1 of 3

Create, Add, Remove Tag

Create, apply, and remove Veza tags

New in 2025.11.24: Bulk tagging operations are now available as part of the private/ API set.

Use these APIs to create, add, and remove Veza tags. These endpoints support bulk onboarding of external tags into Veza Access Graph, environment migrations, and maintaining at scale.

Methods

Promoted Tags

Operations for adding, removing, and listing tags for entity enrichment.

Tag promotion for Access Reviews is currently available in Early Access. Please contact our support team to enable this capability.

Use these APIs to define the tags Veza should treat as customer-defined properties. Access Reviews that involve these entity types will include columns showing the tag name and value.

For example, in AWS, you may automatically tag identities with a 3rd-party security tool, or use tags to label S3 buckets containing sensitive data. When a tag is promoted, Veza Access Reviews will treat the tag as a built-in entity attribute, and show this information for reviewers in an optional column.

Promote tag

Add a promotion rule by specifying its type and key, and the entity types it applies to:

include_entity_types: if true, promote tags for the listed type(s).
exclude_entity_type: if true, promotes tags for all entities except the listed type(s).

You can promote tags for any integration that supports them, such as Snowflake or Google Cloud. Use for integrations that do not support vendor-native tags or when built-in tagging is unavailable. Example tag types:

AWSTag
CookieTag (Veza Tag)
GoogleCloudLabel

Entity types for tag promotion should be concrete types. You can confirm the format by viewing details for any graph node, and checking the Type attribute, for example:

OAA.PagerDuty.User
ActiveDirectoryUser
OAA.custom_idp.IDPUser

Demote tag

Remove a promotion rule for the specified tag key and type. Demotions apply on the next data source parse.

Get all promotion rules for all entity types.

Promoted Tags

Operations for adding, removing, and listing tags for entity enrichment.

Tag promotion for Access Reviews is currently available in Early Access. Please contact our support team to enable this capability.

Use these APIs to define the tags Veza should treat as customer-defined properties. Access Reviews that involve these entity types will include columns showing the tag name and value.

Promote tag

Add a promotion rule by specifying its type and key, and the entity types it applies to:

include_entity_types: if true, promote tags for the listed type(s).
exclude_entity_type: if true, promotes tags for all entities except the listed type(s).

AWSTag
CookieTag (Veza Tag)
GoogleCloudLabel

Entity types for tag promotion should be concrete types. You can confirm the format by viewing details for any graph node, and checking the Type attribute, for example:

OAA.PagerDuty.User
ActiveDirectoryUser
OAA.custom_idp.IDPUser

Demote tag

Remove a promotion rule for the specified tag key and type. Demotions apply on the next data source parse.

Get all promotion rules for all entity types.

Tags

Create, apply, and remove Veza tags

Tagging is a product capability allowing organizations to add additional metadata to the entities (such as users, roles, tables, or any other resource/identity) discovered by Veza.

curl 'https://{{VezaUrl}}/api/v1/graph/nodes/veza_tags' \
  --data-raw '{
      "node_id":"arn:aws:s3:::aws-cloudtrail-logs-527398259632-c98becd0",
      "tags":[
          {"key":"custom_tag","value":"one"}
        ]
    }'

You can filter search results for entities with a given tag, create access workflows based on tags, or use them to add context and notes that other users can view and search by.

To apply a tag, you will need the ID of the node to modify. Calling get query nodes will return IDs as part of the search result. You can also retrieve this value by clicking Show Details for the entity in Access Graph, or checking the ID column from Identity Data Entities or the Query Builder.

Quick Start

Generate a bearer token from .

For the examples below, BASEURL should be the address of your Veza instance, such as https://<org>.vezacloud.com.

Use Get Query Spec Nodes to find Snowflake tables reachable by federated Okta users belonging to the Finance department:

The response will include the table id:

Apply a tag by specifying a key and optional value:

Remove a tag by providing the entity id and the tag key to delete:

Demote Tag

post

Demotes a promoted tag

Authorizations

AuthorizationstringRequired

Veza API key for authentication. Generate keys in Administration > API Keys.

Body

tag_keystringOptional

tag_typeinteger · enumOptional

Responses

200

application/json

objectOptional

default

Default error response

application/json

The Status type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by gRPC. Each Status message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the API Design Guide.

codeinteger · int32Optional

The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code].

messagestringOptional

A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client.

@typestringOptional

The type of the serialized message.

Other propertiesanyOptional

post

/api/preview/graph/tag_promotions:demote

List Tag Promotions

get

List promoted tags

Authorizations

AuthorizationstringRequired

Veza API key for authentication. Generate keys in Administration > API Keys.

Responses

200

application/json

tag_keystringOptional

tag_typeinteger · enumOptional

include_entity_typesstring[]Optional

Only one or the other is accepted, if both are supplied the request is considered invalid. If "include_entity_types" is empty, all types will be included except any that are in "exclude_entity_types".

exclude_entity_typesstring[]Optional

default

Default error response

application/json

codeinteger · int32Optional

The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code].

messagestringOptional

@typestringOptional

The type of the serialized message.

Other propertiesanyOptional

get

/api/preview/graph/tag_promotions

Responses

200

application/json

objectOptional

default

Default error response

application/json

codeinteger · int32Optional

The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code].

messagestringOptional

@typestringOptional

The type of the serialized message.

Other propertiesanyOptional

Tags

Quick Start

Create, Add, Remove Tag

Methods

Promoted Tags

Promote tag

Demote tag

Promoted Tags

Promote tag

Demote tag

Tags

Quick Start

Create, Add, Remove Tag

Methods

Add Veza Tag

Remove Veza Tag

Bulk Tag Operations

Promote Tag

Demote Tag

List Tag Promotions

Tags

hashtagQuick Start

Create, Add, Remove Tag

hashtagMethods

Promoted Tags

hashtagPromote tag

hashtagDemote tag

hashtagList tag promotions

Promoted Tags

hashtagPromote tag

hashtagDemote tag

hashtagList tag promotions

Tags

hashtagQuick Start

Create, Add, Remove Tag

hashtagMethods

hashtagAdd Veza Tag

hashtagRemove Veza Tag

hashtagBulk Tag Operations

hashtagPromote Tag

hashtagDemote Tag

hashtagList Tag Promotions

Quick Start

Methods

Promote tag

Demote tag

List tag promotions

Promote tag

Demote tag

List tag promotions

Quick Start

Methods

Add Veza Tag

Remove Veza Tag

Bulk Tag Operations

Promote Tag

Demote Tag

List Tag Promotions