1 of 2

Team and User Management APIs

Operations for listing, creating, deleting, and updating users and teams.

Overview

These APIs provide an interface for managing users and teams in Veza.

Get Teams
Create Team

Retrieve a list of all teams. This endpoint allows filtering and sorting of the returned teams.

Create a new team, scoped to the specified provider IDs:

The team policy_type determines the scope of integrations for the team. The value can be UNBOUND or PROVIDER_ID_SET:

PROVIDER_ID_SET: Users can only see data and manage integrations for the listed providers, specified by id.
UNBOUND: Users can access all providers, similar to the root team. Users on this team will share a unique set of reports and saved queries.

Fetch details of a specific team by providing the team ID.

Remove a team from the system using the team ID.

Update details of an existing team. The PUT method replaces the entire team entity, while PATCH allows for partial updates.

Create a new user with details such as name, email, and team assignments.

A user object includes basic attributes and team and role assignments:

Change team roles or persona for an existing user. This endpoint supports partial updates.

Retrieve details of a specific user by user ID. You can use "self" instead of an ID to retrieve current user details.

Delete a user from the system by ID.

Returns a paginated list of all roles available in the Veza, including role ID, name, and the associated permissions. Use this operation to get role IDs to assign team roles for users.

Team API Keys

Overview

Team API keys are designed for service accounts that manage Open Authorization API (OAA) integrations assigned to a team. Similar to personal API keys, these keys authenticate API requests, and can be revoked or reinstated to control programmatic access to Veza. Each key is associated with a single team and has the oaa_push role, restricted to specific read and write operations for creating and updating OAA data sources.

Team API keys are limited to the following operations:

Create Custom Provider Data Source

Administrators can create and manage team API keys using the endpoints documented below. Note that Team API Keys are currently provided as an early access feature, and /preview/ API operations are subject to change as capabilities are added or modified.

Method: GET Endpoint: /api/preview/teamkeys

Returns API key details such as last activity time and status. If the query includes a team_id filter expression, only keys for that team are listed.

Note: When using a personal API key for a , the team_id filter is automatically applied. Only root team administrators can view keys across all teams.

Example Request:

Example Response:

Method: POST Endpoint: /api/preview/teamkeys

Create an API key by providing a key name and team team_id. The response includes the access_key, which cannot be retrieved again.

Example Request:

Example Response:

Method: DELETE Endpoint: /api/preview/teamkeys/{id}

Permanently delete a team API key.

Example Request:

Example Response:

Method: POST Endpoint: /api/preview/teamkeys/{id}:revoke

Suspend usage of a team API key, changing the status to INACTIVE.

Example Request:

Example Response:

Method: POST Endpoint: /api/preview/teamkeys/{id}:reinstate

Reinstates a previously revoked team API key, changing the status to ACTIVE.

Example Request:

Example Response:

Method: PATCH Endpoint: /api/preview/teamkeys/{value.id}

Use this operation to update the display name of a team API key.

Example Request:

Example Response:

Team and User Management APIs

Operations for listing, creating, deleting, and updating users and teams.

Overview

These APIs provide an interface for managing users and teams in Veza.

Get Teams
Create Team

Retrieve a list of all teams. This endpoint allows filtering and sorting of the returned teams.

Create a new team, scoped to the specified provider IDs:

The team policy_type determines the scope of integrations for the team. The value can be UNBOUND or PROVIDER_ID_SET:

PROVIDER_ID_SET: Users can only see data and manage integrations for the listed providers, specified by id.
UNBOUND: Users can access all providers, similar to the root team. Users on this team will share a unique set of reports and saved queries.

Fetch details of a specific team by providing the team ID.

Remove a team from the system using the team ID.

Update details of an existing team. The PUT method replaces the entire team entity, while PATCH allows for partial updates.

Create a new user with details such as name, email, and team assignments.

A user object includes basic attributes and team and role assignments:

Change team roles or persona for an existing user. This endpoint supports partial updates.

Retrieve details of a specific user by user ID. You can use "self" instead of an ID to retrieve current user details.

Delete a user from the system by ID.

