1 of 17

Integration APIs

Programmatic configuration of providers and data sources

The Veza management API enables internal tooling to automate administration of cloud providers and data sources. Each supported provider has endpoints to get, create, and modify the current configurations, which can be useful when integrating with environments spanning many provider accounts.

These customer-facing APIs are all available under the prefix <VezaURL>/api/v1/, for example:

https://company.veza.com/api/v1/providers/datasources

Notes

A data plane ID is required when adding a custom provider. This value refers to the Insight Point used for discovery, or the GUID of the built-in data plane. To get all available IDs, navigate to Administration > Insight Point. Unless you have deployed an Insight Point within your environment, the only entry will be for the internal data plane.
If a request is unsuccessful, an error message will provide additional details and troubleshooting steps.

Authentication

You can issue new API keys from Administration > API Keys > Add New API Key. Provide the key as the bearer auth token in the header of each request.

Users must have the admin role to add/modify provider configurations. Configurations can be viewed by users with the operator role.

Sample Integrations and Tools

Please contact your support team for private repository access.

Register Accounts - Use the management API to add multiple AWS accounts from CSV.

Veza Python Client - Simple Python class for making REST API calls to Veza.

Cloud Formation Stacks - Configure multiple AWS accounts for Veza discovery by enabling the required assume role operations and IAM permissions.

Open Authorization APIs

If your organization uses applications, data sources, or identity providers not natively supported by Veza, you may be able to add them to your data catalog using Open Authorization APIs. You will need to query the provider to retrieve entity and permissions metadata and push the payload to Veza for parsing in a template format.

Endpoints for administering custom resources (/providers/custom/*)are described in OAA Push API.

Enable/Disable Providers

API operations for enabling and disabling provider connections

The v1/providers API includes endpoints to enable or disable integrations by provider id. This allows you to temporarily pause data extraction and synchronization for specific providers when needed, without deleting the configuration.

The provider_id value should be obtained from the provider listing APIs (e.g., /api/v1/providers/aws for AWS providers)

Enable Provider

Activate a provider connection that was disabled.

curl -X PUT \
  "https://{tenant}.vezacloud.com/api/v1/providers/{id}:enable" \
  -H "accept: application/json" \
  -H "Authorization: Bearer {your_api_key}"

Disable Provider

Deactivates a provider connection until it is-renabled, preserving the configured settings.

curl -X PUT \
  "https://{tenant}.vezacloud.com/api/v1/providers/{id}:disable" \
  -H "accept: application/json" \
  -H "Authorization: Bearer {your_api_key}"

Cloud Platforms and Data Providers

Operations for listing, adding, and modifying cloud provider configurations

You can manage Veza integrations using the management API and a Veza admin API key.

Use these operations to configure and manage cloud platform integrations including AWS, Azure, Google Cloud, Snowflake, SQL Server, and Trino providers. Each provider type has specific configuration requirements and optional parameters for controlling discovery scope.

Provider Types

Veza supports the following provider types:

AWS: Amazon Web Services accounts with support for IAM, S3, RDS, Redshift, and other services
Azure: Microsoft Azure tenants including Active Directory and SharePoint Online
Google Cloud: Google Cloud Platform projects and Google Workspace domains
Snowflake: Snowflake data warehouses and databases
SQL Server: Microsoft SQL Server instances
Trino: Trino clusters with file-based access control

For detailed integration guides, see the Integrations documentation.

Authentication

You will need an API token with administrator permissions to manage provider configurations. See API Authentication for details.

Common Provider Properties

All provider configurations share these common properties:

id (String): Unique identifier for the provider configuration
vendor_id (String): Provider-specific identifier (e.g., AWS account ID)
name (String): Display name for the provider
type (String): Provider type (AWS, AZURE, GOOGLE_CLOUD, etc.)
state (String): Current state (ENABLED, DISABLED)
data_plane_id (String): Insight Point ID used for discovery
status (String): Last discovery status (SUCCESS, PENDING, ERROR)

AWS Providers

AWS Provider Object Schema

AWS provider configurations include account credentials, regions, and service-specific settings:

{
  "id": "883dd869-8762-4187-8767-1c387de14b4b",
  "vendor_id": "123456789010",
  "name": "AWS-Production",
  "type": "AWS",
  "state": "ENABLED",
  "data_plane_id": "a2e32a80-9d64-4725-b4a9-8de6ffd0682b",
  "status": "SUCCESS",
  "account_id": "123456789010",
  "credentials_type": "ASSUME_CUSTOMER_ROLE",
  "access_key_id": "AKIA6FRNZGGIOEBZ6BEA",
  "assume_role_name": "VezaDiscoveryRole",
  "assume_role_external_id": "veza-external-id",
  "regions": [
    "us-east-1",
    "us-west-2",
    "eu-west-1"
  ],
  "db_user": "veza_user",
  "services": [
    "IAM",
    "S3",
    "RDS",
    "REDSHIFT"
  ],
  "s3_bucket_allow_list": ["prod-data-*"],
  "s3_bucket_deny_list": ["temp-*", "test-*"],
  "rds_database_allow_list": ["production"],
  "rds_database_deny_list": ["temp"]
}

AWS Configuration Fields

account_id (String): AWS account ID (12-digit number)
credentials_type (String): Authentication method - STATIC, EC2_INSTANCE_PROFILE, or ASSUME_CUSTOMER_ROLE
access_key_id (String): Access key ID for static credentials
secret_key (String): Secret access key for static credentials
assume_role_name (String): IAM role name for assume role authentication
assume_role_external_id (String): External ID for assume role authentication
regions (Array): List of AWS regions to discover
db_user (String): Database username for RDS/Redshift connections
services (Array): Specific AWS services to discover (empty array = all services)

AWS Service Discovery Options

Available service values for the services array:

IAM: Identity and Access Management
S3: Simple Storage Service
RDS: Relational Database Service
REDSHIFT: Redshift data warehouses
EC2: Elastic Compute Cloud
LAMBDA: Lambda functions
EKS: Elastic Kubernetes Service
COGNITO: Cognito user pools
SECRETS_MANAGER: Secrets Manager
KMS: Key Management Service
DYNAMODB: DynamoDB tables

AWS Resource Filtering

Use allow/deny lists to control which resources are discovered:

s3_bucket_allow_list: S3 bucket names to include (supports wildcards)
s3_bucket_deny_list: S3 bucket names to exclude
rds_database_allow_list: RDS database names to include
rds_database_deny_list: RDS database names to exclude
redshift_database_allow_list: Redshift database ARNs to include
redshift_database_deny_list: Redshift database ARNs to exclude

For detailed AWS setup instructions, see Amazon Web Services Integration.

AWS API Operations

List AWS Providers

Create AWS Provider

Get AWS Provider

Update AWS Provider

Delete AWS Provider

Get AWS Trust Policy

Check AWS Policy

Azure Providers

Azure Provider Object Schema

Azure provider configurations include tenant authentication and service settings:

{
  "id": "fa04e92f-6e0d-4285-ba58-86a20c6941ff",
  "vendor_id": "contoso.onmicrosoft.com",
  "name": "Azure-Production",
  "type": "AZURE",
  "state": "ENABLED",
  "data_plane_id": "a2e32a80-9d64-4725-b4a9-8de6ffd0682b",
  "status": "SUCCESS",
  "tenant_id": "12345678-1234-1234-1234-123456789012",
  "client_id": "87654321-4321-4321-4321-210987654321",
  "services": [
    "AZUREAD",
    "SHAREPOINT",
    "SQLSERVER"
  ],
  "gather_guest_users": true,
  "gather_disabled_users": false,
  "gather_personal_sites": true,
  "domains": ["contoso.com"],
  "sql_server_database_allow_list": ["production"],
  "sql_server_database_deny_list": ["temp"]
}

Azure Configuration Fields

tenant_id (String): Azure Active Directory tenant ID
client_id (String): Application (client) ID for service principal
client_secret (String): Client secret for authentication
auth_certificate (String): Certificate for SharePoint app-only access
auth_certificate_password (String): Certificate password
services (Array): Azure services to discover
gather_guest_users (Boolean): Include guest users in discovery
gather_disabled_users (Boolean): Include disabled users
gather_personal_sites (Boolean): Include personal SharePoint sites
domains (Array): Specific domains to discover

For detailed Azure setup instructions, see Azure Integration.

Azure API Operations

List Azure Providers

Create Azure Provider

Get Azure Provider

Update Azure Provider

Delete Azure Provider

Google Cloud Providers

Google Cloud Provider Object Schema

Google Cloud provider configurations include service account credentials and project settings:

{
  "id": "fa04e92f-6e0d-4285-ba58-86a20c6941ff",
  "vendor_id": "gcp-project-id",
  "name": "GCP-Production",
  "type": "GOOGLE_CLOUD",
  "state": "ENABLED",
  "data_plane_id": "a2e32a80-9d64-4725-b4a9-8de6ffd0682b",
  "status": "SUCCESS",
  "customer_id": "C01234567",
  "workspace_email": "[email protected]",
  "project_allow_list": ["prod-project-1", "prod-project-2"],
  "project_deny_list": ["test-*"],
  "domain_allow_list": ["company.com"],
  "domain_deny_list": [],
  "services": [
    "IAM",
    "STORAGE",
    "COMPUTE",
    "WORKSPACE",
    "BIGQUERY"
  ],
  "dataset_allow_list": ["analytics", "reporting"],
  "dataset_deny_list": ["temp_*"]
}

Google Cloud Configuration Fields

credentials_json (String): Service account key JSON
customer_id (String): Google Workspace customer ID
workspace_email (String): Workspace user email for service account impersonation
project_allow_list (Array): GCP project names to include
project_deny_list (Array): GCP project names to exclude
domain_allow_list (Array): Workspace domains to include
domain_deny_list (Array): Workspace domains to exclude
dataset_allow_list (Array): BigQuery dataset names to include
dataset_deny_list (Array): BigQuery dataset names to exclude

For detailed Google Cloud setup instructions, see Google Cloud Integration.

