1 of 4

OAA Push API

Methods for working with Custom Data Providers and Sources

This document provides a basic overview of the API requests for creating and updating an OAA data source. These steps and API calls can be adapted for your client or programming language of choice. You can also use the oaaclient Python module to handle Veza authentication, register the data source, and push the populated template.

Overview

While registering sources and pushing authorization metadata with Open Authorization API is relatively straightforward, it is important to understand how Veza organizes custom providers and data sources as endpoints:

You will first register a new custom application provider with a POST request to /api/providers/custom (specifying the app name and template).
- The determines the type of entities the provider supports (application, identity_provider, or hris).
Each custom provider can have one or more data sources (such as different instances or domains), generated using .
- The populated template can describe additional resources and sub-resources, such as individual databases, repositories, or views.
You can for each custom data source.
All custom data sources are shown on the Configuration > Apps & Data Sources menu, and can be retrieved using .

You should typically name the provider based on the generic application provider (such as GitHub) and the data source after the top-level instance (such as GitHub - Organization). See the for more information about parsing and identifying entities using metadata from the source application.

Your requests will need to include a Veza API Key. For OAA APIs, using a is recommended. Provide it as the bearer auth token in the header of each request, for example:

Follow best practices for managing API keys: Do not save credentials in connector code. Consider using a secrets manager to securely store API keys and make them available at run time.

To add a custom application, you will need to:

Create a new custom provider and data source.
push the entity and authorization data in a JSON payload.

Use to register a new top-level custom provider. The custom_template determines what kind of entities you can push to the provider.

Custom Application provider

This is a common configuration with broad support for modeling applications with local identities, resources, and authorization:

Custom Application with SCIM lifecycle management

If your application exposes SCIM 2.0 endpoints, it can support automated provisioning and deprovisioning through :

Custom Application with REST lifecycle management

For applications that expose custom REST APIs (but not SCIM) for user provisioning. Veza sends REST requests to the application's endpoints through the Insight Point, which must have network access to the target application:

Custom Identity Provider

This template is for modeling custom or unsupported identity providers as a source of users and groups:

Identities and groups in the custom provider can mapped to local accounts in other systems, and assigned as entity owners. Custom IdPs can also be used a source of identity for Lifecycle Management policies.

HRIS Provider

This template is intended to model HR information systems. Set provisioning to true to use the HRIS as a system of record for Lifecycle Management policies:

Provider creation response

All provider creation requests return the Provider ID, which you will need to create and manage data sources:

Provider creation fields

Field

Type

Required

Description

Using the Python SDK

The oaaclient SDK provides create_provider() with an options parameter for advanced fields:

Each provider needs at least one data source. Create one with

The response will include the data source ID:

Datasources should be unique to the data collected by an OAA integration instance. For example, if an application has a "prod" and "dev" instance, creating a datasource for each will enable independent updates to each environment.
Name the data source uniquely based on the application instance to discover. Try to include the hostname or organization name in the data source. For example, don't use "GitHub" use "GitHub - Acme Inc" or "Portal - prod.corp.com"
Note that a provider id is required in both the request path and body.

Once the data source and provider are active, publish the payload with . The request body must include the Provider ID and Data Source ID.

json_data must contain the populated OAA template as a single JSON string (escaping any unsafe characters such as ").

Specifying the Provider ID and Data Source ID, perform the same used for the initial push.

To update an existing data source, use the operations and operations to get the provider and data source IDs.

OAA Operations

API calls for managing and updating custom data sources

Use these REST API calls to manage and update custom providers and data sources with Open Authorization API.

Create Custom Provider

Creates a custom provider and returns the provider ID.

List Custom Providers

Lists all configured custom providers.

Get Custom Provider by ID

Returns details for an individual custom provider.

Delete Custom Provider

Delete a custom provider by ID.

List Custom Provider Datasources

Return all data sources for a Custom Provider ID.

You can constrain large responses by adding a filter to the request query string. Include the operator (eq), and value, for example:

CURL <VEZA_URL>/api/v1/providers/custom?filter=name eq "GitHub"&order_by=state

Returns details for a single datasource.

Unbind a datasource from a custom provider, and delete it.

To push authorization metadata for a custom datasource, you can specify the source and provider IDs, and upload a payload with the entities and permissions in JSON format.