Returns a paginated list of all roles available in the Veza, including role ID, name, and the associated permissions. Use this operation to get role IDs to assign team roles for users.

Team API Keys

Overview

Team API keys are limited to the following operations:

Create Custom Provider Data Source

Method: GET Endpoint: /api/preview/teamkeys

Returns API key details such as last activity time and status. If the query includes a team_id filter expression, only keys for that team are listed.

Note: When using a personal API key for a , the team_id filter is automatically applied. Only root team administrators can view keys across all teams.

Example Request:

Example Response:

Method: POST Endpoint: /api/preview/teamkeys

Create an API key by providing a key name and team team_id. The response includes the access_key, which cannot be retrieved again.

Example Request:

Example Response:

Method: DELETE Endpoint: /api/preview/teamkeys/{id}

Permanently delete a team API key.

Example Request:

Example Response:

Method: POST Endpoint: /api/preview/teamkeys/{id}:revoke

Suspend usage of a team API key, changing the status to INACTIVE.

Example Request:

Example Response:

Method: POST Endpoint: /api/preview/teamkeys/{id}:reinstate

Reinstates a previously revoked team API key, changing the status to ACTIVE.

Example Request:

Example Response:

Method: PATCH Endpoint: /api/preview/teamkeys/{value.id}

Use this operation to update the display name of a team API key.

Example Request:

Example Response:

patch

Authorizations

AuthorizationstringRequired

Veza API key for authentication. Generate keys in Administration > API Keys.

