Custom Application with Send REST Payload (OAA)

Route Send REST Payload actions through Insight Points for custom OAA integrations

Overview

Lifecycle Management supports three integration pathways for custom applications. This document covers configuring the OAA Write Framework pathway with Insight Point routing for Send REST Payload actions.

When using the Send REST Request action in Lifecycle Management workflows, requests execute from the Veza control plane by default. For target APIs that are on-premises or behind a firewall, you can configure a Custom Provider (OAA integration) to route requests through an Insight Point agent instead.

This configuration enables:

  • On-premises API access: Call internal APIs that aren't accessible from the public internet

  • Network isolation: Route requests through your own infrastructure for security compliance

  • Hybrid deployments: Mix cloud-based and on-premises targets in the same workflow

When to Use This Configuration

You DO NOT need this configuration if:

  • Your target API is publicly accessible

  • You're calling cloud services (SaaS APIs, webhooks)

  • Your Send REST Payload actions work without selecting a data source

You NEED this configuration if:

  • Your target API is on-premises or in a private network

  • The API is only accessible from specific network locations

  • You need requests to originate from an Insight Point agent

How It Works

[Diagram: Without Data Source (Default)]

[Diagram: With Data Source (Insight Point Routing)]

When a Custom Provider is configured with external_lifecycle_management_type: SEND_REST_PAYLOAD:

  1. The provider's data source appears in the Send REST Payload action's Data Source dropdown

  2. Selecting it routes the HTTP request through the associated Insight Point

  3. The Insight Point agent executes the request from within your network

Configuration

This setting is configured via the Veza REST API. It is not currently available in the Veza UI. The provider configuration only sets up Insight Point routing—the actual request URL, HTTP method, payload, and authentication are configured per-action in the policy editor.

Insight Point Required: You must have a deployed Insight Point before configuring this feature. Find your Insight Point ID in the Veza UI at Integrations > Insight Points.

Create Custom Provider with Send REST Payload Support

Update Existing Custom Provider

Required Fields

| Field | Required | Description |
| --- | --- | --- |
| name | Yes | Display name for the Custom Provider |
| custom_template | Yes | OAA template type (typically application) |
| provisioning | Yes | Must be true to enable Lifecycle Management |
| external_lifecycle_management_type | Yes | Set to SEND_REST_PAYLOAD to enable routing |
| data_plane_id | Yes | Insight Point ID (UUID) to execute requests (create only). Find at Integrations > Insight Points in the UI. |

Validation Rules

  • Provisioning required: provisioning must be true when setting external_lifecycle_management_type

  • No internal app name: external_lifecycle_management_type cannot be used together with internal_app_name (these are mutually exclusive)

  • No configuration_json: Unlike SCIM configuration, Send REST Payload does not use configuration_json. Including it in the request will cause a validation error. Authentication is configured per-action using the Authorization Header setting or REST Auth Credentials.

  • Cannot change type while in use: external_lifecycle_management_type cannot be changed while the provider is referenced by Lifecycle Management policies. Remove the provider from all policies before changing this field.
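
A local pre-flight check for a provider request body, applying the required fields and validation rules above before the request is sent. This is an added example, not Veza's code: field names and the three quoted error strings come from this page, while the function name, the other messages, the provider name and the UUID are constructed for illustration.

```python
import uuid

LCM_TYPE = "SEND_REST_PAYLOAD"

def preflight(body, creating=True, current_type=None, in_use_by_lcm=False):
    """Return rule violations for a Custom Provider body (empty list = OK)."""
    errors = []
    lcm_type = body.get("external_lifecycle_management_type")
    if creating:
        errors += [f"{field}: missing required field"        # constructed wording
                   for field in ("name", "custom_template") if not body.get(field)]
    if lcm_type is not None:
        if body.get("provisioning") is not True:
            errors.append("external_lifecycle_management_type requires provisioning to be true")
        if "internal_app_name" in body:                       # mutually exclusive
            errors.append("internal_app_name cannot be combined with "
                          "external_lifecycle_management_type")  # constructed wording
        if "configuration_json" in body:                      # auth is set per action
            errors.append("configuration_json is not accepted for SEND_REST_PAYLOAD")  # constructed
    if creating and lcm_type == LCM_TYPE:
        data_plane_id = body.get("data_plane_id")
        if not data_plane_id:
            errors.append("data_plane_id: Cannot be empty")
        else:
            try:
                uuid.UUID(str(data_plane_id))                 # Insight Point ID is a UUID
            except ValueError:
                errors.append("data_plane_id: not a UUID")    # constructed wording
    if (not creating and in_use_by_lcm
            and lcm_type is not None and lcm_type != current_type):
        errors.append("cannot change external_lifecycle_management_type "
                      "while provider is in use by LCM")
    return errors

# Constructed sample bodies; the UUID is a placeholder, not a real Insight Point ID.
GOOD = {"name": "onprem-hr-api", "custom_template": "application",
        "provisioning": True, "external_lifecycle_management_type": LCM_TYPE,
        "data_plane_id": "00000000-0000-4000-8000-000000000000"}
BAD = {"name": "onprem-hr-api", "custom_template": "application",
       "external_lifecycle_management_type": LCM_TYPE,
       "configuration_json": "{}"}

if __name__ == "__main__":
    for label, body in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, preflight(body) or "ok")
```
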

Using in Lifecycle Management Policies

Once configured, the Custom Provider's data source will appear in the Send REST Payload action configuration:

  1. In the policy editor, add a Send REST Payload action

  2. In the Data Source field, select your configured Custom Provider

  3. Configure the URL, method, headers, and payload as needed

  4. The request will route through the associated Insight Point

The Data Source field is optional. If left empty, requests execute directly from Veza's infrastructure. Only select a data source when you need Insight Point routing.

Combining with REST Auth Credentials

You can use REST Auth Credentials together with Insight Point routing:

  • REST Auth Credentials: Handle authentication (OAuth2, Bearer tokens, etc.)

  • Data Source selection: Routes the request through an Insight Point

These are independent configurations—REST Auth Credentials manage how to authenticate, while the data source controls where the request executes from.

Troubleshooting

Data Source Dropdown is Empty

If no data sources appear in the Send REST Payload action's Data Source dropdown:

  1. No providers configured: Verify you have at least one Custom Provider with external_lifecycle_management_type: SEND_REST_PAYLOAD

  2. Provisioning not enabled: Check that provisioning: true is set on the provider

  3. No data source created: Push an OAA payload to create a data source for the provider

Validation Error: "external_lifecycle_management_type requires provisioning to be true"

Include provisioning: true in your API request along with the external_lifecycle_management_type field.

Validation Error: "data_plane_id: Cannot be empty"

The data_plane_id is required when creating a provider with external_lifecycle_management_type: SEND_REST_PAYLOAD. Ensure you have a deployed Insight Point and include its ID in your create request.

Validation Error: "cannot change external_lifecycle_management_type while provider is in use by LCM"

The provider is referenced by one or more Lifecycle Management policies. Remove the provider from all policies before changing its external_lifecycle_management_type.

Request Fails from Insight Point

If requests fail when routed through an Insight Point:

  1. Network connectivity: Verify the Insight Point can reach the target API

  2. Firewall rules: Ensure outbound HTTPS is allowed from the Insight Point to the target

  3. DNS resolution: Confirm the target hostname resolves from the Insight Point's network

  4. TLS certificates: If using self-signed certificates, configure CA certificates appropriately
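
The four checks above as one script to run on the Insight Point host, reporting the first stage that fails. This is an added example, not part of Veza's tooling: the function name, the hostname and the CA bundle path are assumptions, and a TCP failure cannot by itself distinguish a routing problem from a firewall block.

```python
import socket
import ssl

def check_target(host, port=443, ca_file=None, timeout=3.0):
    """Return (stage, detail); stage is 'dns', 'tcp', 'tls' or 'ok'."""
    # DNS resolution: does the target hostname resolve from this network?
    try:
        addrs = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns", str(exc)

    # Network connectivity / firewall rules: can we open the outbound connection?
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "tcp", f"{addrs[0][4][0]}:{port} unreachable: {exc}"

    # TLS certificates: verify the chain, trusting a private CA only if one is
    # given. Verification is never disabled; pass the CA bundle instead.
    ctx = ssl.create_default_context(cafile=ca_file)
    try:
        with sock, ctx.wrap_socket(sock, server_hostname=host) as tls:
            return "ok", tls.version()
    except OSError as exc:  # ssl.SSLError and timeouts are OSError subclasses
        return "tls", str(exc)

if __name__ == "__main__":
    # Constructed target and CA path; replace with the API the action calls.
    stage, detail = check_target("api.internal.example", 443,
                                 ca_file=None, timeout=3.0)
    print(f"{stage}: {detail}")
```
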