Google Cloud API Operations

List Google Cloud Providers

Create Google Cloud Provider

Get Google Cloud Provider

Update Google Cloud Provider

Delete Google Cloud Provider

Snowflake Providers

Snowflake Provider Object Schema

Snowflake provider configurations include connection details and database filtering:

{
  "id": "fa04e92f-6e0d-4285-ba58-86a20c6941ff",
  "vendor_id": "xy12345.us-east-1",
  "name": "Snowflake-Production",
  "type": "SNOWFLAKE",
  "state": "ENABLED",
  "data_plane_id": "a2e32a80-9d64-4725-b4a9-8de6ffd0682b",
  "status": "SUCCESS",
  "account_locator": "xy12345",
  "region": "us-east-1",
  "cloud": "aws",
  "user": "veza_user",
  "role": "VEZA_ROLE",
  "warehouse": "COMPUTE_WH",
  "database_allow_list": ["PROD_DB", "ANALYTICS_DB"],
  "database_deny_list": ["TEMP_DB", "TEST_DB"]
}

Snowflake Configuration Fields

account_locator (String): Snowflake account locator (e.g., "xy12345")
region (String): Cloud region for the Snowflake account
cloud (String): Cloud provider ("aws", "azure", or "gcp")
user (String): Snowflake username for authentication
password (String): Password for the Snowflake user
role (String): Snowflake role to use for queries
warehouse (String): Default warehouse for compute
database_allow_list (Array): Database names to include
database_deny_list (Array): Database names to exclude

For detailed Snowflake setup instructions, see Snowflake Integration.

Snowflake API Operations

List Snowflake Providers

Create Snowflake Provider

Get Snowflake Provider

Update Snowflake Provider

Delete Snowflake Provider

SQL Server Providers

SQL Server Provider Object Schema

SQL Server provider configurations include connection details and database filtering:

{
  "id": "90112ed7-47e7-48e6-9f05-c02d19d7f137",
  "vendor_id": "sqlserver.company.com",
  "name": "SQL-Production",
  "type": "SQL_SERVER",
  "state": "ENABLED",
  "data_plane_id": "a2e32a80-9d64-4725-b4a9-8de6ffd0682b",
  "status": "SUCCESS",
  "host": "sqlserver.company.com",
  "port": 1433,
  "username": "veza_user",
  "database_allow_list": ["ProductionDB", "AnalyticsDB"],
  "database_deny_list": ["TempDB", "TestDB"],
  "schema_allow_list": ["dbo", "analytics"],
  "schema_deny_list": ["temp"]
}

SQL Server Configuration Fields

host (String): SQL Server hostname or IP address
port (Integer): Port number (typically 1433)
username (String): SQL Server username
password (String): Password for authentication
database_allow_list (Array): Database names to include
database_deny_list (Array): Database names to exclude
schema_allow_list (Array): Schema names to include
schema_deny_list (Array): Schema names to exclude

For detailed SQL Server setup instructions, see SQL Server Integration.

SQL Server API Operations

List SQL Server Providers

Create SQL Server Provider

Get SQL Server Provider

Update SQL Server Provider

Delete SQL Server Provider

Trino Providers

Trino Provider Object Schema

Trino provider configurations include cluster connection details and S3 access control file settings:

{
  "id": "fa04e92f-6e0d-4285-ba58-86a20c6941ff",
  "vendor_id": "trino.company.com",
  "name": "Trino-Production",
  "type": "TRINO",
  "state": "ENABLED",
  "data_plane_id": "a2e32a80-9d64-4725-b4a9-8de6ffd0682b",
  "status": "SUCCESS",
  "host": "trino.company.com",
  "port": 8080,
  "username": "veza_user",
  "aws_s3_object_config": {
    "access_key": "AKIA...",
    "region": "us-east-1",
    "bucket": "trino-config",
    "object": "access-control.properties",
    "credentials_type": "STATIC",
    "assume_role_name": "",
    "account_id": ""
  },
  "ssl_certificate": "-----BEGIN CERTIFICATE-----\n..."
}

Trino Configuration Fields

host (String): Trino coordinator hostname
port (Integer): Trino coordinator port (typically 8080 or 8443)
username (String): Trino username
password (String): Password for authentication
aws_s3_object_config (Object): S3 configuration for access control file
ssl_certificate (String): TLS certificate for secure connections

S3 Object Configuration

The aws_s3_object_config object contains:

access_key (String): AWS access key ID
secret_key (String): AWS secret access key
region (String): S3 bucket region
bucket (String): S3 bucket name
object (String): Path to access control file
credentials_type (String): Authentication method
assume_role_name (String): IAM role name (for assume role)
assume_role_external_id (String): External ID for assume role
account_id (String): AWS account ID

For detailed Trino setup instructions, see Trino Integration.

Trino API Operations

List Trino Providers

Create Trino Provider

Get Trino Provider

Update Trino Provider

Delete Trino Provider

Error Handling

All provider API operations return standard HTTP status codes:

200 OK: Request successful
400 Bad Request: Invalid request parameters or payload
401 Unauthorized: Invalid or missing API token
403 Forbidden: Insufficient permissions
404 Not Found: Provider configuration not found
409 Conflict: Provider configuration already exists
500 Internal Server Error: Server error

Error responses include a descriptive message and error code:

{
  "error": {
    "code": "INVALID_CREDENTIALS",
    "message": "The provided credentials are invalid or expired",
    "details": "AWS STS AssumeRole failed with error: Access denied"
  }
}

Best Practices

When managing provider configurations:

Use descriptive names that identify the environment and purpose
Implement least privilege by configuring only necessary services and resources
Use allow lists rather than deny lists when possible for better security
Test configurations in development environments before production
Monitor discovery status regularly to ensure successful data collection
Rotate credentials according to your organization's security policies
Use assume role authentication for AWS providers when possible
Configure resource filtering to limit discovery scope and improve performance

Disable AWS Services using Provider Management APIs

Overview

This guide explains how to disable specific AWS services across multiple AWS integrations (providers) using the Veza API. Limiting AWS service extraction can reduce processing overhead, help teams focus on relevant services, or exclude analytics platforms like DATABRICKS that may not be deployed or required for visibility in Veza. This is particularly useful for organizations with many AWS accounts who need to disable unused services at scale.

In the JSON AWS provider configuration, the services array acts as an allow list that controls which AWS services Veza will discover and extract:

Empty array [] = All available AWS services are enabled for discovery
Populated array = Only the listed services are enabled; all others are disabled

To disable specific services, you must populate the array with only the services you want to monitor.

Before you start

Before you update AWS provider services, ensure:

You have API access credentials for your Veza instance (see for API key setup)
You have the VEZA_TOKEN environment variable configured
You have the VEZA_URL environment variable set to your instance (e.g., https://yourcompany.cookiecloud.ai)
You have appropriate permissions to modify provider configurations
You understand that empty services arrays mean ALL services are enabled

Disable specific AWS services across providers

Step 1: Discover your current AWS providers

First, retrieve all AWS provider configurations to understand your current setup:

Understanding the response:

Providers with empty services: [] arrays have ALL services enabled
Providers with populated services arrays only extract the listed services
Note the id, name, and account_id fields for providers you want to modify

Example response structure:

Step 2: Identify target providers and services

Identify which providers to modify based on:
- Provider names that match your AWS accounts
- Account IDs that correspond to your AWS accounts
- Current services configuration
Determine your desired services configuration:
Option A: Disable DATABRICKS only
Option B: Enable only specific services
Option C: Custom configuration
- Review the below
- Create your own array with desired services

Step 3: Test with a single provider

Before updating all providers, test with one provider first:

Verify the change:

Check that the response shows your desired services array.

Step 4: Apply to multiple providers

Manual approach (recommended for small numbers)

Update each provider individually using their specific IDs:

Bulk approach (for many providers)

Create a script for bulk updates. Use with caution as this affects all AWS providers:

Step 5: Verify changes

After updating providers, verify the changes took effect:

Reversing changes

Re-enable all services

To return a provider to monitoring all services:

Modify service configuration

To change which services are monitored:

Available AWS services

The following AWS services can be included in the services array:

S3 - Simple Storage Service
RDS_POSTGRES - PostgreSQL databases
RDS_MYSQL - MySQL databases
RDS_ORACLE - Oracle databases
RDS - General RDS service
DYNAMODB - DynamoDB NoSQL database
REDSHIFT - Redshift data warehouse
REDSHIFT_CLUSTER - Redshift cluster management
EC2 - Elastic Compute Cloud (virtual machines)
LAMBDA - Serverless functions
EKS - Elastic Kubernetes Service
ECR - Elastic Container Registry
EMR - Elastic MapReduce (big data)
AWS_IAM - Identity and Access Management
KMS - Key Management Service
SECRETS_MANAGER - AWS Secrets Manager
COGNITO - User authentication service
SSO - AWS Single Sign-On
ORGANIZATIONS - AWS Organizations
DATABRICKS - Analytics platform

Important notes:

Service availability may vary by Veza version and configuration
Some services may require specific permissions or setup
When in doubt, check your Veza UI to see which services are available for your AWS providers

Identity Providers

API endpoints for configuring Okta and OneLogin

You can manage Veza Identity Provider integrations using the management API and a Veza admin API key.