Path parameters

value.idstringRequired

Query parameters

update_maskstring · field-maskOptional

Body

idstringOptional

namestringOptional

display_namestringOptional

given_namestringOptional

family_namestringOptional

emailstringOptional

enabledbooleanOptional

last_login_atstring · date-timeRead-onlyOptional

last_refresh_atstring · date-timeRead-onlyOptional

created_atstring · date-timeRead-onlyOptional

updated_atstring · date-timeRead-onlyOptional

logins_lifetimestringRead-onlyOptional

auth_provider_typeinteger · enumOptional

auth_provider_idstringOptional

personainteger · enumOptional

can_change_passwordbooleanOptional

User (reflexive) or System may change this user's password

has_mfabooleanOptional

User has MFA enabled

can_change_rolesbooleanOptional

System may change this user's roles

can_disablebooleanOptional

System may disable this user's access to Veza

can_deletebooleanOptional

System may delete this user from Veza

can_edit_namebooleanOptional

System may edit this user's name

can_extend_supportbooleanOptional

System may extend support expiration

can_remove_from_teamsbooleanOptional

System may change this user's team membership

team_idstringOptional

team_namestringRead-onlyOptional

role_idstringOptional

role_namestringRead-onlyOptional

digest_idstringOptional

digest_namestringOptional

frequencyinteger · enumOptional

expires_atstring · date-timeRead-onlyOptional

Responses

200

application/json

idstringOptional

namestringOptional

display_namestringOptional

given_namestringOptional

family_namestringOptional

emailstringOptional

enabledbooleanOptional

last_login_atstring · date-timeRead-onlyOptional

last_refresh_atstring · date-timeRead-onlyOptional

created_atstring · date-timeRead-onlyOptional

updated_atstring · date-timeRead-onlyOptional

logins_lifetimestringRead-onlyOptional

auth_provider_typeinteger · enumOptional

auth_provider_idstringOptional

personainteger · enumOptional

can_change_passwordbooleanOptional

User (reflexive) or System may change this user's password

has_mfabooleanOptional

User has MFA enabled

can_change_rolesbooleanOptional

System may change this user's roles

can_disablebooleanOptional

System may disable this user's access to Veza

can_deletebooleanOptional

System may delete this user from Veza

can_edit_namebooleanOptional

System may edit this user's name

can_extend_supportbooleanOptional

System may extend support expiration

can_remove_from_teamsbooleanOptional

System may change this user's team membership

team_idstringOptional

team_namestringRead-onlyOptional

role_idstringOptional

role_namestringRead-onlyOptional

digest_idstringOptional

digest_namestringOptional

frequencyinteger · enumOptional

expires_atstring · date-timeRead-onlyOptional

idstringOptional

namestringOptional

display_namestringOptional

given_namestringOptional

family_namestringOptional

emailstringOptional

enabledbooleanOptional

last_login_atstring · date-timeRead-onlyOptional

last_refresh_atstring · date-timeRead-onlyOptional

created_atstring · date-timeRead-onlyOptional

updated_atstring · date-timeRead-onlyOptional

logins_lifetimestringRead-onlyOptional

auth_provider_typeinteger · enumOptional

auth_provider_idstringOptional

personainteger · enumOptional

can_change_passwordbooleanOptional

User (reflexive) or System may change this user's password

has_mfabooleanOptional

User has MFA enabled

can_change_rolesbooleanOptional

System may change this user's roles

can_disablebooleanOptional

System may disable this user's access to Veza

can_deletebooleanOptional

System may delete this user from Veza

can_edit_namebooleanOptional

System may edit this user's name

can_extend_supportbooleanOptional

System may extend support expiration

can_remove_from_teamsbooleanOptional

System may change this user's team membership

team_idstringOptional

team_namestringRead-onlyOptional

role_idstringOptional

role_namestringRead-onlyOptional

digest_idstringOptional

digest_namestringOptional

frequencyinteger · enumOptional

expires_atstring · date-timeRead-onlyOptional

default

Default error response

application/json

patch

/api/v1/users/{value.id}

get

Authorizations

AuthorizationstringRequired

Veza API key for authentication. Generate keys in Administration > API Keys.

Path parameters

idstringRequired

Responses

200

application/json

idstringOptional

namestringOptional

display_namestringOptional

given_namestringOptional

family_namestringOptional

emailstringOptional

enabledbooleanOptional

last_login_atstring · date-timeRead-onlyOptional

last_refresh_atstring · date-timeRead-onlyOptional

created_atstring · date-timeRead-onlyOptional

updated_atstring · date-timeRead-onlyOptional

logins_lifetimestringRead-onlyOptional

auth_provider_typeinteger · enumOptional

auth_provider_idstringOptional

personainteger · enumOptional

can_change_passwordbooleanOptional

User (reflexive) or System may change this user's password

has_mfabooleanOptional

User has MFA enabled

can_change_rolesbooleanOptional

System may change this user's roles

can_disablebooleanOptional

System may disable this user's access to Veza

can_deletebooleanOptional

System may delete this user from Veza

can_edit_namebooleanOptional

System may edit this user's name

can_extend_supportbooleanOptional

System may extend support expiration

can_remove_from_teamsbooleanOptional

System may change this user's team membership

team_idstringOptional

team_namestringRead-onlyOptional

role_idstringOptional

role_namestringRead-onlyOptional

digest_idstringOptional

digest_namestringOptional

frequencyinteger · enumOptional

expires_atstring · date-timeRead-onlyOptional

default

Default error response

application/json

get

/api/v1/users/{id}

delete

Authorizations

AuthorizationstringRequired

Veza API key for authentication. Generate keys in Administration > API Keys.

Path parameters

idstringRequired

Responses

200

application/json

idstringOptional

namestringOptional

display_namestringOptional

given_namestringOptional

family_namestringOptional

emailstringOptional

enabledbooleanOptional

last_login_atstring · date-timeRead-onlyOptional

last_refresh_atstring · date-timeRead-onlyOptional

created_atstring · date-timeRead-onlyOptional

updated_atstring · date-timeRead-onlyOptional

logins_lifetimestringRead-onlyOptional

auth_provider_typeinteger · enumOptional

auth_provider_idstringOptional

personainteger · enumOptional

can_change_passwordbooleanOptional

User (reflexive) or System may change this user's password

has_mfabooleanOptional

User has MFA enabled

can_change_rolesbooleanOptional

System may change this user's roles

can_disablebooleanOptional

System may disable this user's access to Veza

can_deletebooleanOptional

System may delete this user from Veza

can_edit_namebooleanOptional

System may edit this user's name

can_extend_supportbooleanOptional

System may extend support expiration

can_remove_from_teamsbooleanOptional

System may change this user's team membership

team_idstringOptional

team_namestringRead-onlyOptional

role_idstringOptional

role_namestringRead-onlyOptional

digest_idstringOptional

digest_namestringOptional

frequencyinteger · enumOptional

expires_atstring · date-timeRead-onlyOptional

default

Default error response

application/json

delete

/api/v1/users/{id}

List API keys for teams

get

Authorizations

AuthorizationstringRequired

Veza API key for authentication. Generate keys in Administration > API Keys.

