# VQL API

## Overview

You can programmatically execute Veza Query Language (VQL) queries through Veza's [Assessment Query API](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/developers/api/query-builder). This interface allows you to run VQL queries against Veza's Access Graph and retrieve results using standard REST API calls.

### VQL vs. Traditional Approaches

VQL offers a simplified way to interact with Veza's Assessment Query APIs, enabling:

* Automated compliance monitoring
* Cross-platform integration
* Custom investigation and reporting tools built on top of the Veza graph

While Veza's traditional JSON-based interfaces provide robust programmatic functionality, they are developer-focused and require detailed specification of all query components. VQL, with its SQL-like syntax, is more accessible to security practitioners who may already be familiar with similar query languages.

#### Example Comparison

Here's how the same query appears in both formats:

**Traditional JSON Format:**

```json
{
  "query_type": "SOURCE_TO_DESTINATION",
  "source_node_types": {
    "nodes": [
      {
        "node_type": "AwsIamUser",
        "condition_expression": {
          "specs": [
            {
              "fn": "EQ",
              "property": "is_active",
              "value": true
            }
          ]
        }
      }
    ]
  },
  "destination_node_types": {
    "nodes": [
      {
        "node_type": "S3Bucket"
      }
    ]
  }
}
```

**Equivalent VQL:**

```sql
SHOW AwsIamUser WHERE is_active = true RELATED_TO S3Bucket
```

VQL's concise syntax makes queries easier to write, review, and troubleshoot while maintaining the power of Veza's assessment capabilities.

### Requirements

To use the VQL API, you will need:

* A valid API token. For details on obtaining and using API tokens, see [Authentication](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/developers/api/authentication).
* Basic understanding of VQL syntax (see [VQL Syntax](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/features/search/vql/vql-syntax))
* VQL features enabled in your Veza instance

## API Endpoints

The VQL API provides two primary endpoints for retrieving query results: [Get Query Results (Count)](#get-query-results-count) and [Get Query Results (Nodes)](#get-query-results-nodes).

### Get Query Results (Count)

This endpoint retrieves result counts for a VQL query. These queries can execute faster and are optimal for metrics, reporting, and dashboard use cases where you need the total count rather than detailed node information.

{% openapi src="<https://1967633068-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MZDkWMxox3pekd0NsZJ%2Fuploads%2Fgit-blob-78f548f68894fbfb26b0fd9627c7e562be046dfa%2Fopenapi.yaml?alt=media>" path="/api/v1/assessments/vql:result" method="post" %}
[openapi.yaml](https://1967633068-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MZDkWMxox3pekd0NsZJ%2Fuploads%2Fgit-blob-78f548f68894fbfb26b0fd9627c7e562be046dfa%2Fopenapi.yaml?alt=media)
{% endopenapi %}

### Get Query Results (Nodes)

The `vql:nodes` endpoint retrieves detailed results for VQL queries, showing source nodes, their properties, and access relationship information. This format is useful for security analysis, access reviews, and permission auditing.

#### Example Request

```http
POST /api/v1/assessments/vql:nodes
{
  "query": "SHOW OktaUser WHERE is_active = true RELATED TO S3Bucket RESULT INCLUDE DESTINATION NODES LIMIT 50;"
}
```

This example asks: "Show me all active Okta users who have access to AWS S3 buckets, include details about those buckets, and limit results to 50 entries."

#### Understanding the API Response

When you send a VQL query, Veza returns a structured JSON response with results based on the latest graph data. The response contains:

* **Path Values**: Each entry represents a connection between a source and destination node
* **Source**: Details about the source node, including properties and risk level
* **Permissions**: Both high-level ("abstract") permissions and specific ("concrete") permissions
* **Destination**: Information about the destination node the source can access

**Example Response**

```json
{
  "path_values": [
    {
      "source": {
        "id": "00u5pqrs7xyP9uvw30z9",
        "type": "OktaUser",
        "properties": {
          "email": "jsmith@example.com",
          "name": "jsmith@example.com",
          "first_name": "John",
          "last_name": "Smith",
          "is_active": true,
          "identity_type": "HUMAN"
        },
        "risk_level": "CRITICAL"
      },
      "abstract_permissions": [
        "MetadataRead"
      ],
      "concrete_permissions": [
        "s3:ListBucket"
      ],
      "destination": {
        "id": "arn:aws:s3:::aws-cloudtrail-logs-123456789012-abcdef12",
        "type": "S3Bucket",
        "properties": {
          "name": "aws-cloudtrail-logs-123456789012-abcdef12",
          "region": "us-east-1",
          "block_public_access_enabled": true
        },
        "risk_level": "LOW"
      }
    }
  ],
  "cursor": "eyJsaW1pdCI6NTAsInN0YXJ0IjpbInNlcV9pZP...",
  "has_more": true
}
```

#### Pagination

For queries that return large result sets, use pagination to retrieve results in manageable chunks using the `LIMIT` and `AFTER CURSOR` keywords in your VQL query:

1. Make an initial request with a specified limit (e.g., `LIMIT 50`)
2. Check if `has_more` is `true` in the response
3. If more results exist, make subsequent requests using the cursor token from the previous response with `AFTER CURSOR 'token'`

Example initial request:

```json
{
  "query": "SHOW SnowflakeUser RELATED TO SnowflakeTable WITH EFFECTIVE PERMISSIONS = ANY ('DATA_DELETE') LIMIT 50;"
}
```

For subsequent requests, use the cursor token from the previous response:

```json
{
  "query": "SHOW SnowflakeUser RELATED TO SnowflakeTable WITH EFFECTIVE PERMISSIONS = ANY ('DATA_DELETE') AFTER CURSOR 'elcl9uYW1lIjoicjJkMiJ9fQ==' LIMIT 50;"
}
```

{% openapi src="<https://1967633068-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MZDkWMxox3pekd0NsZJ%2Fuploads%2Fgit-blob-78f548f68894fbfb26b0fd9627c7e562be046dfa%2Fopenapi.yaml?alt=media>" path="/api/v1/assessments/vql:nodes" method="post" %}
[openapi.yaml](https://1967633068-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MZDkWMxox3pekd0NsZJ%2Fuploads%2Fgit-blob-78f548f68894fbfb26b0fd9627c7e562be046dfa%2Fopenapi.yaml?alt=media)
{% endopenapi %}

### Related Documentation

* [VQL Syntax Reference](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/features/search/vql/vql-syntax) - Complete documentation of VQL query syntax
* [VQL Quick Start Guide](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/features/search/vql/vql-quickstart) - Examples and usage patterns
* [Assessment Query API Overview](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/developers/api/query-builder) - General information about the Assessment Query API


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.veza.com/4yItIzMvkpAvMVFAamTf/features/search/vql/vql-api.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.