AzureAD and Google Workspace identities are discovered by adding the associated Google Cloud account or Azure tenant as a cloud provider.

providers/activedirectory
providers/okta
providers/onelogin

`providers/activedirectory`

See the configuration guide for the prerequisite steps to integrate Active Directory with Veza. An AD configuration has the following parameters:

{
  "ad_fqdn": "FQDN.NAME.ON.CERT",
  "name": "Test-AD",
  "host": "FQDN.FOR.DOMAIN.CONTROLLER",
  "port": 636,
  "ldaps_certificate": "Base64 Encoded String of PEM format",
  "username": "ADMIN",
  "password": "PASSWORD",
  "domains": ["FQDN.OF.DOMAIN"],
  "data_plane_id": "DATAPLAN_ID"
}

List Active Directory Providers

curl --location --request GET '/api/v1/providers/activedirectory' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer TOKEN'

The response will include all existing configurations, in the format:

{
    "values": [
        {
            "id": "interation-GUID",
            "vendor_id": "domain.controller.FQDN",
            "name": "ad_cct01",
            "type": "ACTIVE_DIRECTORY",
            "state": "ENABLED",
            "data_plane_id": "insight-point-GUID",
            "status": "SUCCESS",
            "host": "domain.controller.FQDN",
            "port": 636,
            "username": "read.only",
            "domains": [
                "corp.cookie.ai"
            ],
            "ad_fqdn": "cct01-ad-01.corp.cookie.ai",
            "identity_mapping_configuration": null
        }
    ]
}

Create Active Directory Provider

curl --location --request POST '/api/v1/providers/activedirectory' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer TOKEN' \
--header 'Content-Type: application/json' \
--data-raw '{
  "ad_fqdn": "FQDN.NAME.ON.CERT",
  "name": "Test-AD",
  "host": "FQDN.FOR.DOMAIN.CONTROLLER",
  "port": 636,
  "ldaps_certificate": "Base64 Encoded String of PEM format",
  "username": "ADMIN",
  "password": "PASSWORD",
  "domains": ["FQDN.OF.DOMAIN"],
  "data_plane_id": "DATAPLAN_ID"
}'

Get Active Directory Provider

curl --location --request POST '/api/v1/providers/activedirectory' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer TOKEN' \
--header 'Content-Type: application/json' \
--data-raw '{
  "ad_fqdn": "FQDN.NAME.ON.CERT",
  "name": "Test-AD",
  "host": "FQDN.FOR.DOMAIN.CONTROLLER",
  "port": 636,
  "ldaps_certificate": "Base64 Encoded String of PEM format",
  "username": "ADMIN",
  "password": "PASSWORD",
  "domains": ["FQDN.OF.DOMAIN"],
  "data_plane_id": "DATAPLAN_ID"
}'

Delete Active Directory Provider

curl --location --request DELETE '/api/v1/providers/activedirectory/{{provider_id}}' \
--header 'Authorization: Bearer TOKEN'

Update Active Directory Provider

curl --location --request PATCH '/api/v1/providers/azure/{{provider_id}}' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer TOKEN' \
--header 'Content-Type: application/json' \
--data-raw '{
    "port": 636
}'

`providers/okta`

An Okta configuration includes connection information and credentials, as well as any limits on apps and domains to extract:

{
  "id": "string",
  "domain": "string",
  "region": "string",
  "token": "string",
  "gather_all_applications": true,
  "domain_allow_list": [
    "string"
  ],
  "domain_deny_list": [
    "string"
  ],
  "app_allow_list": [
    "string"
  ],
  "app_deny_list": [
    "string"
  ]
}

See the Okta integration guide for more details on retrieving an Okta API token and registering your domain with Veza.

List Okta Providers

List Okta Providers

GET {{vezaURL}}/api/v1/providers/okta

Get the configuration and status for all configured Okta integrations.

* indicates a required field.

{
  "values": [
    {
      "id": "string",
      "vendor_id": "string",
      "name": "string",
      "type": "UNKNOWN_PROVIDER",
      "state": "STARTED",
      "data_plane_id": "string",
      "status": "PENDING",
      "domain": "string"
    }
  ]
}

Create Okta Provider

Create Okta Provider

POST {{vezaURL}}/api/v1/providers/okta

Submit a new Okta provider configuration.

* indicates a required field.

Request Body

Name

Type

Description

name*

string

Name for the Okta Provider

domain*

string

Okta domain

region*

string

The Okta region

us

data_plane_id

string

Provide if connecting via an Insight Point

token*

string

Okta API token

gather_all_applications

boolean

Whether to extract all apps or only selected

domain_allow_list

string list

Domains to explicitly allow

domain_deny_list

string list

Domains to exclude from discovery

app_allow_list

string list

Apps to explicitly allow

app_deny_list

string list

Apps to exclude from discovery

{
  "values": [
    {
      "id": "string",
      "vendor_id": "string",
      "name": "string",
      "type": "UNKNOWN_PROVIDER",
      "state": "STARTED",
      "data_plane_id": "string",
      "status": "PENDING",
      "domain": "string"
    }
  ]
}

Get Okta Provider

Get Okta Provider

GET {{vezaURL}}/api/v1/providers/okta/{id}

Get an individual Okta provider configuration.

* indicates a required field.

Path Parameters

Name

Type

Description

id*

string

The Okta provider configuration ID

{
  "value": {
    "id": "string",
    "vendor_id": "string",
    "name": "string",
    "type": "UNKNOWN_PROVIDER",
    "state": "STARTED",
    "data_plane_id": "string",
    "status": "PENDING",
    "domain": "string"
  }
}

Delete Okta Provider

Delete Okta Provider

DELETE {{vezaURL}}/api/v1/providers/okta/{id}

Delete an Okta provider, removing all associated entities from Veza.

* indicates a required field.

Path Parameters

Name

Type

Description

string

ID of the configuration to delete

{}

Update Okta Provider

Update Okta Provider

PATCH {{vezaURL}}/api/v1/providers/okta/{id}

Update an existing provider configuration with new properties.

* indicates a required field.

Path Parameters

Name

Type

Description

{id}*

string

The Okta provider configuration ID

Query Parameters

Name

Type

Description

update_mask.paths

array[string]

the set of field mask paths

Request Body

Name

Type

Description

domain

string

region

string

token

string

{
  "value": {
    "id": "string",
    "vendor_id": "string",
    "name": "string",
    "type": "UNKNOWN_PROVIDER",
    "state": "STARTED",
    "data_plane_id": "string",
    "status": "PENDING",
    "domain": "string"
  }
}

`providers/onelogin`

A OneLogin configuration includes the domain, region, and credentials to use for the connection:

{
  "name": "string",
  "domain": "string",
  "region": "string",
  "client_id": "string",
  "client_secret": "string",
  "data_plane_id": "string"
}

See connecting to OneLogin for steps to generate credentials for Veza-OneLogin API access.

List OneLogin Providers

List OneLogin Providers

GET {{vezaURL}}/api/v1/providers/onelogin

Gets all configured OneLogin providers.

* indicates a required field.

{
  "values": [
    {
      "id": "string",
      "vendor_id": "string",
      "name": "string",
      "type": "UNKNOWN_PROVIDER",
      "state": "STARTED",
      "data_plane_id": "string",
      "status": "PENDING",
      "domain": "string",
      "region": "string",
      "client_id": "string"
    }
  ]
}

Create OneLogin Provider

Create OneLogin Provider

POST {{vezaURL}}/api/v1/providers/onelogin

Submit a new OneLogin provider configuration. See

OneLogin

for more information about enabling Veza access to OneLogin metadata.

* indicates a required field.

Path Parameters

Name

Type

Description

name*

string

The name to show in Veza

domain*

string

Your company's OneLogin domain

region*

string

The region of the Onelogin instance, e.g.

us

client_id*

string

Client ID for the OneLogin key pair

client_secret*

string

Client Secret for the OneLogin ID pair

data_plane_id

string

Insight Point ID to use for the connection

{
  "value": {
    "id": "string",
    "vendor_id": "string",
    "name": "string",
    "type": "UNKNOWN_PROVIDER",
    "state": "STARTED",
    "data_plane_id": "string",
    "status": "PENDING",
    "domain": "string",
    "region": "string",
    "client_id": "string"
  }
}

Get OneLogin Provider

Get OneLogin Provider

GET {{vezaURL}}/api/v1/providers/onelogin/{id}

Return the status and configuration for a single OneLogin provider configuration.

* indicates a required field.

Path Parameters

Name

Type

Description

id*

string

OneLogin provider ID

{
  "value": {
    "id": "string",
    "vendor_id": "string",
    "name": "string",
    "type": "UNKNOWN_PROVIDER",
    "state": "STARTED",
    "data_plane_id": "string",
    "status": "PENDING",
    "domain": "string",
    "region": "string",
    "client_id": "string"
  }
}

Delete OneLogin Provider

Delete Onelogin Provider

DELETE {{vezaURL}}/api/v1/providers/onelogin/{id}

Delete a OneLogin configuration and its discovered entities.

* indicates a required field.

Path Parameters

Name

Type

Description

id*

string

The OneLogin configuration to delete

{}

Update OneLogin Provider

Update OneLogin Provider

PATCH {{VezaURL}}/api/v1/providers/onelogin/{id}

Update a OneLogin provider configuration. You can provide field mask paths to only update specific fields.

* indicates a required field.

Path Parameters

Name

Type

Description

{id}*

string

ID of the OneLogin configuration to update

Query Parameters

Name

Type

Description

update_mask.paths

array[string]

The set of field mask paths

Request Body

Name

Type

Description

name*

string

domain*

string

region*

string

client_id*

string

client_secret*

string

data_plane_id

string

{
  "values": [
    {
      "id": "string",
      "vendor_id": "string",
      "name": "string",
      "type": "UNKNOWN_PROVIDER",
      "state": "STARTED",
      "data_plane_id": "string",
      "status": "PENDING",
      "domain": "string",
      "region": "string",
      "client_id": "string"
    }
  ]
}

Data Sources

Operations for managing data sources including listing, updating, enabling, disabling, and status monitoring

Each cloud provider will have one or more associated data sources. Each represents a discrete instance of a service that Veza connects to for the discovery and extraction of authorization metadata.

The provider under /providers/aws/{id}, for example, may have an associated EC2 data source, represented as:

{
  "id": "6961b032-3fd7-4baa-a230-146d1b70ec27",
  "name": "AWS EC2 (527398259632)",
  "datasource_type": "EXTRACTOR",
  "agent_type": "AWS_EC2",
  "status": "SUCCESS",
  "provider_id": "cd0cf102-e86c-4599-9cbe-64d2c6b83236",
  "path": "AWS/ec2",
  "state": "ENABLED",
  "effective_state": "ENABLED",
  "datasource_config": null,
  "created_at": "2021-10-26T07:10:38Z",
  "updated_at": "2021-10-26T07:10:38Z",
  "synced_at": "2022-01-13T20:53:23Z",
  "parsed_at": "2022-01-13T20:53:29Z"
}

You can use the API to get or update data source records, or enable and disable individual data sources.