Query parameters

filterstringOptional

[team_id] String to filter API keys belonging to a specific team. If empty, list all team keys in scope

page_sizeinteger · int32Optional

page_tokenstringOptional

Responses

200

application/json

idstringOptional

The unique identifier of this API key.

access_keystringRead-onlyOptional

Base64 encoded access token. Only available when creating a key

namestringOptional

User provided name for this key

created_atstring · date-timeRead-onlyOptional

ISO-8601 timestamp of when this key was created

last_access_atstring · date-timeRead-onlyOptional

ISO-8601 timestamp of when this key was last updated

statusinteger · enumRead-onlyOptional

Status of the key. Key is ACTIVE or INACTIVE. API keys can only be used when they are ACTIVE

team_idstringOptional

Team ID that this key belongs to

team_namestringRead-onlyOptional

Team Name that this key belongs to

next_page_tokenstringOptional

default

Default error response

application/json

get

/api/preview/teamkeys

Update team API key metadata

patch

Authorizations

AuthorizationstringRequired

Veza API key for authentication. Generate keys in Administration > API Keys.

Path parameters

value.idstringRequired

Query parameters

update_maskstring · field-maskOptional

Body

API Key

idstringOptional

The unique identifier of this API key.

access_keystringRead-onlyOptional

Base64 encoded access token. Only available when creating a key

namestringOptional

User provided name for this key

created_atstring · date-timeRead-onlyOptional

ISO-8601 timestamp of when this key was created

last_access_atstring · date-timeRead-onlyOptional

ISO-8601 timestamp of when this key was last updated

statusinteger · enumRead-onlyOptional

Status of the key. Key is ACTIVE or INACTIVE. API keys can only be used when they are ACTIVE

team_idstringOptional

Team ID that this key belongs to

team_namestringRead-onlyOptional

Team Name that this key belongs to

Responses

200

application/json

idstringOptional

The unique identifier of this API key.

access_keystringRead-onlyOptional

Base64 encoded access token. Only available when creating a key

namestringOptional

User provided name for this key

created_atstring · date-timeRead-onlyOptional

ISO-8601 timestamp of when this key was created

last_access_atstring · date-timeRead-onlyOptional

ISO-8601 timestamp of when this key was last updated

statusinteger · enumRead-onlyOptional

Status of the key. Key is ACTIVE or INACTIVE. API keys can only be used when they are ACTIVE

