Operations for listing, creating, deleting, and updating users and teams.
These APIs provide an interface for managing users and teams in Veza.
Retrieve a list of all teams. This endpoint allows filtering and sorting of the returned teams.
Create a new team, scoped to the specified provider IDs:
{
"name": "AWS Dev Team",
"policy_type": "PROVIDER_ID_SET",
"providers": [
{
"id": "10fc60da-9df6-4495-ae0f-abf92e0bd715",
}
],
"description": "Limited to aws_dev account",
"sso_alias": "AWS Dev Team"
}The team policy_type determines the scope of integrations for the team. The value can be UNBOUND or PROVIDER_ID_SET:
PROVIDER_ID_SET: Users can only see data and manage integrations for the listed providers, specified by id.
UNBOUND: Users can access all providers, similar to the root team. Users on this team will share a unique set of reports and saved queries.
Fetch details of a specific team by providing the team ID.
Remove a team from the system using the team ID.
Update details of an existing team. The PUT method replaces the entire team entity, while PATCH allows for partial updates.
Create a new user with details such as name, email, and team assignments.
A user object includes basic attributes and team and role assignments:
{
"name": "Demo User",
"email": "[email protected]",
"password": "password",
"team_roles": [
{
"team_id": "613df06e-9a40-4331-947c-5c327b54b228",
"role_id": "39b50a23-da71-4d02-8504-21038fe49a2f"
}
]
}Change team roles or persona for an existing user. This endpoint supports partial updates.
Retrieve details of a specific user by user ID. You can use "self" instead of an ID to retrieve current user details.
Delete a user from the system by ID.
Returns a paginated list of all roles available in the Veza, including role ID, name, and the associated permissions. Use this operation to get role IDs to assign team roles for users.
GET /api/v1/teams HTTP/1.1
Host:
Authorization: Bearer Bearer <API key>
Accept: */*
{
"values": [
{
"id": "text",
"name": "text",
"policy_type": 1,
"providers": [
{
"id": "text",
"name": "text",
"type": 1
}
],
"created_at": "2025-07-13T13:44:17.265Z",
"updated_at": "2025-07-13T13:44:17.265Z",
"description": "text",
"user_count": 1,
"sso_alias": "text"
}
],
"next_page_token": "text",
"has_more": true
}POST /api/v1/teams HTTP/1.1
Host:
Authorization: Bearer Bearer <API key>
Content-Type: application/json
Accept: */*
Content-Length: 99
{
"name": "text",
"policy_type": 1,
"providers": [
{
"id": "text"
}
],
"description": "text",
"sso_alias": "text"
}{
"value": {
"id": "text",
"name": "text",
"policy_type": 1,
"providers": [
{
"id": "text",
"name": "text",
"type": 1
}
],
"created_at": "2025-07-13T13:44:17.265Z",
"updated_at": "2025-07-13T13:44:17.265Z",
"description": "text",
"user_count": 1,
"sso_alias": "text"
}
}GET /api/v1/teams/{id} HTTP/1.1
Host:
Authorization: Bearer Bearer <API key>
Accept: */*
{
"value": {
"id": "text",
"name": "text",
"policy_type": 1,
"providers": [
{
"id": "text",
"name": "text",
"type": 1
}
],
"created_at": "2025-07-13T13:44:17.265Z",
"updated_at": "2025-07-13T13:44:17.265Z",
"description": "text",
"user_count": 1,
"sso_alias": "text"
}
}DELETE /api/v1/teams/{id} HTTP/1.1
Host:
Authorization: Bearer Bearer <API key>
Accept: */*
{}PUT /api/v1/teams/{value.id} HTTP/1.1
Host:
Authorization: Bearer Bearer <API key>
Content-Type: application/json
Accept: */*
Content-Length: 111
{
"id": "text",
"name": "text",
"policy_type": 1,
"providers": [
{
"id": "text"
}
],
"description": "text",
"sso_alias": "text"
}{
"value": {
"id": "text",
"name": "text",