Disabling a data source will cancel all pending extractions.

Available Endpoints

Core Data Source Operations

Lifecycle Management Operations

Status and Monitoring

For working with custom applications and Open Authorization API (OAA), see:

List Data Sources

Retrieve all data sources with optional filtering and pagination

Endpoint

GET /api/v1/providers/datasources

Description

Returns the properties and status for all data sources. When filtering is applied, only data sources matching the filter will be returned.

Data sources represent discrete instances of services that Veza connects to for discovery and extraction of authorization metadata. Each cloud provider may have one or more associated data sources.

API Reference

Query Parameters

Parameter

Type

Required?

Description

filter

string

Optional

When present, only returns data sources matching the filter. Available options: name, agent_type, status, state, provider_id, data_provider_id, datasource_type

order_by

string

Optional

Sort results by: name, agent_type, status, state, provider_id, data_provider_id, or datasource_type

page_size

integer

Optional

The maximum number of results to return. Fewer results may be returned even when more pages exist

page_token

string

Optional

The token specifying the specific page of results to retrieve

Request Examples

curl -X GET "$BASE_URL/api/v1/providers/datasources" \
  -H "authorization: Bearer $VEZA_TOKEN"

curl -X GET "$BASE_URL/api/v1/providers/datasources?filter=status+eq+\"SUCCESS\"" \
  -H "authorization: Bearer $VEZA_TOKEN"

curl -X GET "$BASE_URL/api/v1/providers/datasources?page_size=10&order_by=name" \
  -H "authorization: Bearer $VEZA_TOKEN"

Veza expects spaces in URLs encoded as + (?datasource_type+eq+"extractor"). Some libraries encode spaces as %2B by default, which will cause errors.

Response Examples

Standard Response:

{
  "values": [
    {
      "id": "6961b032-3fd7-4baa-a230-146d1b70ec27",
      "name": "AWS EC2 (527398259632)",
      "datasource_type": "EXTRACTOR",
      "agent_type": "AWS_EC2",
      "status": "SUCCESS",
      "provider_id": "cd0cf102-e86c-4599-9cbe-64d2c6b83236",
      "path": "AWS/ec2",
      "state": "ENABLED",
      "effective_state": "ENABLED",
      "created_at": "2021-10-26T07:10:38Z",
      "updated_at": "2021-10-26T07:10:38Z",
      "synced_at": "2022-01-13T20:53:23Z",
      "parsed_at": "2022-01-13T20:53:29Z"
    }
  ],
  "next_page_token": "ec67g",
  "has_more": false
}

Get Data Source

Retrieve status and details for an individual data source

Endpoint

GET /api/v1/providers/datasources/{id}

Description

Returns status and configuration details for an individual data source by its ID.

API Reference

Path Parameters

Parameter

Type

Required?

Description

id

string

Required

The data source ID

Request Examples

curl -X GET "$BASE_URL/api/v1/providers/datasources/6961b032-3fd7-4baa-a230-146d1b70ec27" \
  -H "authorization: Bearer $VEZA_TOKEN"

Response Examples

Standard Response:

{
  "value": {
    "id": "6961b032-3fd7-4baa-a230-146d1b70ec27",
    "name": "AWS EC2 (527398259632)",
    "datasource_type": "EXTRACTOR",
    "agent_type": "AWS_EC2",
    "status": "SUCCESS",
    "provider_id": "cd0cf102-e86c-4599-9cbe-64d2c6b83236",
    "path": "AWS/ec2",
    "state": "ENABLED",
    "effective_state": "ENABLED",
    "datasource_config": null,
    "created_at": "2021-10-26T07:10:38Z",
    "updated_at": "2021-10-26T07:10:38Z",
    "synced_at": "2022-01-13T20:53:23Z",
    "parsed_at": "2022-01-13T20:53:29Z"
  }
}

Update Data Source

Update the name for a given data source ID

Endpoint

Description

Update the name for a given data source ID. This endpoint allows you to modify the display name of an existing data source.

API Reference

Path Parameters

Parameter

Type

Required?

Description

Request Body

Field

Type

Required?

Description

Request Examples

Response Examples

Standard Response:

Disable Data Source

Pause discovery and extraction for a data source

Endpoint

PUT /api/v1/providers/datasources/{id}:disable

Description

Pause discovery and extraction for a data source. This will cancel all pending extractions for the specified data source.

Disabling a data source will cancel all pending extractions and prevent new data from being collected until the data source is re-enabled.

API Reference

Path Parameters

Parameter

Type

Required?

Description

id

string

Required

The data source ID

Request Examples

curl -X PUT "$BASE_URL/api/v1/providers/datasources/6961b032-3fd7-4baa-a230-146d1b70ec27:disable" \
  -H "authorization: Bearer $VEZA_TOKEN"

Response Examples

Standard Response:

{}

Enable Data Source

Resume monitoring and queue the data source for extraction

Endpoint

Description

Resume monitoring and queue the data source for extraction. This will re-enable a previously disabled data source and schedule it for data collection.

API Reference

Path Parameters

Parameter

Type

Required?

Description

Request Examples

Response Examples

Standard Response:

List Lifecycle Manager Datasources

Lists all data sources that have enabled lifecycle management and their supported capabilities

Endpoint

GET /api/v1/providers/datasources/lifecycle_managers

Description

Lists all data sources that have enabled lifecycle management and their detailed capabilities. This endpoint shows which systems can be used as sources of identity information and as targets for access management operations in Veza Lifecycle Management.

Use this endpoint to:

Discover which datasources support lifecycle management
View the capabilities each datasource provides
Get datasource IDs needed for other lifecycle management operations
Identify available actions, syncable attributes, and grantable entitlements for each datasource

API Reference

Query Parameters

Parameter

Type

Required?

Description

filter

string

Optional

When present, only returns data sources matching the filter

order_by

string

Optional

Sort results by specified field

page_size

integer

Optional

The maximum number of results to return. Fewer results may be returned even when more pages exist

page_token

string

Optional

The token specifying the specific page of results to retrieve

Request Examples

curl -X GET "$BASE_URL/api/v1/providers/datasources/lifecycle_managers" \
  -H "authorization: Bearer $VEZA_TOKEN"

curl -X GET "$BASE_URL/api/v1/providers/datasources/lifecycle_managers?page_size=10" \
  -H "authorization: Bearer $VEZA_TOKEN"

Response Examples

{
  "values": [
    {
      "id": "549a4b5e-0328-4c87-a19d-ee8a2926d1aa",
      "name": "Workday Integration", 
      "provider_type": "WORKDAY",
      "external_id": "https://wd5-impl-services1.workday.com/veza_preview",
      "lifecycle_management_enabled": true,
      "supported_capabilities": [
        "IDENTITY_SOURCE",
        "ACCESS_TARGET"
      ]
    },
    {
      "id": "2b1c8d4e-5f2a-4b3c-9e7f-1d2e3f4a5b6c",
      "name": "Active Directory",
      "provider_type": "ACTIVE_DIRECTORY", 
      "external_id": "corp.example.com",
      "lifecycle_management_enabled": true,
      "supported_capabilities": [
        "ACCESS_TARGET"
      ]
    }
  ],
  "has_more": false,
  "next_page_token": ""
}

{
  "values": [
    {
      "id": "549a4b5e-0328-4c87-a19d-ee8a2926d1aa",
      "name": "SCIM Demo Server",
      "provider_type": "SCIM",
      "external_id": "https://scim.example.com",
      "lifecycle_management_enabled": true,
      "supported_capabilities": [
        "ACCESS_TARGET"
      ],
      "available_actions": [
        {
          "action_type": "MANAGE_RELATIONSHIPS",
          "description": "Add or remove user memberships in groups",
          "supported_entity_types": ["User", "Group"],
          "supported_relationship_types": ["MemberOf"]
        }
      ],
      "syncable_attributes": [
        {
          "entity_type": "User",
          "attributes": [
            {
              "name": "userName",
              "type": "string",
              "required": true,
              "description": "Primary identifier for the user"
            },
            {
              "name": "displayName", 
              "type": "string",
              "required": false,
              "description": "Display name for the user"
            },
            {
              "name": "emails",
              "type": "array",
              "required": false,
              "description": "Email addresses associated with the user"
            }
          ]
        },
        {
          "entity_type": "Group",
          "attributes": [
            {
              "name": "displayName",
              "type": "string", 
              "required": true,
              "description": "Display name for the group"
            }
          ]
        }
      ],
      "grantable_entitlements": [
        {
          "entity_type": "Group",
          "entitlement_type": "MemberOf",
          "description": "Grant membership in the specified group"
        }
      ]
    }
  ],
  "has_more": false,
  "next_page_token": ""
}

Response Fields

Basic Datasource Information

id: Unique identifier for the datasource
name: Human-readable name of the datasource
provider_type: The type of integration (e.g., SCIM, WORKDAY, ACTIVE_DIRECTORY)
external_id: External system identifier or endpoint URL
lifecycle_management_enabled: Whether LCM is enabled for this datasource

Supported Capabilities

The supported_capabilities field indicates what operations each datasource can perform:

IDENTITY_SOURCE: Can provide identity information for lifecycle management
ACCESS_TARGET: Can receive and execute access management operations

Available Actions

The available_actions array details specific lifecycle management operations supported:

action_type: Type of action (e.g., MANAGE_RELATIONSHIPS)
description: Human-readable description of the action
supported_entity_types: Entity types this action can work with (User, Group, etc.)
supported_relationship_types: Relationship types this action can manage (MemberOf, etc.)