team_idstringOptional

Team ID that this key belongs to

team_namestringRead-onlyOptional

Team Name that this key belongs to

default

Default error response

application/json

patch

/api/preview/teamkeys/{value.id}

{
  "value": {
    "id": "text",
    "name": "text",
    "display_name": "text",
    "given_name": "text",
    "family_name": "text",
    "email": "text",
    "enabled": true,
    "last_login_at": "2026-06-18T03:51:32.430Z",
    "last_refresh_at": "2026-06-18T03:51:32.430Z",
    "created_at": "2026-06-18T03:51:32.430Z",
    "updated_at": "2026-06-18T03:51:32.430Z",
    "logins_lifetime": "text",
    "auth_provider_type": 1,
    "auth_provider_id": "text",
    "persona": 1,
    "options": {
      "can_change_password": true,
      "has_mfa": true,
      "can_change_roles": true,
      "can_disable": true,
      "can_delete": true,
      "can_edit_name": true,
      "can_extend_support": true,
      "can_remove_from_teams": true
    },
    "team_roles": [
      {
        "team_id": "text",
        "team_name": "text",
        "role_id": "text",
        "role_name": "text"
      }
    ],
    "digest_settings": [
      {
        "digest_id": "text",
        "digest_name": "text",
        "frequency": 1
      }
    ],
    "expires_at": "2026-06-18T03:51:32.430Z"
  },
  "old_value": {
    "id": "text",
    "name": "text",
    "display_name": "text",
    "given_name": "text",
    "family_name": "text",
    "email": "text",
    "enabled": true,
    "last_login_at": "2026-06-18T03:51:32.430Z",
    "last_refresh_at": "2026-06-18T03:51:32.430Z",
    "created_at": "2026-06-18T03:51:32.430Z",
    "updated_at": "2026-06-18T03:51:32.430Z",
    "logins_lifetime": "text",
    "auth_provider_type": 1,
    "auth_provider_id": "text",
    "persona": 1,
    "options": {
      "can_change_password": true,
      "has_mfa": true,
      "can_change_roles": true,
      "can_disable": true,
      "can_delete": true,
      "can_edit_name": true,
      "can_extend_support": true,
      "can_remove_from_teams": true
    },
    "team_roles": [
      {
        "team_id": "text",
        "team_name": "text",
        "role_id": "text",
        "role_name": "text"
      }
    ],
    "digest_settings": [
      {
        "digest_id": "text",
        "digest_name": "text",
        "frequency": 1
      }
    ],
    "expires_at": "2026-06-18T03:51:32.430Z"
  }
}

{
  "value": {
    "id": "text",
    "name": "text",
    "display_name": "text",
    "given_name": "text",
    "family_name": "text",
    "email": "text",
    "enabled": true,
    "last_login_at": "2026-06-18T03:51:32.430Z",
    "last_refresh_at": "2026-06-18T03:51:32.430Z",
    "created_at": "2026-06-18T03:51:32.430Z",
    "updated_at": "2026-06-18T03:51:32.430Z",
    "logins_lifetime": "text",
    "auth_provider_type": 1,
    "auth_provider_id": "text",
    "persona": 1,
    "options": {
      "can_change_password": true,
      "has_mfa": true,
      "can_change_roles": true,
      "can_disable": true,
      "can_delete": true,
      "can_edit_name": true,
      "can_extend_support": true,
      "can_remove_from_teams": true
    },
    "team_roles": [
      {
        "team_id": "text",
        "team_name": "text",
        "role_id": "text",
        "role_name": "text"
      }
    ],
    "digest_settings": [
      {
        "digest_id": "text",
        "digest_name": "text",
        "frequency": 1
      }
    ],
    "expires_at": "2026-06-18T03:51:32.430Z"
  },
  "old_value": {
    "id": "text",
    "name": "text",
    "display_name": "text",
    "given_name": "text",
    "family_name": "text",
    "email": "text",
    "enabled": true,
    "last_login_at": "2026-06-18T03:51:32.430Z",
    "last_refresh_at": "2026-06-18T03:51:32.430Z",
    "created_at": "2026-06-18T03:51:32.430Z",
    "updated_at": "2026-06-18T03:51:32.430Z",
    "logins_lifetime": "text",
    "auth_provider_type": 1,
    "auth_provider_id": "text",
    "persona": 1,
    "options": {
      "can_change_password": true,
      "has_mfa": true,
      "can_change_roles": true,
      "can_disable": true,
      "can_delete": true,
      "can_edit_name": true,
      "can_extend_support": true,
      "can_remove_from_teams": true
    },
    "team_roles": [
      {
        "team_id": "text",
        "team_name": "text",
        "role_id": "text",
        "role_name": "text"
      }
    ],
    "digest_settings": [
      {
        "digest_id": "text",
        "digest_name": "text",
        "frequency": 1
      }
    ],
    "expires_at": "2026-06-18T03:51:32.430Z"
  }
}

Team and User Management APIs

Overview

Team API Keys

Overview

Team and User Management APIs

Overview

Get Teams

Create Team

Get Team

Delete Team

Update Team

Create User

Update User

Get User

Delete User

List Roles

Team API Keys

Overview

List Team API Keys

Create Team API Key

Remove Team API Key

Revoke Team API Key

Reinstate Team API Key

Update Team API Key

List API keys for teams

Create a new team API key for a service account

Remove team API Key

Revoke team API Key

Reinstate a revoked team API Key

Update team API key metadata