veza Administration
      • Securing Your Veza Tenant
      • Veza Actions
        • Slack
        • ServiceNow
        • Jira
        • Webhooks
      • Virtual Private Veza
      • System Events
      • Sign-In Settings
        • Single Sign-On with Okta
        • Single Sign-On with Okta (OIDC)
        • Single Sign-On with Microsoft Entra
      • User Management
        • Multi-factor Authentication
        • Team Management
        • Support User Access
  • Developers
    • 🌐Veza APIs
      • Authentication
      • Troubleshooting
      • Pagination
      • Open Authorization API
        • Getting Started
        • Core Concepts
          • Connector Requirements
          • Using OAA Templates
          • Providers, Data Sources, Names and Types
          • Sourcing and Extracting Metadata
          • Naming and Identifying OAA Entities
          • Modeling Users, Permissions, and Roles
          • Custom Properties
          • Tagging with OAA
          • Cross Service IdP Connections
          • Incremental Updates
        • OAA Push API
          • OAA Operations
        • OAA Templates
          • Custom Application
          • Custom Identity Provider
          • Custom HRIS Provider
        • OAA .NET SDK
          • C# OAA Application Connector
        • OAA Python SDK
          • Application Outline
          • oaaclient modules
            • Client
            • Structures
            • Templates
            • Utils
        • Sample Apps
        • Example Connectors
      • Integration APIs
        • Enable/Disable Providers
        • Cloud Platforms and Data Providers
        • Identity Providers
        • Data Sources
        • Sync and Parse Status
      • Query APIs
        • Quick Start
        • Query Builder Terminology
        • Query Builder Parameters
        • Query Builder Results
        • List saved queries
        • Save a query
        • Get a saved query
        • Update a query
        • Delete a query
        • Get query node destinations
        • Get query nodes
        • Get query result
        • Get query spec node destinations
        • Get query spec nodes
        • Get query spec results
        • Private APIs
          • Get Access Relationship
          • Role Existence
          • Role Maintenance
          • Cohort Role Analysis
        • Tags
          • Create, Add, Remove Tag
          • Promoted Tags
      • Access Reviews APIs
        • Workflow Parameters Reference
        • List Workflows
        • List Certifications
        • List Certification Results
        • Update Certification Result
        • Force Update Result
        • Update Webhook Info
        • Get Certification Result
        • Manage Reviewer Deny List
        • Quick Filters
        • Help Page Templates
        • Smart Action Definitions
        • Delegate Reviewers
        • List Reviewer Infos
        • Get Access Graph
        • Automations API
        • Global Settings APIs
      • System Audit Logs
      • System Events
      • Notification Templates
        • Notification Templates API
      • Team and User Management APIs
        • Team API Keys
      • SCIM Provisioning
        • SCIM API Reference
        • SCIM Provisioning with Okta
  • Product Updates
    • 🆕Product Updates
      • Product Update: April'25
      • Product Update: March'25
      • Product Update: February'25
      • UX Update - Integration Management
      • Product Update: January'25
      • Product Update: December'24
      • Product Update: November'24
      • Product Update: October'24
      • Product Update: September'24
      • Product Update: August'24
      • UX Update: Veza Integrations
      • Product Update: July'24
      • Product Update: June'24
      • Product Update: May'24
      • Product Update: April'24
      • UX Update - Enhanced Reviewer Experience for Veza Access Reviews
      • Product Update: March'24
      • Product Update: February'24
      • Design Update: February'24
      • UX Update - New Navigation Experience
      • UX Update - Access Review Dashboards
      • Building Veza’s Platform and Products
      • Veza Product Update - Jan'24
      • Veza Product Update - 2H 2023
      • Veza Product Update - December'23
      • Veza Product Update - November'23
      • Veza Product Update - October'23
      • Veza Product Update - September'23
      • Veza Product Update - August'23
      • Veza Product Update - July'23
      • Veza Product Update - June'23
      • Veza Product Update - May'23
      • Veza Product Update - April'23
      • Veza Product Update - March'23
      • Veza Product Update - Feb'23
      • Veza Product Update - Jan'23
Powered by GitBook
On this page

Was this helpful?

Export as PDF
  1. Developers
  2. Veza APIs
  3. Team and User Management APIs

Team API Keys

PreviousTeam and User Management APIsNextSCIM Provisioning

Last updated 8 months ago

Was this helpful?

Overview

Team API keys are designed for service accounts that manage Open Authorization API (OAA) integrations assigned to a team. Similar to personal API keys, these keys authenticate API requests, and can be revoked or reinstated to control programmatic access to Veza. Each key is associated with a single team and has the oaa_push role, restricted to specific read and write operations for creating and updating OAA data sources.