Syncable Attributes

The syncable_attributes array shows which entity attributes can be synchronized:

entity_type: The type of entity (User, Group, etc.)
attributes: Array of attribute definitions including:
- name: Attribute name in the target system
- type: Data type (string, array, boolean, etc.)
- required: Whether the attribute is required
- description: Purpose and usage of the attribute

Grantable Entitlements

The grantable_entitlements array shows what access can be granted through this datasource:

entity_type: Type of entity that can grant access (typically Group)
entitlement_type: Type of entitlement relationship (MemberOf, etc.)
description: What access is granted through this entitlement

Get Lifecycle Manager Datasource

Retrieve details for a specific lifecycle management datasource

Endpoint

GET /api/v1/providers/datasources/lifecycle_managers/{id}

Description

Returns detailed information for a specific lifecycle management datasource by its ID, including its supported capabilities, available actions, syncable attributes, and grantable entitlements.

API Reference

Path Parameters

Parameter

Type

Required?

Description

id

string

Required

The lifecycle management datasource ID

Request Examples

curl -X GET "$BASE_URL/api/v1/providers/datasources/lifecycle_managers/549a4b5e-0328-4c87-a19d-ee8a2926d1aa" \
  -H "authorization: Bearer $VEZA_TOKEN"

Response Examples

{
  "value": {
    "id": "549a4b5e-0328-4c87-a19d-ee8a2926d1aa",
    "name": "Workday Integration",
    "provider_type": "WORKDAY",
    "external_id": "https://wd5-impl-services1.workday.com/veza_preview",
    "lifecycle_management_enabled": true,
    "supported_capabilities": [
      "IDENTITY_SOURCE",
      "ACCESS_TARGET"
    ]
  }
}

{
  "value": {
    "id": "549a4b5e-0328-4c87-a19d-ee8a2926d1aa",
    "name": "SCIM Demo Server",
    "provider_type": "SCIM",
    "external_id": "https://scim.example.com",
    "lifecycle_management_enabled": true,
    "supported_capabilities": [
      "ACCESS_TARGET"
    ],
    "available_actions": [
      {
        "action_type": "MANAGE_RELATIONSHIPS",
        "description": "Add or remove user memberships in groups",
        "supported_entity_types": ["User", "Group"],
        "supported_relationship_types": ["MemberOf"]
      }
    ],
    "syncable_attributes": [
      {
        "entity_type": "User",
        "attributes": [
          {
            "name": "userName",
            "type": "string",
            "required": true,
            "description": "Primary identifier for the user"
          },
          {
            "name": "displayName", 
            "type": "string",
            "required": false,
            "description": "Display name for the user"
          },
          {
            "name": "emails",
            "type": "array",
            "required": false,
            "description": "Email addresses associated with the user"
          }
        ]
      },
      {
        "entity_type": "Group",
        "attributes": [
          {
            "name": "displayName",
            "type": "string", 
            "required": true,
            "description": "Display name for the group"
          }
        ]
      }
    ],
    "grantable_entitlements": [
      {
        "entity_type": "Group",
        "entitlement_type": "MemberOf",
        "description": "Grant membership in the specified group"
      }
    ]
  }
}

For detailed information about the response fields, see the List Lifecycle Manager Datasources documentation.

List by Action Type

Find lifecycle management datasources that support specific action types and entity relationships

Endpoint

Description

Returns filtered by their supported action types, entity types, and relationship types. This endpoint helps you find datasources that can perform specific lifecycle management operations.

API Reference

Query Parameters

Parameter

Type

Required?

Description

Action Type Values

Value

Name

Request Examples

Response Examples

Standard Response:

Get Parse Status

Retrieve the parsing status and details for a specific data source

Endpoint

Description

Returns the current parsing status for a specific data source, including information about the last parse operation and any errors that occurred.

API Reference

Path Parameters

Parameter

Type

Required?

Description

Request Examples

Response Examples

Standard Response:

Get Sync Status

Retrieve the synchronization status and details for a specific data source

Endpoint

Description

Returns the current synchronization status for a specific data source, including information about the last sync operation and any errors that occurred during data extraction.

API Reference

Path Parameters

Parameter

Type

Required?

Description

Request Examples

Response Examples

Standard Response:

Data Source Scheduling Configuration

Configure priority scheduling and extraction times for data sources

Overview

The Data Source Scheduling Configuration APIs allow administrators to configure advanced scheduling options for individual data sources, including:

Priority scheduling: Assign priorities (1-100) to ensure extraction jobs are processed ahead of standard data sources
Scheduled extraction times: Define specific times of day when extractions should occur (in 30-minute intervals)
Day-of-week scheduling: Restrict extractions to precise days of the week

These APIs are intended primarily for use with Veza Lifecycle Management to ensure critical data sources (such as HR systems) are refreshed at predictable times to support downstream automation workflows.

Supported Data Source Types: Scheduling configuration is designed for EXTRACTOR and DISCOVERER data source types only. Configuring scheduling for other data source types (such as PARSER) will not work as expected.

Examples

Source of Identity Scheduling

Configure HR system data sources to extract at specific times to ensure identity data is current before provisioning workflows execute:

# Configure Workday to extract weekdays at 6 AM Eastern
curl -X POST "$BASE_URL/api/private/providers/datasources/{workday_datasource_id}/scheduling_config" \
  -H "authorization: Bearer $VEZA_TOKEN" \
  -H "Content-Type: application/json" \
  --data-raw '{
    "priority": 100,
    "timezone": "America/New_York",
    "scheduled_extraction_times": ["06:00:00"],
    "scheduled_days_of_week": ["MONDAY", "TUESDAY", "WEDNESDAY", "THURSDAY", "FRIDAY"]
  }'

Prevent Extraction During Business Hours

Schedule non-critical extractions only on weekends to reduce workload during business hours:

curl -X POST "$BASE_URL/api/private/providers/datasources/{datasource_id}/scheduling_config" \
  -H "authorization: Bearer $VEZA_TOKEN" \
  -H "Content-Type: application/json" \
  --data-raw '{
    "priority": 100,
    "timezone": "America/Los_Angeles",
    "scheduled_extraction_times": ["00:00:00", "12:00:00"],
    "scheduled_days_of_week": ["SATURDAY", "SUNDAY"]
  }'

Endpoints

Method

Endpoint

Description

POST

/api/private/providers/datasources/{datasource_id}/scheduling_config

Create or update scheduling configuration

GET

/api/private/providers/datasources/{datasource_id}/scheduling_config

Get configuration for a specific data source

GET

/api/private/providers/datasources/scheduling_configs

List all scheduling configurations

DELETE

/api/private/providers/datasources/{datasource_id}/scheduling_config

Remove scheduling configuration

Create or Update Scheduling Configuration

Endpoint

POST /api/private/providers/datasources/{datasource_id}/scheduling_config

Description

Creates or updates the scheduling configuration for a specific data source. If a configuration already exists for the data source, it will be updated with the new values; otherwise, a new configuration will be created.

Path Parameters

Parameter

Type

Required?

Description

datasource_id

string (UUID)

Required

The unique identifier of the data source

Request Body

The request body contains the configuration fields directly (no wrapper object needed):

Field

Type

Required?

Description

priority

integer

Required

Priority level (1-100). Must be 100 when scheduled_extraction_times are configured

timezone

string

Conditional

IANA timezone (e.g., America/New_York). Required if scheduled_extraction_times or scheduled_days_of_week are provided

scheduled_extraction_times

array[string]

Optional

Extraction times in HH:MM:SS format. Minutes must be :00 or :30, seconds must be :00. Times must be at least 1 hour apart

scheduled_days_of_week

array[string]

Optional

Days when extractions should run: SUNDAY, MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY, SATURDAY. Requires scheduled_extraction_times to be set

Note: The datasource_id is specified in the URL path and should not be included in the request body.

Validation Rules

Priority: Must be between 1-100 (where 100 is the highest priority)
- When scheduled_extraction_times are configured, priority must be 100 to ensure jobs are processed closest to the configured times
- Priority 1-99 can be used without schedules for edge cases requiring a higher priority than standard periodic scheduling
- Extraction and parsing jobs are picked up in decreasing order of priority, followed by creation timestamp
Timezone: Required when either scheduled_extraction_times or scheduled_days_of_week are provided. Must be a valid IANA timezone
Extraction times:
- Must be in HH:MM:SS format
- Minutes must be :00 or :30 (30-minute intervals only)
- Seconds must be :00
- Minimum 1-hour gap between adjacent times
Days of the week:
- Requires scheduled_extraction_times to be non-empty
- Automatically sorted (Sunday first)
- Empty array or omitted means all days allowed
System limit: A maximum of 100 data sources can have scheduling configurations (limit will be enforced in a future release)

Request Examples

curl -X POST "$BASE_URL/api/private/providers/datasources/{datasource_id}/scheduling_config" \
  -H "authorization: Bearer $VEZA_TOKEN" \
  -H "Content-Type: application/json" \
  --data-raw '{
    "priority": 100,
    "timezone": "America/New_York",
    "scheduled_extraction_times": ["09:00:00", "13:30:00", "18:30:00"],
    "scheduled_days_of_week": ["MONDAY", "TUESDAY", "WEDNESDAY", "THURSDAY", "FRIDAY"]
  }'

curl -X POST "$BASE_URL/api/private/providers/datasources/{datasource_id}/scheduling_config" \
  -H "authorization: Bearer $VEZA_TOKEN" \
  -H "Content-Type: application/json" \
  --data-raw '{
    "priority": 100
  }'

curl -X POST "$BASE_URL/api/private/providers/datasources/{datasource_id}/scheduling_config" \
  -H "authorization: Bearer $VEZA_TOKEN" \
  -H "Content-Type: application/json" \
  --data-raw '{
    "priority": 100,
    "timezone": "America/Los_Angeles",
    "scheduled_extraction_times": ["09:00:00", "21:00:00"],
    "scheduled_days_of_week": ["SATURDAY", "SUNDAY"]
  }'

Response Examples

Standard Response:

{
  "value": {
    "datasource_id": "019a0f2b-53cd-7c5d-904f-bf2588b876d5",
    "priority": "100",
    "datasource_name": "AWS S3 (527398259632)",
    "datasource_type": "EXTRACTOR",
    "timezone": "America/New_York",
    "scheduled_extraction_times": ["09:00:00", "13:30:00", "18:30:00"],
    "created_at": "2025-10-28T02:34:27.794138246Z",
    "updated_at": "2025-10-31T19:42:43.705828675Z",
    "scheduled_days_of_week": ["MONDAY", "TUESDAY", "WEDNESDAY", "THURSDAY", "FRIDAY"]
  }
}

Error Response (Invalid Time Format):

{
  "code": "INVALID_ARGUMENT",
  "message": "invalid time format '09:15:00': only 00 and 30 minutes of the hour are supported",
  "details": []
}

Error Response (Limit Reached):

{
  "code": "INVALID_ARGUMENT",
  "message": "Cannot create scheduling configuration. Limit of 100 configurations is reached.",
  "details": []
}

Get Scheduling Configuration

Endpoint

GET /api/private/providers/datasources/{datasource_id}/scheduling_config

Description

Retrieves the scheduling configuration for a specific data source.