A warning is returned for any non-critical errors during payload processing. These can indicate incomplete or inaccurate data in the payload that do not prevent processing, but may warrant attention.

For large payloads that exceed 100 MB, use the multipart upload endpoint to upload the payload in chunks. See for details, examples, and Python SDK usage.

For , this endpoint pushes CSV data to an existing datasource. Typically, you will first create the integration and define column mappings using the "Add Integration" flow in Veza.

CSV data must base64 encoded into the JSON body of the request.

The populated template can be compressed and encoded, for significantly reduced payload size.

Specify the compression_type. Currently supported: GZIP.
If compression is selected, Veza will expect the payload json_data as a compressed, base64-encoded string.

To compress using shell commands:

Size is typically not an issue when updating custom datasources. However, you may want to compress large payloads. The maximum body size is 100MB (compressed or uncompressed).

Veza expects the populated template as a single JSON string, enclosed in the request body json_data field. Any "s and non-ASCII characters must be escaped.

To convert a template to JSON string using Python, the json.dumps() method could be used:

You can optionally add an icon for your custom provider by uploading a PNG or SVG file (less than 64kb) as a base64-encoded string:

Upload a custom icon to display for an OAA provider.

Return the type and string-encoded icon for a custom provider.

Delete the icon associated with an OAA provider.

Multipart Upload

Upload large OAA payloads using chunked multipart requests

Overview

For OAA payloads that exceed 100 MB after compression, you can use multipart upload to split the payload into smaller chunks and upload them sequentially. The Veza platform assembles the chunks server-side before processing.

Multipart upload is useful when:

The payload is too large for a single HTTP request
Network reliability is a concern for large transfers
You need to monitor upload progress for very large data sources

Start the upload by sending a start request — the server creates an upload session and returns an upload_id.
Upload chunks sequentially, each base64-encoding a raw slice of the payload. Include the upload_id from step 1 and an incrementing sequence_number.

Each chunk must be base64-encoded from raw bytes before sending. The server decodes and reassembles chunks in sequence order when the complete operation is received.

Field

Type

Description

The response returns an upload_id (UUID string) to use in all subsequent requests for this upload session.

Field

Type

Description

Send a separate POST to the same endpoint after all chunks are uploaded:

Field

Type

Description

The oaaclient Python SDK handles multipart upload automatically when enabled:

When enable_multipart is set to True, the SDK automatically switches to multipart for payloads exceeding 50 MB (uncompressed) and:

Splits the payload into chunks and base64-encodes each one individually
Starts an upload session and tracks the upload_id
Uploads each chunk sequentially with the correct sequence_number

All chunks for a given upload_id must be uploaded before sending the completion operation.
You can re-upload a chunk with the same sequence_number and upload_id if needed — the last upload for a given sequence number is used. All chunks must be present before the completion operation is sent.

Okta SSO Last Login Enrichment

Enrich OAA custom application users with SSO last login timestamps from Okta

Early Access: This feature is not enabled by default. Contact your Veza support team to enable the INTEG_OAA_SSO_LAST_LOGIN flag for your tenant.

Veza can enrich custom application (OAA) users with SSO last login timestamps by correlating Okta sign-in activity with your application's local users. When enabled, each local user in the Veza graph gains a sso_last_login_at property showing the last time that user accessed the application through Okta SSO.

This is useful for identifying dormant accounts, auditing access patterns, and supporting access reviews.

How it works

You specify the Okta Application ID (okta_app_id) for your custom application.
Veza matches your OAA local users to Okta users using a configurable matching property (set via the Veza API in Step 2).
On each data push, Veza looks up Okta SSO activity for your application and writes the last login timestamp to matching local user nodes.

Enrichment runs in the OAA service after data submission. If Okta activity data is unavailable, the push completes normally without SSO timestamps — no data is lost.

An active Okta integration in Veza with . Audit log data is the source for sso_last_login_at timestamps.
A custom application (OAA) integration, using either API push or CSV upload.
Your OAA local users must have identities values that match a property on your Okta user profiles (such as email address or a custom attribute).

Contact your Veza representative or support team and request:

Enable the INTEG_OAA_SSO_LAST_LOGIN feature flag on our tenant.

This flag is Veza-administered and cannot be self-enabled.