Team API keys are limited to the following operations:

Administrators can create and manage team API keys using the endpoints documented below. Note that Team API Keys are currently provided as an early access feature, and /preview/ API operations are subject to change as capabilities are added or modified.

List Team API Keys

Method: GET Endpoint: /api/preview/teamkeys

Returns API key details such as last activity time and status. If the query includes a team_id filter expression, only keys for that team are listed.

Example Request:

curl -X GET "https://<base-url>/api/preview/teamkeys?filter=team_id+eq+%2260437fa0-15ab-4c1f-a211-010543ac8a89%22" \
 -H "accept: application/json"

Example Response:

{
  "values": [
    {
      "id": "54807783-c5ec-4efd-9d1b-853bada658dd",
      "access_key": "",
      "name": "AWS Team Key",
      "created_at": "2024-06-25T08:30:17.087351612Z",
      "last_access_at": "2024-06-25T08:30:17.087351612Z",
      "status": "ACTIVE",
      "team_id": "60437fa0-15ab-4c1f-a211-010543ac8a89"
    }
  ],
  "next_page_token": ""
}

Create Team API Key

Method: POST Endpoint: /api/preview/teamkeys

Create an API key by providing a key name and team team_id. The response includes the access_key, which cannot be retrieved again.

Example Request:

curl -X POST "https://<base-url>/api/preview/teamkeys" \
 -H "accept: application/json" \
 -H "content-type: application/json" \
 -d '{"name":"New Team API Key","team_id":"60437fa0-15ab-4c1f-a211-010543ac8a89"}'

Example Response:

{
  "value": {
    "id": "7ddd5e0c-29cd-41c5-b41f-884b2d24b05d",
    "access_key": "<access key>",
    "name": "New Team API Key",
    "created_at": "2024-08-26T21:29:59.409761363Z",
    "last_access_at": "2024-08-26T21:29:59.409761363Z",
    "status": "ACTIVE",
    "team_id": "60437fa0-15ab-4c1f-a211-010543ac8a89"
  }
}

Remove Team API Key

Method: DELETE Endpoint: /api/preview/teamkeys/{id}

Permanently delete a team API key.

Example Request:

curl -X DELETE "https://<base-url>/api/preview/teamkeys/7ddd5e0c-29cd-41c5-b41f-884b2d24b05d" \
 -H "accept: application/json"

Example Response:

{
  "value": {
    "id": "7ddd5e0c-29cd-41c5-b41f-884b2d24b05d",
    "access_key": "",
    "name": "Updated API Key",
    "created_at": "2024-08-26T21:29:59.409761363Z",
    "last_access_at": "2024-08-26T21:29:59.409761363Z",
    "status": "INACTIVE",
    "team_id": "60437fa0-15ab-4c1f-a211-010543ac8a89"
  }
}

Revoke Team API Key

Method: POST Endpoint: /api/preview/teamkeys/{id}:revoke

Suspend usage of a team API key, changing the status to INACTIVE.

Example Request:

curl -X POST "https://<base-url>/api/preview/teamkeys/7ddd5e0c-29cd-41c5-b41f-884b2d24b05d:revoke" \
 -H "accept: application/json"

Example Response:

{}

Reinstate Team API Key

Method: POST Endpoint: /api/preview/teamkeys/{id}:reinstate

Reinstates a previously revoked team API key, changing the status to ACTIVE.

Example Request:

curl -X POST "https://<base-url>/api/preview/teamkeys/7ddd5e0c-29cd-41c5-b41f-884b2d24b05d:reinstate" \
 -H "accept: application/json"

Example Response:

{}

Update Team API Key

Method: PATCH Endpoint: /api/preview/teamkeys/{value.id}

Use this operation to update the display name of a team API key.

Example Request:

curl -X PATCH "https://<base-url>/api/preview/teamkeys/7ddd5e0c-29cd-41c5-b41f-884b2d24b05d" \
 -H "accept: application/json"\
 -H "content-type: application/json" \
 -d '{"name":"Updated API Key"}'

Example Response:

{
  "value": {
    "id": "7ddd5e0c-29cd-41c5-b41f-884b2d24b05d",
    "access_key": "",
    "name": "Updated API Key",
    "created_at": "2024-08-26T21:29:59.409761363Z",
    "last_access_at": "2024-08-26T21:29:59.409761363Z",
    "status": "ACTIVE",
    "team_id": "60437fa0-15ab-4c1f-a211-010543ac8a89"
  }
}

Note: When using a personal API key for a , the team_id filter is automatically applied. Only root team administrators can view keys across all teams.