Path Parameters

Parameter

Type

Required?

Description

datasource_id

string (UUID)

Required

The unique identifier of the data source

Request Examples

curl -X GET "$BASE_URL/api/private/providers/datasources/{datasource_id}/scheduling_config" \
  -H "authorization: Bearer $VEZA_TOKEN"

Response Examples

Standard Response:

{
  "value": {
    "datasource_id": "0199827a-402d-7554-af7b-cb3489b68402",
    "priority": "100",
    "datasource_name": "AWS IAM Volatile (527398259632)",
    "datasource_type": "EXTRACTOR",
    "timezone": "America/New_York",
    "scheduled_extraction_times": ["09:00:00", "13:30:00", "18:30:00"],
    "created_at": "2025-10-10T12:52:11.659562336Z",
    "updated_at": "2025-10-10T12:52:11.659562336Z",
    "scheduled_days_of_week": ["MONDAY", "WEDNESDAY", "FRIDAY"]
  }
}

Error Response (Not Found):

{
  "code": "NOT_FOUND",
  "message": "datasource_scheduling_config not found",
  "details": []
}

List Scheduling Configurations

Endpoint

GET /api/private/providers/datasources/scheduling_configs

Description

Returns all scheduling configurations across all data sources in your organization.

Query Parameters

Parameter

Type

Required?

Description

datasource_type

string

Optional

Filter by datasource type: EXTRACTOR, DISCOVERER, or PARSER

Request Examples

curl -X GET "$BASE_URL/api/private/providers/datasources/scheduling_configs" \
  -H "authorization: Bearer $VEZA_TOKEN"

curl -X GET "$BASE_URL/api/private/providers/datasources/scheduling_configs?datasource_type=EXTRACTOR" \
  -H "authorization: Bearer $VEZA_TOKEN"

Response Examples

Standard Response:

{
  "values": [
    {
      "datasource_id": "0199827a-3d32-7342-9ccd-2f928ccc6855",
      "priority": "100",
      "datasource_name": "AWS Cognito (527398259632)",
      "datasource_type": "EXTRACTOR",
      "timezone": "America/New_York",
      "scheduled_extraction_times": ["00:00:00", "01:30:00", "03:00:00"],
      "created_at": "1970-01-01T00:00:01.758832260Z",
      "updated_at": "1970-01-01T00:00:01.758832260Z",
      "scheduled_days_of_week": ["MONDAY", "WEDNESDAY", "FRIDAY"]
    },
    {
      "datasource_id": "0199827a-402d-7554-af7b-cb3489b68402",
      "priority": "100",
      "datasource_name": "AWS IAM Volatile (527398259632)",
      "datasource_type": "EXTRACTOR",
      "timezone": "America/New_York",
      "scheduled_extraction_times": ["09:00:00", "13:30:00", "18:30:00"],
      "created_at": "2025-10-10T12:52:11.659562336Z",
      "updated_at": "2025-10-10T12:52:11.659562336Z",
      "scheduled_days_of_week": []
    }
  ]
}

Delete Scheduling Configuration

Endpoint

DELETE /api/private/providers/datasources/{datasource_id}/scheduling_config

Description

Removes the scheduling configuration for a specific data source. The data source will revert to standard scheduling behavior.

Path Parameters

Parameter

Type

Required?

Description

datasource_id

string (UUID)

Required

The unique identifier of the data source

Request Examples

curl -X DELETE "$BASE_URL/api/private/providers/datasources/{datasource_id}/scheduling_config" \
  -H "authorization: Bearer $VEZA_TOKEN"

Response Examples

Standard Response:

{}

List Data Sources - Get data source IDs for configuration
Get Data Source - View data source details and status
Lifecycle Management APIs - Automated identity lifecycle workflows

Cloud Platforms and Data Providers

Operations for listing, adding, and modifying cloud provider configurations

You can manage Veza integrations using the management API and a Veza admin API key.

Provider Types

Veza supports the following provider types:

AWS: Amazon Web Services accounts with support for IAM, S3, RDS, Redshift, and other services
Azure: Microsoft Azure tenants including Active Directory and SharePoint Online
Google Cloud: Google Cloud Platform projects and Google Workspace domains
Snowflake: Snowflake data warehouses and databases
SQL Server: Microsoft SQL Server instances
Trino: Trino clusters with file-based access control

For detailed integration guides, see the Integrations documentation.

Authentication

You will need an API token with administrator permissions to manage provider configurations. See API Authentication for details.

Common Provider Properties

All provider configurations share these common properties:

id (String): Unique identifier for the provider configuration
vendor_id (String): Provider-specific identifier (e.g., AWS account ID)
name (String): Display name for the provider
type (String): Provider type (AWS, AZURE, GOOGLE_CLOUD, etc.)
state (String): Current state (ENABLED, DISABLED)
data_plane_id (String): Insight Point ID used for discovery
status (String): Last discovery status (SUCCESS, PENDING, ERROR)

AWS Providers

AWS Provider Object Schema

AWS provider configurations include account credentials, regions, and service-specific settings:

{
  "id": "883dd869-8762-4187-8767-1c387de14b4b",
  "vendor_id": "123456789010",
  "name": "AWS-Production",
  "type": "AWS",
  "state": "ENABLED",
  "data_plane_id": "a2e32a80-9d64-4725-b4a9-8de6ffd0682b",
  "status": "SUCCESS",
  "account_id": "123456789010",
  "credentials_type": "ASSUME_CUSTOMER_ROLE",
  "access_key_id": "AKIA6FRNZGGIOEBZ6BEA",
  "assume_role_name": "VezaDiscoveryRole",
  "assume_role_external_id": "veza-external-id",
  "regions": [
    "us-east-1",
    "us-west-2",
    "eu-west-1"
  ],
  "db_user": "veza_user",
  "services": [
    "IAM",
    "S3",
    "RDS",
    "REDSHIFT"
  ],
  "s3_bucket_allow_list": ["prod-data-*"],
  "s3_bucket_deny_list": ["temp-*", "test-*"],
  "rds_database_allow_list": ["production"],
  "rds_database_deny_list": ["temp"]
}

AWS Configuration Fields

account_id (String): AWS account ID (12-digit number)
credentials_type (String): Authentication method - STATIC, EC2_INSTANCE_PROFILE, or ASSUME_CUSTOMER_ROLE
access_key_id (String): Access key ID for static credentials
secret_key (String): Secret access key for static credentials
assume_role_name (String): IAM role name for assume role authentication
assume_role_external_id (String): External ID for assume role authentication
regions (Array): List of AWS regions to discover
db_user (String): Database username for RDS/Redshift connections
services (Array): Specific AWS services to discover (empty array = all services)

AWS Service Discovery Options

Available service values for the services array:

IAM: Identity and Access Management
S3: Simple Storage Service
RDS: Relational Database Service
REDSHIFT: Redshift data warehouses
EC2: Elastic Compute Cloud
LAMBDA: Lambda functions
EKS: Elastic Kubernetes Service
COGNITO: Cognito user pools
SECRETS_MANAGER: Secrets Manager
KMS: Key Management Service
DYNAMODB: DynamoDB tables

AWS Resource Filtering

Use allow/deny lists to control which resources are discovered:

s3_bucket_allow_list: S3 bucket names to include (supports wildcards)
s3_bucket_deny_list: S3 bucket names to exclude
rds_database_allow_list: RDS database names to include
rds_database_deny_list: RDS database names to exclude
redshift_database_allow_list: Redshift database ARNs to include
redshift_database_deny_list: Redshift database ARNs to exclude

For detailed AWS setup instructions, see Amazon Web Services Integration.

AWS API Operations

List AWS Providers

Create AWS Provider

Get AWS Provider

Update AWS Provider

Delete AWS Provider

Get AWS Trust Policy

Check AWS Policy

Azure Providers

Azure Provider Object Schema

Azure provider configurations include tenant authentication and service settings:

{
  "id": "fa04e92f-6e0d-4285-ba58-86a20c6941ff",
  "vendor_id": "contoso.onmicrosoft.com",
  "name": "Azure-Production",
  "type": "AZURE",
  "state": "ENABLED",
  "data_plane_id": "a2e32a80-9d64-4725-b4a9-8de6ffd0682b",
  "status": "SUCCESS",
  "tenant_id": "12345678-1234-1234-1234-123456789012",
  "client_id": "87654321-4321-4321-4321-210987654321",
  "services": [
    "AZUREAD",
    "SHAREPOINT",
    "SQLSERVER"
  ],
  "gather_guest_users": true,
  "gather_disabled_users": false,
  "gather_personal_sites": true,
  "domains": ["contoso.com"],
  "sql_server_database_allow_list": ["production"],
  "sql_server_database_deny_list": ["temp"]
}

Azure Configuration Fields

tenant_id (String): Azure Active Directory tenant ID
client_id (String): Application (client) ID for service principal
client_secret (String): Client secret for authentication
auth_certificate (String): Certificate for SharePoint app-only access
auth_certificate_password (String): Certificate password
services (Array): Azure services to discover
gather_guest_users (Boolean): Include guest users in discovery
gather_disabled_users (Boolean): Include disabled users
gather_personal_sites (Boolean): Include personal SharePoint sites
domains (Array): Specific domains to discover

For detailed Azure setup instructions, see Azure Integration.