Configure which Okta user property Veza uses to correlate Okta users with your application's local users. You can set this yourself using the Veza API.

The string you pass as value specifies which OktaUser attribute to use for identity mapping. The attribute value on each Okta user must match the identities field on the linked OAA local users.

For example, if local users have identities: ["jane.doe@company.com"] and OktaUser nodes have login: "jane.doe@company.com", use login.
Custom attributes (e.g., customprop_employee_id) are also supported.

To set the property, send a PUT request with an API key that has the admin or system_monitoring role:

Replace <okta_user_property_name> with the OktaUser property to match on (e.g., login, email, or a custom attribute such as customprop_idx_uid).

To verify the current value:

Look for the okta_sso_user_matching_property key in the response.

Locate the Okta Application ID (0oa…) for the application you want to enrich:

Log in to your Okta Admin Console.
Navigate to Applications > Applications.
Select the application.
Copy the application ID from the URL (format: 0oaXXXXXXXXXXXXXXXX

The method depends on how you push data to Veza.

Add the okta_app_id field to your application payload at the application level:

okta_app_id (application level): Your Okta Application ID.
identities (user level): One or more identity strings matched against the configured Okta user property.

Navigate to Integrations > Custom Application (CSV).
Enter your Okta Application ID in the Okta App ID field in the application configuration form.
Upload your CSV as usual, ensuring users have identity values that match their Okta profiles.

After pushing data, verify enrichment is working:

Open Query Builder in Veza.
Query for your custom application's local users.
Check the sso_last_login_at column on user nodes.

Users whose identities matched an Okta user with SSO activity for your application will have a sso_last_login_at timestamp. Users without a match (such as service accounts or users not in Okta) will not have this property — this is expected.

Matching is case-insensitive. Jane.Doe@company.com and jane.doe@company.com are treated as the same identity.
First match wins. If a user has multiple identities, the first one that matches an Okta user is used.
Enrichment is non-blocking. If Okta data is unavailable, the push completes without SSO timestamps. No data is lost.

Issue

Possible cause

Resolution

OAA Push API

Methods for working with Custom Data Providers and Sources

Overview

You will first register a new custom application provider with a POST request to /api/providers/custom (specifying the app name and template).
- The determines the type of entities the provider supports (application, identity_provider, or hris).
Each custom provider can have one or more data sources (such as different instances or domains), generated using .
- The populated template can describe additional resources and sub-resources, such as individual databases, repositories, or views.
You can for each custom data source.
All custom data sources are shown on the Configuration > Apps & Data Sources menu, and can be retrieved using .

Your requests will need to include a Veza API Key. For OAA APIs, using a is recommended. Provide it as the bearer auth token in the header of each request, for example:

Follow best practices for managing API keys: Do not save credentials in connector code. Consider using a secrets manager to securely store API keys and make them available at run time.

To add a custom application, you will need to:

Create a new custom provider and data source.
push the entity and authorization data in a JSON payload.

Use to register a new top-level custom provider. The custom_template determines what kind of entities you can push to the provider.

Custom Application provider

This is a common configuration with broad support for modeling applications with local identities, resources, and authorization:

Custom Application with SCIM lifecycle management

If your application exposes SCIM 2.0 endpoints, it can support automated provisioning and deprovisioning through :

Custom Application with REST lifecycle management

Custom Identity Provider

This template is for modeling custom or unsupported identity providers as a source of users and groups:

HRIS Provider

This template is intended to model HR information systems. Set provisioning to true to use the HRIS as a system of record for Lifecycle Management policies:

Provider creation response

All provider creation requests return the Provider ID, which you will need to create and manage data sources:

Provider creation fields

Field

Type

Required

Description

Using the Python SDK

The oaaclient SDK provides create_provider() with an options parameter for advanced fields:

Each provider needs at least one data source. Create one with

The response will include the data source ID:

Datasources should be unique to the data collected by an OAA integration instance. For example, if an application has a "prod" and "dev" instance, creating a datasource for each will enable independent updates to each environment.
Name the data source uniquely based on the application instance to discover. Try to include the hostname or organization name in the data source. For example, don't use "GitHub" use "GitHub - Acme Inc" or "Portal - prod.corp.com"
Note that a provider id is required in both the request path and body.