"policy_type": 1,
"providers": [
{
"id": "text",
"name": "text",
"type": 1
}
],
"created_at": "2025-07-13T13:44:17.265Z",
"updated_at": "2025-07-13T13:44:17.265Z",
"description": "text",
"user_count": 1,
"sso_alias": "text"
}
}PATCH /api/v1/teams/{value.id} HTTP/1.1
Host:
Authorization: Bearer Bearer <API key>
Content-Type: application/json
Accept: */*
Content-Length: 111
{
"id": "text",
"name": "text",
"policy_type": 1,
"providers": [
{
"id": "text"
}
],
"description": "text",
"sso_alias": "text"
}{
"value": {
"id": "text",
"name": "text",
"policy_type": 1,
"providers": [
{
"id": "text",
"name": "text",
"type": 1
}
],
"created_at": "2025-07-13T13:44:17.265Z",
"updated_at": "2025-07-13T13:44:17.265Z",
"description": "text",
"user_count": 1,
"sso_alias": "text"
}
}POST /api/v1/users HTTP/1.1
Host:
Authorization: Bearer Bearer <API key>
Content-Type: application/json
Accept: */*
Content-Length: 250
{
"name": "text",
"email": "text",
"password": "text",
"persona": 1,
"team_roles": [
{
"team_id": "text",
"role_id": "text"
}
],
"digest_settings": [
{
"digest_id": "text",
"digest_name": "text",
"frequency": 1
}
],
"given_name": "text",
"family_name": "text",
"display_name": "text"
}{
"id": "text"
}PATCH /api/v1/users/{value.id} HTTP/1.1
Host:
Authorization: Bearer Bearer <API key>
Content-Type: application/json
Accept: */*
Content-Length: 473
{
"id": "text",
"name": "text",
"display_name": "text",
"given_name": "text",
"family_name": "text",
"email": "text",
"enabled": true,
"auth_provider_type": 1,
"persona": 1,
"options": {
"can_change_password": true,
"has_mfa": true,
"can_change_roles": true,
"can_disable": true,
"can_delete": true,
"can_edit_name": true,
"can_extend_support": true,
"can_remove_from_teams": true
},
"team_roles": [
{
"team_id": "text",
"role_id": "text"
}
],
"digest_settings": [
{
"digest_id": "text",
"digest_name": "text",
"frequency": 1
}
]
}{
"value": {
"id": "text",
"name": "text",
"display_name": "text",
"given_name": "text",
"family_name": "text",
"email": "text",
"enabled": true,
"last_login_at": "2025-07-13T13:44:17.265Z",
"last_refresh_at": "2025-07-13T13:44:17.265Z",
"created_at": "2025-07-13T13:44:17.265Z",
"updated_at": "2025-07-13T13:44:17.265Z",
"logins_lifetime": "text",
"auth_provider_type": 1,
"persona": 1,
"options": {
"can_change_password": true,
"has_mfa": true,
"can_change_roles": true,
"can_disable": true,
"can_delete": true,
"can_edit_name": true,
"can_extend_support": true,
"can_remove_from_teams": true
},
"team_roles": [
{
"team_id": "text",
"team_name": "text",
"role_id": "text",
"role_name": "text"
}
],
"digest_settings": [
{
"digest_id": "text",
"digest_name": "text",
"frequency": 1
}
],
"expires_at": "2025-07-13T13:44:17.265Z"
}
}GET /api/v1/users/{id} HTTP/1.1
Host:
Authorization: Bearer Bearer <API key>
Accept: */*
{
"id": "text",
"name": "text",
"display_name": "text",
"given_name": "text",
"family_name": "text",
"email": "text",
"enabled": true,
"last_login_at": "2025-07-13T13:44:17.265Z",
"last_refresh_at": "2025-07-13T13:44:17.265Z",
"created_at": "2025-07-13T13:44:17.265Z",
"updated_at": "2025-07-13T13:44:17.265Z",
"logins_lifetime": "text",
"auth_provider_type": 1,
"persona": 1,
"options": {
"can_change_password": true,
"has_mfa": true,
"can_change_roles": true,
"can_disable": true,
"can_delete": true,
"can_edit_name": true,
"can_extend_support": true,
"can_remove_from_teams": true
},
"team_roles": [
{
"team_id": "text",
"team_name": "text",
"role_id": "text",
"role_name": "text"
}
],
"digest_settings": [
{
"digest_id": "text",
"digest_name": "text",
