You can programmatically execute Veza Query Language (VQL) queries through Veza's API. This interface lets you run VQL queries against Veza's Access Graph and retrieve results using standard REST API calls.
VQL vs. Traditional Approaches
VQL offers a simplified way to interact with Veza's Assessment Query APIs, enabling:
Automated compliance monitoring
Cross-platform integration
Custom investigation and reporting tools built on top of the Veza graph
While Veza's traditional JSON-based interfaces provide robust programmatic functionality, they are developer-focused and require detailed specification of all query components. VQL, with its SQL-like syntax, is more accessible to security practitioners who may already be familiar with similar query languages.
Example Comparison
Here's how the same query appears in both formats:
SHOW AwsIamUser WHERE is_active = true RELATED_TO S3Bucket
VQL's concise syntax makes queries easier to write, review, and troubleshoot while maintaining the power of Veza's assessment capabilities.
Requirements
To use the VQL API, you will need:
VQL features enabled in your Veza instance
A valid API token (see the Veza documentation on obtaining and using API tokens)
Basic understanding of VQL syntax
API Endpoints
The VQL API provides two primary endpoints for retrieving query results: Get Query Results (Count) and Get Query Results (Nodes).
Get Query Results (Count)
This endpoint retrieves the result count for a VQL query. Count queries can execute faster than node queries and are optimal for metrics, reporting, and dashboard use cases where you need the total count rather than detailed node information.
Get Query Results (Nodes)
The vql:nodes endpoint retrieves detailed results for VQL queries, showing source nodes, their properties, and access relationship information. This format is useful for security analysis, access reviews, and permission auditing.
Example Request
POST /api/v1/assessments/vql:nodes
{
"query": "SHOW OktaUser WHERE is_active = true RELATED TO S3Bucket RESULT INCLUDE DESTINATION NODES LIMIT 50;"
}
This example asks: "Show me all active Okta users who have access to AWS S3 buckets, include details about those buckets, and limit results to 50 entries."
Understanding the API Response
When you send a VQL query, Veza returns a structured JSON response with results based on the latest graph data. The response contains:
Path Values: Each entry represents a connection between a source and destination node
Source: Details about the source node, including properties and risk level
Permissions: Both high-level ("abstract") permissions and specific ("concrete") permissions
Destination: Information about the destination node the source can access
For queries that return large result sets, use the LIMIT and AFTER CURSOR keywords in your VQL query to retrieve results in manageable chunks:
Make an initial request with a specified limit (e.g., LIMIT 50)
Check if has_more is true in the response
If more results exist, make subsequent requests using the cursor token from the previous response with AFTER CURSOR 'token'
Example initial request:
{
"query": "SHOW SnowflakeUser RELATED TO SnowflakeTable WITH EFFECTIVE PERMISSIONS = ANY ('DATA_DELETE') LIMIT 50;"
}
For subsequent requests, use the cursor token from the previous response:
{
"query": "SHOW SnowflakeUser RELATED TO SnowflakeTable WITH EFFECTIVE PERMISSIONS = ANY ('DATA_DELETE') AFTER CURSOR 'elcl9uYW1lIjoicjJkMiJ9fQ==' LIMIT 50;"
}
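The pagination loop described above, as an added Python example (not Veza's own client code). It assumes the response carries the cursor token in a field named cursor and the path entries in values, which the page does not state, and it validates the token before splicing it into the query text, since the cursor becomes part of the VQL string.

```python
"""Page the vql:nodes endpoint by rewriting the query with AFTER CURSOR.
Assumed (not on the page): response fields "values", "has_more", "cursor"."""
import json
import re
import urllib.request

# An opaque cursor should only ever contain base64-style characters.
CURSOR_RE = re.compile(r"^[A-Za-z0-9+/=_-]+$")


def with_cursor(query: str, cursor: str) -> str:
    """Insert AFTER CURSOR '<token>' ahead of the trailing LIMIT clause.

    The token is interpolated into the query text, so reject anything that
    could alter the query (quotes, whitespace, keywords) before using it.
    """
    if not CURSOR_RE.fullmatch(cursor):
        raise ValueError("cursor token contains unexpected characters")
    body = query.strip().rstrip(";").strip()
    m = re.search(r"\bLIMIT\s+\d+\s*$", body, re.IGNORECASE)
    if m:  # keep the page's ordering: ... AFTER CURSOR 'x' LIMIT n;
        return f"{body[:m.start()]}AFTER CURSOR '{cursor}' {m.group(0)};"
    return f"{body} AFTER CURSOR '{cursor}';"


def post_vql(base_url: str, token: str, query: str) -> dict:
    """One real POST to vql:nodes; substitute a stub for offline use."""
    req = urllib.request.Request(
        f"{base_url}/api/v1/assessments/vql:nodes",
        data=json.dumps({"query": query}).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fetch_all(post, query: str, max_pages: int = 100) -> list:
    """Follow has_more/cursor until exhausted; max_pages bounds a runaway loop."""
    values, page_query = [], query
    for _ in range(max_pages):
        page = post(page_query)
        values.extend(page.get("values", []))
        if not page.get("has_more"):
            return values
        # Always rebuild from the base query so only one AFTER CURSOR is present.
        page_query = with_cursor(query, page["cursor"])
    raise RuntimeError("pagination did not terminate within max_pages")
```

Call fetch_all with a lambda such as lambda q: post_vql(url, token, q) against a live instance; the cursor check also means a malformed token fails fast instead of producing a query the server rejects.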
Related Documentation
Complete documentation of VQL query syntax
Examples and usage patterns
General information about the Assessment Query API