Once the data source and provider are active, publish the payload with . The request body must include the Provider ID and Data Source ID.

json_data must contain the populated OAA template as a single JSON string (escaping any unsafe characters such as ").

Specifying the Provider ID and Data Source ID, perform the same used for the initial push.

To update an existing data source, use the operations and operations to get the provider and data source IDs.

Okta SSO Last Login Enrichment

Enrich OAA custom application users with SSO last login timestamps from Okta

Early Access: This feature is not enabled by default. Contact your Veza support team to enable the INTEG_OAA_SSO_LAST_LOGIN flag for your tenant.

This is useful for identifying dormant accounts, auditing access patterns, and supporting access reviews.

How it works

You specify the Okta Application ID (okta_app_id) for your custom application.
Veza matches your OAA local users to Okta users using a configurable matching property (set via the Veza API in Step 2).
On each data push, Veza looks up Okta SSO activity for your application and writes the last login timestamp to matching local user nodes.

Enrichment runs in the OAA service after data submission. If Okta activity data is unavailable, the push completes normally without SSO timestamps — no data is lost.

An active Okta integration in Veza with . Audit log data is the source for sso_last_login_at timestamps.
A custom application (OAA) integration, using either API push or CSV upload.
Your OAA local users must have identities values that match a property on your Okta user profiles (such as email address or a custom attribute).

Contact your Veza representative or support team and request:

Enable the INTEG_OAA_SSO_LAST_LOGIN feature flag on our tenant.

This flag is Veza-administered and cannot be self-enabled.

Configure which Okta user property Veza uses to correlate Okta users with your application's local users. You can set this yourself using the Veza API.

The string you pass as value specifies which OktaUser attribute to use for identity mapping. The attribute value on each Okta user must match the identities field on the linked OAA local users.

For example, if local users have identities: ["jane.doe@company.com"] and OktaUser nodes have login: "jane.doe@company.com", use login.
Custom attributes (e.g., customprop_employee_id) are also supported.

To set the property, send a PUT request with an API key that has the admin or system_monitoring role:

Replace <okta_user_property_name> with the OktaUser property to match on (e.g., login, email, or a custom attribute such as customprop_idx_uid).

To verify the current value:

Look for the okta_sso_user_matching_property key in the response.

Locate the Okta Application ID (0oa…) for the application you want to enrich:

Log in to your Okta Admin Console.
Navigate to Applications > Applications.
Select the application.
Copy the application ID from the URL (format: 0oaXXXXXXXXXXXXXXXX

The method depends on how you push data to Veza.

Add the okta_app_id field to your application payload at the application level:

okta_app_id (application level): Your Okta Application ID.
identities (user level): One or more identity strings matched against the configured Okta user property.

Navigate to Integrations > Custom Application (CSV).
Enter your Okta Application ID in the Okta App ID field in the application configuration form.
Upload your CSV as usual, ensuring users have identity values that match their Okta profiles.

After pushing data, verify enrichment is working:

Open Query Builder in Veza.
Query for your custom application's local users.
Check the sso_last_login_at column on user nodes.

Matching is case-insensitive. Jane.Doe@company.com and jane.doe@company.com are treated as the same identity.
First match wins. If a user has multiple identities, the first one that matches an Okta user is used.
Enrichment is non-blocking. If Okta data is unavailable, the push completes without SSO timestamps. No data is lost.