Azure API Operations

List Azure Providers

Create Azure Provider

Get Azure Provider

Update Azure Provider

Delete Azure Provider

Google Cloud Providers

Google Cloud Provider Object Schema

Google Cloud provider configurations include service account credentials and project settings:

{
  "id": "fa04e92f-6e0d-4285-ba58-86a20c6941ff",
  "vendor_id": "gcp-project-id",
  "name": "GCP-Production",
  "type": "GOOGLE_CLOUD",
  "state": "ENABLED",
  "data_plane_id": "a2e32a80-9d64-4725-b4a9-8de6ffd0682b",
  "status": "SUCCESS",
  "customer_id": "C01234567",
  "workspace_email": "[email protected]",
  "project_allow_list": ["prod-project-1", "prod-project-2"],
  "project_deny_list": ["test-*"],
  "domain_allow_list": ["company.com"],
  "domain_deny_list": [],
  "services": [
    "IAM",
    "STORAGE",
    "COMPUTE",
    "WORKSPACE",
    "BIGQUERY"
  ],
  "dataset_allow_list": ["analytics", "reporting"],
  "dataset_deny_list": ["temp_*"]
}

Google Cloud Configuration Fields

credentials_json (String): Service account key JSON
customer_id (String): Google Workspace customer ID
workspace_email (String): Workspace user email for service account impersonation
project_allow_list (Array): GCP project names to include
project_deny_list (Array): GCP project names to exclude
domain_allow_list (Array): Workspace domains to include
domain_deny_list (Array): Workspace domains to exclude
dataset_allow_list (Array): BigQuery dataset names to include
dataset_deny_list (Array): BigQuery dataset names to exclude

For detailed Google Cloud setup instructions, see Google Cloud Integration.

Google Cloud API Operations

List Google Cloud Providers

Create Google Cloud Provider

Get Google Cloud Provider

Update Google Cloud Provider

Delete Google Cloud Provider

Snowflake Providers

Snowflake Provider Object Schema

Snowflake provider configurations include connection details and database filtering:

{
  "id": "fa04e92f-6e0d-4285-ba58-86a20c6941ff",
  "vendor_id": "xy12345.us-east-1",
  "name": "Snowflake-Production",
  "type": "SNOWFLAKE",
  "state": "ENABLED",
  "data_plane_id": "a2e32a80-9d64-4725-b4a9-8de6ffd0682b",
  "status": "SUCCESS",
  "account_locator": "xy12345",
  "region": "us-east-1",
  "cloud": "aws",
  "user": "veza_user",
  "role": "VEZA_ROLE",
  "warehouse": "COMPUTE_WH",
  "database_allow_list": ["PROD_DB", "ANALYTICS_DB"],
  "database_deny_list": ["TEMP_DB", "TEST_DB"]
}

Snowflake Configuration Fields

account_locator (String): Snowflake account locator (e.g., "xy12345")
region (String): Cloud region for the Snowflake account
cloud (String): Cloud provider ("aws", "azure", or "gcp")
user (String): Snowflake username for authentication
password (String): Password for the Snowflake user
role (String): Snowflake role to use for queries
warehouse (String): Default warehouse for compute
database_allow_list (Array): Database names to include
database_deny_list (Array): Database names to exclude

For detailed Snowflake setup instructions, see Snowflake Integration.

Snowflake API Operations

List Snowflake Providers

Create Snowflake Provider

Get Snowflake Provider

Update Snowflake Provider

Delete Snowflake Provider

SQL Server Providers

SQL Server Provider Object Schema

SQL Server provider configurations include connection details and database filtering:

{
  "id": "90112ed7-47e7-48e6-9f05-c02d19d7f137",
  "vendor_id": "sqlserver.company.com",
  "name": "SQL-Production",
  "type": "SQL_SERVER",
  "state": "ENABLED",
  "data_plane_id": "a2e32a80-9d64-4725-b4a9-8de6ffd0682b",
  "status": "SUCCESS",
  "host": "sqlserver.company.com",
  "port": 1433,
  "username": "veza_user",
  "database_allow_list": ["ProductionDB", "AnalyticsDB"],
  "database_deny_list": ["TempDB", "TestDB"],
  "schema_allow_list": ["dbo", "analytics"],
  "schema_deny_list": ["temp"]
}

SQL Server Configuration Fields

host (String): SQL Server hostname or IP address
port (Integer): Port number (typically 1433)
username (String): SQL Server username
password (String): Password for authentication
database_allow_list (Array): Database names to include
database_deny_list (Array): Database names to exclude
schema_allow_list (Array): Schema names to include
schema_deny_list (Array): Schema names to exclude

For detailed SQL Server setup instructions, see SQL Server Integration.

SQL Server API Operations

List SQL Server Providers

Create SQL Server Provider

Get SQL Server Provider

Update SQL Server Provider

Delete SQL Server Provider

Trino Providers

Trino Provider Object Schema

Trino provider configurations include cluster connection details and S3 access control file settings:

{
  "id": "fa04e92f-6e0d-4285-ba58-86a20c6941ff",
  "vendor_id": "trino.company.com",
  "name": "Trino-Production",
  "type": "TRINO",
  "state": "ENABLED",
  "data_plane_id": "a2e32a80-9d64-4725-b4a9-8de6ffd0682b",
  "status": "SUCCESS",
  "host": "trino.company.com",
  "port": 8080,
  "username": "veza_user",
  "aws_s3_object_config": {
    "access_key": "AKIA...",
    "region": "us-east-1",
    "bucket": "trino-config",
    "object": "access-control.properties",
    "credentials_type": "STATIC",
    "assume_role_name": "",
    "account_id": ""
  },
  "ssl_certificate": "-----BEGIN CERTIFICATE-----\n..."
}

Trino Configuration Fields

host (String): Trino coordinator hostname
port (Integer): Trino coordinator port (typically 8080 or 8443)
username (String): Trino username
password (String): Password for authentication
aws_s3_object_config (Object): S3 configuration for access control file
ssl_certificate (String): TLS certificate for secure connections

S3 Object Configuration

The aws_s3_object_config object contains:

access_key (String): AWS access key ID
secret_key (String): AWS secret access key
region (String): S3 bucket region
bucket (String): S3 bucket name
object (String): Path to access control file
credentials_type (String): Authentication method
assume_role_name (String): IAM role name (for assume role)
assume_role_external_id (String): External ID for assume role
account_id (String): AWS account ID

For detailed Trino setup instructions, see Trino Integration.

Trino API Operations

List Trino Providers

Create Trino Provider

Get Trino Provider

Update Trino Provider

Delete Trino Provider

Error Handling

All provider API operations return standard HTTP status codes:

200 OK: Request successful
400 Bad Request: Invalid request parameters or payload
401 Unauthorized: Invalid or missing API token
403 Forbidden: Insufficient permissions
404 Not Found: Provider configuration not found
409 Conflict: Provider configuration already exists
500 Internal Server Error: Server error

Error responses include a descriptive message and error code:

{
  "error": {
    "code": "INVALID_CREDENTIALS",
    "message": "The provided credentials are invalid or expired",
    "details": "AWS STS AssumeRole failed with error: Access denied"
  }
}

Best Practices

When managing provider configurations:

Use descriptive names that identify the environment and purpose
Implement least privilege by configuring only necessary services and resources
Use allow lists rather than deny lists when possible for better security
Test configurations in development environments before production
Monitor discovery status regularly to ensure successful data collection
Rotate credentials according to your organization's security policies
Use assume role authentication for AWS providers when possible
Configure resource filtering to limit discovery scope and improve performance

Identity Providers

API endpoints for configuring Okta and OneLogin

You can manage Veza Identity Provider integrations using the management API and a Veza admin API key.

AzureAD and Google Workspace identities are discovered by adding the associated Google Cloud account or Azure tenant as a cloud provider.

providers/activedirectory
providers/okta
providers/onelogin

`providers/activedirectory`

See the configuration guide for the prerequisite steps to integrate Active Directory with Veza. An AD configuration has the following parameters:

{
  "ad_fqdn": "FQDN.NAME.ON.CERT",
  "name": "Test-AD",
  "host": "FQDN.FOR.DOMAIN.CONTROLLER",
  "port": 636,
  "ldaps_certificate": "Base64 Encoded String of PEM format",
  "username": "ADMIN",
  "password": "PASSWORD",
  "domains": ["FQDN.OF.DOMAIN"],
  "data_plane_id": "DATAPLAN_ID"
}

List Active Directory Providers

curl --location --request GET '/api/v1/providers/activedirectory' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer TOKEN'

The response will include all existing configurations, in the format:

{
    "values": [
        {
            "id": "interation-GUID",
            "vendor_id": "domain.controller.FQDN",
            "name": "ad_cct01",
            "type": "ACTIVE_DIRECTORY",
            "state": "ENABLED",
            "data_plane_id": "insight-point-GUID",
            "status": "SUCCESS",
            "host": "domain.controller.FQDN",
            "port": 636,
            "username": "read.only",
            "domains": [
                "corp.cookie.ai"
            ],
            "ad_fqdn": "cct01-ad-01.corp.cookie.ai",
            "identity_mapping_configuration": null
        }
    ]
}

Create Active Directory Provider

curl --location --request POST '/api/v1/providers/activedirectory' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer TOKEN' \
--header 'Content-Type: application/json' \
--data-raw '{
  "ad_fqdn": "FQDN.NAME.ON.CERT",
  "name": "Test-AD",
  "host": "FQDN.FOR.DOMAIN.CONTROLLER",
  "port": 636,
  "ldaps_certificate": "Base64 Encoded String of PEM format",
  "username": "ADMIN",
  "password": "PASSWORD",
  "domains": ["FQDN.OF.DOMAIN"],
  "data_plane_id": "DATAPLAN_ID"
}'