🌐
Create Custom Provider Data Source
Push Custom Provider Data Source
Delete Custom Provider Data Source
Get Custom Provider Data Source
List Custom Provider Templates
List Custom Providers
List Custom Provider Data Sources
Push Custom Provider CSV Data Source
non-root team
Get User

List API keys for teams

get
Authorizations
Query parameters
filterstringOptional

[team_id] String to filter API keys belonging to a specific team. If empty, list all team keys in scope

page_sizeinteger · int32Optional
page_tokenstringOptional
Responses
200
OK
application/json
default
Default error response
application/json
get
GET /api/preview/teamkeys HTTP/1.1
Host: 
Authorization: Bearer Bearer <API key>
Accept: */*
{
  "values": [
    {
      "id": "text",
      "access_key": "text",
      "name": "text",
      "created_at": "2025-05-29T09:58:41.842Z",
      "last_access_at": "2025-05-29T09:58:41.842Z",
      "status": 1,
      "team_id": "text",
      "team_name": "text"
    }
  ],
  "next_page_token": "text"
}

Remove team API Key

delete
Authorizations
Path parameters
idstringRequired
Responses
200
OK
application/json
default
Default error response
application/json
delete
DELETE /api/preview/teamkeys/{id} HTTP/1.1
Host: 
Authorization: Bearer Bearer <API key>
Accept: */*
{
  "value": {
    "id": "text",
    "access_key": "text",
    "name": "text",
    "created_at": "2025-05-29T09:58:41.842Z",
    "last_access_at": "2025-05-29T09:58:41.842Z",
    "status": 1,
    "team_id": "text",
    "team_name": "text"
  }
}

Revoke team API Key

post
Authorizations
Path parameters
idstringRequired
Responses
200
OK
application/json
Responseobject
default
Default error response
application/json
post
POST /api/preview/teamkeys/{id}:revoke HTTP/1.1
Host: 
Authorization: Bearer Bearer <API key>
Accept: */*
{}

Reinstate a revoked team API Key

post
Authorizations
Path parameters
idstringRequired
Responses
200
OK
application/json
Responseobject
default
Default error response
application/json
post
POST /api/preview/teamkeys/{id}:reinstate HTTP/1.1
Host: 
Authorization: Bearer Bearer <API key>
Accept: */*
{}
  • Overview
  • List Team API Keys
  • GETList API keys for teams
  • Create Team API Key
  • POSTCreate a new team API key for a service account
  • Remove Team API Key
  • DELETERemove team API Key
  • Revoke Team API Key
  • POSTRevoke team API Key
  • Reinstate Team API Key
  • POSTReinstate a revoked team API Key
  • Update Team API Key
  • PATCHUpdate team API key metadata

Create a new team API key for a service account

post
Authorizations
Body
namestringOptional

Human friendly name

team_idstringOptional

Service account's team ID

Responses
200
OK
application/json
default
Default error response
application/json
post
POST /api/preview/teamkeys HTTP/1.1
Host: 
Authorization: Bearer Bearer <API key>
Content-Type: application/json
Accept: */*
Content-Length: 32

{
  "name": "text",
  "team_id": "text"
}
{
  "value": {
    "id": "text",
    "access_key": "text",
    "name": "text",
    "created_at": "2025-05-29T09:58:41.842Z",
    "last_access_at": "2025-05-29T09:58:41.842Z",
    "status": 1,
    "team_id": "text",
    "team_name": "text"
  }
}

Update team API key metadata

patch
Authorizations
Path parameters
value.idstringRequired
Query parameters
update_maskstring · field-maskOptional
Body

API Key

idstringOptional

The unique identifier of this API key.

access_keystringRead-onlyOptional

Base64 encoded access token. Only available when creating a key

namestringOptional

User provided name for this key

created_atstring · date-timeRead-onlyOptional

ISO-8601 timestamp of when this key was created

last_access_atstring · date-timeRead-onlyOptional

ISO-8601 timestamp of when this key was last updated

statusinteger · enumRead-onlyOptional

Status of the key. Key is ACTIVE or INACTIVE. API keys can only be used when they are ACTIVE

team_idstringOptional

Team ID that this key belongs to

team_namestringRead-onlyOptional

Team Name that this key belongs to

Responses
200
OK
application/json
default
Default error response
application/json
patch
PATCH /api/preview/teamkeys/{value.id} HTTP/1.1
Host: 
Authorization: Bearer Bearer <API key>
Content-Type: application/json
Accept: */*
Content-Length: 44

{
  "id": "text",
  "name": "text",
  "team_id": "text"
}
{
  "value": {
    "id": "text",
    "access_key": "text",
    "name": "text",
    "created_at": "2025-05-29T09:58:41.842Z",
    "last_access_at": "2025-05-29T09:58:41.842Z",
    "status": 1,
    "team_id": "text",
    "team_name": "text"
  }
}