Issue

Possible cause

Resolution

{ "value": { "id": "text", "external_id": "text", "name": "text", "custom_template": "text", "custom_templates": [ "text" ], "state": 1, "application_types": [ "text" ], "idp_types": [ "text" ], "file_system_types": [ "text" ], "hris_types": [ "text" ], "principal_types": [ "text" ], "secret_store_types": [ "text" ], "schema_definition_json": "text", "provisioning": true, "push_type": 1, "rbac_id": "text", "internal_app_name": "text", "configuration_json": "text", "data_plane_id": "text", "lifecycle_management_state": 1, "team_id": "text", "csv_mapping_configuration": { "template_type": "text", "column_mappings": [ { "column_name": "text", "destination_type": "text", "destination_property": "text", "custom_property": { "name": "text", "type": 1, "lcm_unique_identifier": true }, "as_list": true, "template": "text", "property_type": 1, "is_required": true } ], "application": { "application_name": "text", "application_type": "text", "identity": [ "text" ], "resource_type": "text", "okta_app_id": "text" }, "advanced": { "list_delimiter": "text" }, "idp": { "idp_type": "text", "domain": "text" }, "hris": { "hris_name": "text", "hris_type": "text", "hris_url": "text", "hris_identity_mapping": { "mappings": [ { "destination_datasource_type": "text", "destination_datasource_oaa_app_type": "text", "type": 1, "mode": 1, "transformations": [ 1 ], "custom_value": "text", "property_matchers": [ { "source_property": 1, "destination_property": 1, "custom_source_property": "text", "custom_destination_property": "text" } ], "id_matchers": [ { "source_id": "text", "destination_id": "text" } ], "destination_datasources": [ { "type": "text", "oaa_app_type": "text" } ], "property_match_operator": 1 } ], "use_email": true }, "hris_provisioning_source": true }, "cmdb": { "cmdb_instance_name": "text", "cmdb_instance_type": "text", "csc_global_config": { "owner_id_column_name": "text", "asset_id_column_name": "text", "asset_type_column_name": "text", "owner_node_type": "text", "owner_id_property": "text", "asset_connections": [ { "asset_type_value": "text", "asset_node_type": "text", "asset_property_name": "text" } ] } } }, "secret_references": [ { "id": "text", "secret_id": "text", "secret_mapping": { "type": 1, "mapping": "text" }, "vault_id": "text", "vault": { "id": "text", "name": "text", "vault_provider": "text", "insight_point_id": "text", "deleted": true } } ], "external_lifecycle_management_type": 1, "cmdb_types": [ "text" ], "notification_preferences": { "enabled": true, "subscribed_events": [ 1 ], "notify_integration_owner": true, "additional_recipients": [ "text" ], "delivery_methods": [ { "type": 1, "id": "text" } ] } } }

{ "values": [ { "id": "text", "external_id": "text", "name": "text", "custom_template": "text", "custom_templates": [ "text" ], "state": 1, "application_types": [ "text" ], "idp_types": [ "text" ], "file_system_types": [ "text" ], "hris_types": [ "text" ], "principal_types": [ "text" ], "secret_store_types": [ "text" ], "schema_definition_json": "text", "provisioning": true, "push_type": 1, "rbac_id": "text", "internal_app_name": "text", "configuration_json": "text", "data_plane_id": "text", "lifecycle_management_state": 1, "team_id": "text", "csv_mapping_configuration": { "template_type": "text", "column_mappings": [ { "column_name": "text", "destination_type": "text", "destination_property": "text", "custom_property": { "name": "text", "type": 1, "lcm_unique_identifier": true }, "as_list": true, "template": "text", "property_type": 1, "is_required": true } ], "application": { "application_name": "text", "application_type": "text", "identity": [ "text" ], "resource_type": "text", "okta_app_id": "text" }, "advanced": { "list_delimiter": "text" }, "idp": { "idp_type": "text", "domain": "text" }, "hris": { "hris_name": "text", "hris_type": "text", "hris_url": "text", "hris_identity_mapping": { "mappings": [ { "destination_datasource_type": "text", "destination_datasource_oaa_app_type": "text", "type": 1, "mode": 1, "transformations": [ 1 ], "custom_value": "text", "property_matchers": [ { "source_property": 1, "destination_property": 1, "custom_source_property": "text", "custom_destination_property": "text" } ], "id_matchers": [ { "source_id": "text", "destination_id": "text" } ], "destination_datasources": [ { "type": "text", "oaa_app_type": "text" } ], "property_match_operator": 1 } ], "use_email": true }, "hris_provisioning_source": true }, "cmdb": { "cmdb_instance_name": "text", "cmdb_instance_type": "text", "csc_global_config": { "owner_id_column_name": "text", "asset_id_column_name": "text", "asset_type_column_name": "text", "owner_node_type": "text", "owner_id_property": "text", "asset_connections": [ { "asset_type_value": "text", "asset_node_type": "text", "asset_property_name": "text" } ] } } }, "secret_references": [ { "id": "text", "secret_id": "text", "secret_mapping": { "type": 1, "mapping": "text" }, "vault_id": "text", "vault": { "id": "text", "name": "text", "vault_provider": "text", "insight_point_id": "text", "deleted": true } } ], "external_lifecycle_management_type": 1, "cmdb_types": [ "text" ], "notification_preferences": { "enabled": true, "subscribed_events": [ 1 ], "notify_integration_owner": true, "additional_recipients": [ "text" ], "delivery_methods": [ { "type": 1, "id": "text" } ] } } ], "next_page_token": "text", "has_more": true }