"frequency": 1
}
],
"expires_at": "2025-07-13T13:44:17.265Z"
}DELETE /api/v1/users/{id} HTTP/1.1
Host:
Authorization: Bearer Bearer <API key>
Accept: */*
{
"value": {
"id": "text",
"name": "text",
"display_name": "text",
"given_name": "text",
"family_name": "text",
"email": "text",
"enabled": true,
"last_login_at": "2025-07-13T13:44:17.265Z",
"last_refresh_at": "2025-07-13T13:44:17.265Z",
"created_at": "2025-07-13T13:44:17.265Z",
"updated_at": "2025-07-13T13:44:17.265Z",
"logins_lifetime": "text",
"auth_provider_type": 1,
"persona": 1,
"options": {
"can_change_password": true,
"has_mfa": true,
"can_change_roles": true,
"can_disable": true,
"can_delete": true,
"can_edit_name": true,
"can_extend_support": true,
"can_remove_from_teams": true
},
"team_roles": [
{
"team_id": "text",
"team_name": "text",
"role_id": "text",
"role_name": "text"
}
],
"digest_settings": [
{
"digest_id": "text",
"digest_name": "text",
"frequency": 1
}
],
"expires_at": "2025-07-13T13:44:17.265Z"
}
}GET /api/v1/roles HTTP/1.1
Host:
Authorization: Bearer Bearer <API key>
Accept: */*
{
"roles": [
{
"id": "text",
"name": "text",
"permissions": [
"text"
]
}
],
"next_page_token": "text",
"has_more": true
}Team API keys are designed for service accounts that manage Open Authorization API (OAA) integrations assigned to a team. Similar to personal API keys, these keys authenticate API requests, and can be revoked or reinstated to control programmatic access to Veza. Each key is associated with a single team and has the oaa_push role, restricted to specific read and write operations for creating and updating OAA data sources.
Team API keys are limited to the following operations:
Administrators can create and manage team API keys using the endpoints documented below. Note that Team API Keys are currently provided as an early access feature, and /preview/ API operations are subject to change as capabilities are added or modified.
Method: GET Endpoint: /api/preview/teamkeys
Returns API key details such as last activity time and status. If the query includes a team_id filter expression, only keys for that team are listed.
Note: When using a personal API key for a non-root team, the team_id filter is automatically applied. Only root team administrators can view keys across all teams.
Example Request:
curl -X GET "https://<base-url>/api/preview/teamkeys?filter=team_id+eq+%2260437fa0-15ab-4c1f-a211-010543ac8a89%22" \
-H "accept: application/json"Example Response:
{
"values": [
{
"id": "54807783-c5ec-4efd-9d1b-853bada658dd",
"access_key": "",
"name": "AWS Team Key",
"created_at": "2024-06-25T08:30:17.087351612Z",
"last_access_at": "2024-06-25T08:30:17.087351612Z",
"status": "ACTIVE",
"team_id": "60437fa0-15ab-4c1f-a211-010543ac8a89"
}
],
"next_page_token": ""
}Method: POST Endpoint: /api/preview/teamkeys
Create an API key by providing a key name and team team_id. The response includes the access_key, which cannot be retrieved again.
Example Request:
curl -X POST "https://<base-url>/api/preview/teamkeys" \
-H "accept: application/json" \
-H "content-type: application/json" \
-d '{"name":"New Team API Key","team_id":"60437fa0-15ab-4c1f-a211-010543ac8a89"}'Example Response:
{
"value": {
"id": "7ddd5e0c-29cd-41c5-b41f-884b2d24b05d",
"access_key": "<access key>",
"name": "New Team API Key",
"created_at": "2024-08-26T21:29:59.409761363Z",
"last_access_at": "2024-08-26T21:29:59.409761363Z",
"status": "ACTIVE",
"team_id": "60437fa0-15ab-4c1f-a211-010543ac8a89"
}
}Method: DELETE Endpoint: /api/preview/teamkeys/{id}
Permanently delete a team API key.
