REST Auth Credentials

Configure reusable authentication for Send REST Request actions in Lifecycle Management

Overview

REST Auth Credentials provide centralized, reusable authentication configurations for Send REST Request actions in Lifecycle Management workflows. Instead of configuring authentication directly in each action, you can create named credential sets that multiple actions can reference.

Benefits:

Reuse: Share authentication across multiple Send REST Request actions
Security: Sensitive fields (passwords, tokens, secrets) are encrypted at rest
Centralized management: Update credentials in one place; all referencing actions use the latest configuration
Audit: Track credential usage and creation history

Supported Authentication Types

Auth Type

Description

Use Case

Header

Custom authorization header value

API keys, custom token formats

Basic

HTTP Basic authentication (username/password)

Legacy APIs, basic auth endpoints

Bearer

Bearer token authentication

JWT tokens, API tokens

Login to Bearer

Two-step: login request, then extract token from response

APIs requiring session-based auth

OAuth2

OAuth 2.0 client credentials flow

Modern APIs with OAuth2 support

None

No authentication header added

Public APIs, pre-authenticated endpoints

Configuring REST Auth Credentials

Using the Veza UI

Navigate to Lifecycle Management > Settings
Select the Rest Credentials tab
Click Create to add a new credential
Enter a Name for the credential
Select the Auth Type and fill in the required fields (see Auth Type Configuration)
Optionally set a default URL and HTTP Method (actions can override these values)
Click Save

The URL and HTTP Method fields on credentials are optional defaults. When a Send REST Request action specifies its own Webhook URL or HTTP Method, those values take precedence over the credential defaults.

Using the REST API

REST Auth Credentials are managed via the Lifecycle Management API:

Create a credential:

curl -X POST "https://{VEZA_URL}/api/private/lifecycle_management/rest_auth_credentials" \
  -H "Authorization: Bearer {API_KEY}" \
  -H "Content-Type: application/json" \
  --data '{
    "value": {
      "name": "My API Credential",
      "auth_type": "BEARER",
      "bearer_settings": {
        "token": "eyJhbGciOiJIUzI1NiIs..."
      },
      "url": "https://api.example.com/v1",
      "method": "POST"
    }
  }'

List credentials:

curl "https://{VEZA_URL}/api/private/lifecycle_management/rest_auth_credentials" \
  -H "Authorization: Bearer {API_KEY}"

Get a single credential:

curl "https://{VEZA_URL}/api/private/lifecycle_management/rest_auth_credentials/{CREDENTIAL_ID}" \
  -H "Authorization: Bearer {API_KEY}"

Update a credential:

curl -X PATCH "https://{VEZA_URL}/api/private/lifecycle_management/rest_auth_credentials/{CREDENTIAL_ID}" \
  -H "Authorization: Bearer {API_KEY}" \
  -H "Content-Type: application/json" \
  --data '{
    "value": {
      "id": "{CREDENTIAL_ID}",
      "name": "Updated Credential Name",
      "bearer_settings": {
        "token": "new-token-value"
      }
    }
  }'

Delete a credential:

curl -X DELETE "https://{VEZA_URL}/api/private/lifecycle_management/rest_auth_credentials/{CREDENTIAL_ID}" \
  -H "Authorization: Bearer {API_KEY}"

Credentials referenced by published policy versions cannot be deleted. Remove the credential reference from all actions in published policies first.

Auth Type Configuration

Header

Provides a custom authorization header value. Use this for API keys or non-standard token formats.

Field

Required

Description

full_value

Yes

Complete header value (e.g., ApiKey sk-prod-xyz)

The value is sent as the Authorization header on each request.

Basic

HTTP Basic authentication with username and password.

Field

Required

Description

user_name

Yes

Authentication username

password

Yes

Authentication password (encrypted at rest)

Veza constructs the Authorization: Basic {base64(username:password)} header automatically.

Bearer

Bearer token authentication.

Field

Required

Description

token

Yes

Bearer token value (encrypted at rest)

Veza constructs the Authorization: Bearer {token} header automatically.

Two-step authentication: perform a login request, then extract a bearer token from the response. Use this for APIs that require an initial authentication step before issuing a session token.

Field

Required

Description

login_url

Yes

URL to send the login POST request

login_payload_json

Yes

JSON body for the login request (encrypted at rest)

bearer_token_attribute

Yes

Dot-notation path to the token in the login response (e.g., value.token)

How it works:

Veza sends a POST request to login_url with login_payload_json as the body
The JSON response is parsed using bearer_token_attribute to extract the token
The extracted token is used as a Bearer token for the actual REST request

Example:

If the login API returns:

{
  "value": {
    "token": "eyJhbGciOiJIUzI1NiIs...",
    "expires_in": 3600
  }
}

Set bearer_token_attribute to value.token to extract the token.

OAuth2

OAuth 2.0 client credentials flow.

Field

Required

Description

client_id

Yes

OAuth2 client ID

client_secret

Yes

OAuth2 client secret (encrypted at rest)

authentication_method

Yes

How to send credentials: FORM or BASIC (see below)

auth_url

Token endpoint URL. Defaults to {credential_url}/oauth2/token if not specified

ca_certificate_base64

Base64-encoded CA certificate for self-signed TLS endpoints

Veza performs the client credentials flow to obtain an access token, then uses it as a Bearer token for the REST request.

Choosing an authentication method:

FORM (default): Sends client_id and client_secret as form-encoded parameters in the POST body alongside grant_type=client_credentials. Use this when the token endpoint expects credentials in the request body.
BASIC: Sends credentials in the Authorization: Basic base64(client_id:client_secret) header, with only grant_type=client_credentials in the POST body. Use this when the token endpoint requires HTTP Basic authentication.

Check your target API's OAuth2 documentation to determine which method it supports. Both conform to RFC 6749 §2.3.1. When in doubt, try FORM first as it is the default and more widely supported.

None

No authentication header is added to the request. Use this when the target API is public or when authentication is handled through other means (e.g., network-level security, pre-shared keys in URL parameters).

Using Credentials in Actions

When configuring a Send REST Request action in a Lifecycle Management policy:

In the action configuration, select a credential from the REST Auth Credentials dropdown
The credential provides the authentication header and optional default URL/method
The action's Webhook URL and HTTP Method settings override the credential defaults when specified

REST Auth Credentials handle how to authenticate requests. To control where requests execute from (control plane vs. Insight Point), configure the Data Source field separately. See Custom Application with Send REST Payload for Insight Point routing.

The legacy Authorization Header field on the Send REST Request action is deprecated. Migrate existing configurations to use REST Auth Credentials for centralized management and encrypted storage.

Permissions

Operation

Required Role

View credentials

Admin, Operator

Create, Update, Delete

Admin

hashtagOverview

hashtagSupported Authentication Types

hashtagConfiguring REST Auth Credentials

hashtagUsing the Veza UI

hashtagUsing the REST API

hashtagAuth Type Configuration

hashtagHeader

hashtagBasic

hashtagBearer

hashtagLogin to Bearer

hashtagOAuth2

hashtagNone

hashtagUsing Credentials in Actions

hashtagPermissions

hashtagSee Also

Overview

Supported Authentication Types

Configuring REST Auth Credentials

Using the Veza UI

Using the REST API

Auth Type Configuration

Header

Basic

Bearer

Login to Bearer

OAuth2

None

Using Credentials in Actions

Permissions

See Also