POST /api/v1/providers/custom HTTP/1.1 Host: your-tenant.vezacloud.com Authorization: Bearer YOUR_SECRET_TOKEN Content-Type: application/json Accept: */* Content-Length: 1934 { "name": "text", "custom_template": "text", "provisioning": true, "push_type": 1, "internal_app_name": "text", "configuration_json": "text", "data_plane_id": "text", "custom_templates": [ "text" ], "csv_mapping_configuration": { "template_type": "text", "column_mappings": [ { "column_name": "text", "destination_type": "text", "destination_property": "text", "custom_property": { "name": "text", "type": 1, "lcm_unique_identifier": true }, "as_list": true, "template": "text", "property_type": 1, "is_required": true } ], "application": { "application_name": "text", "application_type": "text", "identity": [ "text" ], "resource_type": "text", "okta_app_id": "text" }, "advanced": { "list_delimiter": "text" }, "idp": { "idp_type": "text", "domain": "text" }, "hris": { "hris_name": "text", "hris_type": "text", "hris_url": "text", "hris_identity_mapping": { "mappings": [ { "destination_datasource_type": "text", "destination_datasource_oaa_app_type": "text", "type": 1, "mode": 1, "transformations": [ 1 ], "custom_value": "text", "property_matchers": [ { "source_property": 1, "destination_property": 1, "custom_source_property": "text", "custom_destination_property": "text" } ], "id_matchers": [ { "source_id": "text", "destination_id": "text" } ], "destination_datasources": [ { "type": "text", "oaa_app_type": "text" } ], "property_match_operator": 1 } ], "use_email": true }, "hris_provisioning_source": true }, "cmdb": { "cmdb_instance_name": "text", "cmdb_instance_type": "text", "csc_global_config": { "owner_id_column_name": "text", "asset_id_column_name": "text", "asset_type_column_name": "text", "owner_node_type": "text", "owner_id_property": "text", "asset_connections": [ { "asset_type_value": "text", "asset_node_type": "text", "asset_property_name": "text" } ] } } }, "secret_references": [ { "secret_id": "text", "secret_mapping": { "type": 1, "mapping": "text" }, "vault_id": "text" } ], "external_lifecycle_management_type": 1, "notification_preferences": { "enabled": true, "subscribed_events": [ 1 ], "notify_integration_owner": true, "additional_recipients": [ "text" ], "delivery_methods": [ { "type": 1, "id": "text" } ] } }

OAA Push API

Overview

OAA Operations

Create Custom Provider

List Custom Providers

Get Custom Provider by ID

Delete Custom Provider

List Custom Provider Datasources

Multipart Upload

Overview

Okta SSO Last Login Enrichment

How it works

OAA Push API

Overview

Authentication

First Run

Create a Custom Provider

Create a Data Source for the Provider

Push data source metadata

Get Custom Providers

Get Custom Data Sources

Update Custom Data Source

OAA Operations

Create Custom Provider

List Custom Providers

Get Custom Provider by ID

Delete Custom Provider

List Custom Provider Datasources

Create Custom Provider Datasource

Get Datasource by ID

Delete Custom Provider Datasource

Push Custom Provider Datasource

Multipart Push Custom Provider Datasource

Push Custom Provider Datasource CSV

Compression

Escaping unsafe characters

Custom Provider Icons

Create Custom Provider Icon

Get Custom Provider Icon

Delete Custom Provider Icon

Multipart Upload

Overview

How it works

API endpoint

Start request body

Chunk request body

Finalization request body

Example

Using the Python SDK

Notes

Okta SSO Last Login Enrichment

How it works

Prerequisites

Setup

Step 1: Request feature enablement

Step 2: Set the matching property configuration

Step 3: Find your Okta application ID

Step 4: Add the Okta app ID to your custom application

API push (JSON)

CSV upload

Verifying enrichment

Behavior notes

Troubleshooting

List custom providers