Get Active Directory Provider

curl --location --request POST '/api/v1/providers/activedirectory' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer TOKEN' \
--header 'Content-Type: application/json' \
--data-raw '{
  "ad_fqdn": "FQDN.NAME.ON.CERT",
  "name": "Test-AD",
  "host": "FQDN.FOR.DOMAIN.CONTROLLER",
  "port": 636,
  "ldaps_certificate": "Base64 Encoded String of PEM format",
  "username": "ADMIN",
  "password": "PASSWORD",
  "domains": ["FQDN.OF.DOMAIN"],
  "data_plane_id": "DATAPLAN_ID"
}'

Delete Active Directory Provider

curl --location --request DELETE '/api/v1/providers/activedirectory/{{provider_id}}' \
--header 'Authorization: Bearer TOKEN'

Update Active Directory Provider

curl --location --request PATCH '/api/v1/providers/azure/{{provider_id}}' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer TOKEN' \
--header 'Content-Type: application/json' \
--data-raw '{
    "port": 636
}'

`providers/okta`

An Okta configuration includes connection information and credentials, as well as any limits on apps and domains to extract:

{
  "id": "string",
  "domain": "string",
  "region": "string",
  "token": "string",
  "gather_all_applications": true,
  "domain_allow_list": [
    "string"
  ],
  "domain_deny_list": [
    "string"
  ],
  "app_allow_list": [
    "string"
  ],
  "app_deny_list": [
    "string"
  ]
}

See the Okta integration guide for more details on retrieving an Okta API token and registering your domain with Veza.

List Okta Providers

List Okta Providers

GET {{vezaURL}}/api/v1/providers/okta

Get the configuration and status for all configured Okta integrations.

* indicates a required field.

{
  "values": [
    {
      "id": "string",
      "vendor_id": "string",
      "name": "string",
      "type": "UNKNOWN_PROVIDER",
      "state": "STARTED",
      "data_plane_id": "string",
      "status": "PENDING",
      "domain": "string"
    }
  ]
}

Create Okta Provider

Create Okta Provider

POST {{vezaURL}}/api/v1/providers/okta

Submit a new Okta provider configuration.

* indicates a required field.

Request Body

Name

Type

Description

name*

string

Name for the Okta Provider

domain*

string

Okta domain

region*

string

The Okta region

us

data_plane_id

string

Provide if connecting via an Insight Point

token*

string

Okta API token

gather_all_applications

boolean

Whether to extract all apps or only selected

domain_allow_list

string list

Domains to explicitly allow

domain_deny_list

string list

Domains to exclude from discovery

app_allow_list

string list

Apps to explicitly allow

app_deny_list

string list

Apps to exclude from discovery

{
  "values": [
    {
      "id": "string",
      "vendor_id": "string",
      "name": "string",
      "type": "UNKNOWN_PROVIDER",
      "state": "STARTED",
      "data_plane_id": "string",
      "status": "PENDING",
      "domain": "string"
    }
  ]
}

Get Okta Provider

Get Okta Provider

GET {{vezaURL}}/api/v1/providers/okta/{id}

Get an individual Okta provider configuration.

* indicates a required field.

Path Parameters

Name

Type

Description

id*

string

The Okta provider configuration ID

{
  "value": {
    "id": "string",
    "vendor_id": "string",
    "name": "string",
    "type": "UNKNOWN_PROVIDER",
    "state": "STARTED",
    "data_plane_id": "string",
    "status": "PENDING",
    "domain": "string"
  }
}

Delete Okta Provider

Delete Okta Provider

DELETE {{vezaURL}}/api/v1/providers/okta/{id}

Delete an Okta provider, removing all associated entities from Veza.

* indicates a required field.

Path Parameters

Name

Type

Description

string

ID of the configuration to delete

{}

Update Okta Provider

Update Okta Provider

PATCH {{vezaURL}}/api/v1/providers/okta/{id}

Update an existing provider configuration with new properties.

* indicates a required field.

Path Parameters

Name

Type

Description

{id}*

string

The Okta provider configuration ID

Query Parameters

Name

Type

Description

update_mask.paths

array[string]

the set of field mask paths

Request Body

Name

Type

Description

domain

string

region

string

token

string

{
  "value": {
    "id": "string",
    "vendor_id": "string",
    "name": "string",
    "type": "UNKNOWN_PROVIDER",
    "state": "STARTED",
    "data_plane_id": "string",
    "status": "PENDING",
    "domain": "string"
  }
}

`providers/onelogin`

A OneLogin configuration includes the domain, region, and credentials to use for the connection:

{
  "name": "string",
  "domain": "string",
  "region": "string",
  "client_id": "string",
  "client_secret": "string",
  "data_plane_id": "string"
}

See connecting to OneLogin for steps to generate credentials for Veza-OneLogin API access.

List OneLogin Providers

List OneLogin Providers

GET {{vezaURL}}/api/v1/providers/onelogin

Gets all configured OneLogin providers.

* indicates a required field.

{
  "values": [
    {
      "id": "string",
      "vendor_id": "string",
      "name": "string",
      "type": "UNKNOWN_PROVIDER",
      "state": "STARTED",
      "data_plane_id": "string",
      "status": "PENDING",
      "domain": "string",
      "region": "string",
      "client_id": "string"
    }
  ]
}

Create OneLogin Provider

Create OneLogin Provider

POST {{vezaURL}}/api/v1/providers/onelogin

Submit a new OneLogin provider configuration. See

OneLogin

for more information about enabling Veza access to OneLogin metadata.

* indicates a required field.

Path Parameters

Name

Type

Description

name*

string

The name to show in Veza

domain*

string

Your company's OneLogin domain

region*

string

The region of the Onelogin instance, e.g.

us

client_id*

string

Client ID for the OneLogin key pair

client_secret*

string

Client Secret for the OneLogin ID pair

data_plane_id

string

Insight Point ID to use for the connection

{
  "value": {
    "id": "string",
    "vendor_id": "string",
    "name": "string",
    "type": "UNKNOWN_PROVIDER",
    "state": "STARTED",
    "data_plane_id": "string",
    "status": "PENDING",
    "domain": "string",
    "region": "string",
    "client_id": "string"
  }
}

Get OneLogin Provider

Get OneLogin Provider

GET {{vezaURL}}/api/v1/providers/onelogin/{id}

Return the status and configuration for a single OneLogin provider configuration.

* indicates a required field.

Path Parameters

Name

Type

Description

id*

string

OneLogin provider ID

{
  "value": {
    "id": "string",
    "vendor_id": "string",
    "name": "string",
    "type": "UNKNOWN_PROVIDER",
    "state": "STARTED",
    "data_plane_id": "string",
    "status": "PENDING",
    "domain": "string",
    "region": "string",
    "client_id": "string"
  }
}

Delete OneLogin Provider

Delete Onelogin Provider

DELETE {{vezaURL}}/api/v1/providers/onelogin/{id}

Delete a OneLogin configuration and its discovered entities.

* indicates a required field.

Path Parameters

Name

Type

Description

id*

string

The OneLogin configuration to delete

{}

Update OneLogin Provider

Update OneLogin Provider

PATCH {{VezaURL}}/api/v1/providers/onelogin/{id}

Update a OneLogin provider configuration. You can provide field mask paths to only update specific fields.

* indicates a required field.

Path Parameters

Name

Type

Description

{id}*

string

ID of the OneLogin configuration to update

Query Parameters

Name

Type

Description

update_mask.paths

array[string]

The set of field mask paths

Request Body

Name

Type

Description

name*

string

domain*

string

region*

string

client_id*

string

client_secret*

string

data_plane_id

string

{
  "values": [
    {
      "id": "string",
      "vendor_id": "string",
      "name": "string",
      "type": "UNKNOWN_PROVIDER",
      "state": "STARTED",
      "data_plane_id": "string",
      "status": "PENDING",
      "domain": "string",
      "region": "string",
      "client_id": "string"
    }
  ]
}

Integration APIs

Authentication

Sample Integrations and Tools

Open Authorization APIs

Enable/Disable Providers

Enable Provider

Disable Provider

Cloud Platforms and Data Providers

Provider Types

Authentication

Common Provider Properties

AWS Providers

AWS Provider Object Schema

AWS Configuration Fields

AWS Service Discovery Options

AWS Resource Filtering

AWS API Operations

List AWS Providers

Create AWS Provider

Get AWS Provider

Update AWS Provider

Delete AWS Provider

Get AWS Trust Policy

Check AWS Policy

Azure Providers

Azure Provider Object Schema

Azure Configuration Fields

Azure API Operations

List Azure Providers

Create Azure Provider

Get Azure Provider

Update Azure Provider

Delete Azure Provider

Google Cloud Providers

Google Cloud Provider Object Schema

Google Cloud Configuration Fields

Google Cloud API Operations

List Google Cloud Providers

Create Google Cloud Provider

Get Google Cloud Provider

Update Google Cloud Provider

Delete Google Cloud Provider

Snowflake Providers

Snowflake Provider Object Schema

Snowflake Configuration Fields

Snowflake API Operations

List Snowflake Providers

Create Snowflake Provider

Get Snowflake Provider

Update Snowflake Provider

Delete Snowflake Provider

SQL Server Providers

SQL Server Provider Object Schema

SQL Server Configuration Fields

SQL Server API Operations

List SQL Server Providers

Create SQL Server Provider

Get SQL Server Provider

Update SQL Server Provider

Delete SQL Server Provider

Trino Providers

Trino Provider Object Schema

Trino Configuration Fields

S3 Object Configuration

Trino API Operations

List Trino Providers

Create Trino Provider

Get Trino Provider

Update Trino Provider

Delete Trino Provider

Error Handling

Best Practices

Related Documentation

Disable AWS Services using Provider Management APIs

Overview

Before you start

Disable specific AWS services across providers

Step 1: Discover your current AWS providers

Step 2: Identify target providers and services

Step 3: Test with a single provider

`providers/activedirectory`

`providers/okta`

`providers/onelogin`