Example Request:
curl -X DELETE "https://<base-url>/api/preview/teamkeys/7ddd5e0c-29cd-41c5-b41f-884b2d24b05d" \
-H "accept: application/json"Example Response:
{
"value": {
"id": "7ddd5e0c-29cd-41c5-b41f-884b2d24b05d",
"access_key": "",
"name": "Updated API Key",
"created_at": "2024-08-26T21:29:59.409761363Z",
"last_access_at": "2024-08-26T21:29:59.409761363Z",
"status": "INACTIVE",
"team_id": "60437fa0-15ab-4c1f-a211-010543ac8a89"
}
}Method: POST Endpoint: /api/preview/teamkeys/{id}:revoke
Suspend usage of a team API key, changing the status to INACTIVE.
Example Request:
curl -X POST "https://<base-url>/api/preview/teamkeys/7ddd5e0c-29cd-41c5-b41f-884b2d24b05d:revoke" \
-H "accept: application/json"Example Response:
{}Method: POST Endpoint: /api/preview/teamkeys/{id}:reinstate
Reinstates a previously revoked team API key, changing the status to ACTIVE.
Example Request:
curl -X POST "https://<base-url>/api/preview/teamkeys/7ddd5e0c-29cd-41c5-b41f-884b2d24b05d:reinstate" \
-H "accept: application/json"Example Response:
{}Method: PATCH Endpoint: /api/preview/teamkeys/{value.id}
Use this operation to update the display name of a team API key.
Example Request:
curl -X PATCH "https://<base-url>/api/preview/teamkeys/7ddd5e0c-29cd-41c5-b41f-884b2d24b05d" \
-H "accept: application/json"\
-H "content-type: application/json" \
-d '{"name":"Updated API Key"}'Example Response:
{
"value": {
"id": "7ddd5e0c-29cd-41c5-b41f-884b2d24b05d",
"access_key": "",
"name": "Updated API Key",
"created_at": "2024-08-26T21:29:59.409761363Z",
"last_access_at": "2024-08-26T21:29:59.409761363Z",
"status": "ACTIVE",
"team_id": "60437fa0-15ab-4c1f-a211-010543ac8a89"
}
}[team_id] String to filter API keys belonging to a specific team. If empty, list all team keys in scope
GET /api/preview/teamkeys HTTP/1.1
Host:
Authorization: Bearer Bearer <API key>
Accept: */*
{
"values": [
{
"id": "text",
"access_key": "text",
"name": "text",
"created_at": "2025-07-13T13:44:17.265Z",
"last_access_at": "2025-07-13T13:44:17.265Z",
"status": 1,
"team_id": "text",
"team_name": "text"
}
],
"next_page_token": "text"
}Human friendly name
Service account's team ID
POST /api/preview/teamkeys HTTP/1.1
Host:
Authorization: Bearer Bearer <API key>
Content-Type: application/json
Accept: */*
Content-Length: 32
{
"name": "text",
"team_id": "text"
}{
"value": {
"id": "text",
"access_key": "text",
"name": "text",
"created_at": "2025-07-13T13:44:17.265Z",
"last_access_at": "2025-07-13T13:44:17.265Z",
"status": 1,
"team_id": "text",
"team_name": "text"
}
}DELETE /api/preview/teamkeys/{id} HTTP/1.1
Host:
Authorization: Bearer Bearer <API key>
Accept: */*
{
"value": {
"id": "text",
"access_key": "text",
"name": "text",
"created_at": "2025-07-13T13:44:17.265Z",
"last_access_at": "2025-07-13T13:44:17.265Z",
"status": 1,
"team_id": "text",
"team_name": "text"
}
}API Key
The unique identifier of this API key.
Base64 encoded access token. Only available when creating a key
User provided name for this key
ISO-8601 timestamp of when this key was created
ISO-8601 timestamp of when this key was last updated
Status of the key. Key is ACTIVE or INACTIVE. API keys can only be used when they are ACTIVE
Team ID that this key belongs to
Team Name that this key belongs to
PATCH /api/preview/teamkeys/{value.id} HTTP/1.1
Host:
Authorization: Bearer Bearer <API key>
Content-Type: application/json
Accept: */*
Content-Length: 44
{
"id": "text",
"name": "text",
"team_id": "text"
}{
"value": {
"id": "text",
"access_key": "text",
"name": "text",
"created_at": "2025-07-13T13:44:17.265Z",
"last_access_at": "2025-07-13T13:44:17.265Z",
"status": 1,
"team_id": "text",
"team_name": "text"
}
}