All pages
Powered by GitBook
1 of 1

Loading...

Team API Keys

Overview

Team API keys are designed for service accounts that manage Open Authorization API (OAA) integrations assigned to a team. Similar to personal API keys, these keys authenticate API requests, and can be revoked or reinstated to control programmatic access to Veza. Each key is associated with a single team and has the oaa_push role, restricted to specific read and write operations for creating and updating OAA data sources.

Team API keys are limited to the following operations:

  • Create Custom Provider Data Source

  • Push Custom Provider Data Source

  • Delete Custom Provider Data Source

  • Get Custom Provider Data Source

  • List Custom Provider Templates

  • List Custom Providers

  • List Custom Provider Data Sources

  • Push Custom Provider CSV Data Source

  • Get User

Administrators can create and manage team API keys using the endpoints documented below. Note that Team API Keys are currently provided as an early access feature, and /preview/ API operations are subject to change as capabilities are added or modified.

List Team API Keys

Method: GET Endpoint: /api/preview/teamkeys

Returns API key details such as last activity time and status. If the query includes a team_id filter expression, only keys for that team are listed.

Note: When using a personal API key for a non-root team, the team_id filter is automatically applied. Only root team administrators can view keys across all teams.

Example Request:

curl -X GET "https://<base-url>/api/preview/teamkeys?filter=team_id+eq+%2260437fa0-15ab-4c1f-a211-010543ac8a89%22" \
 -H "accept: application/json"

Example Response:

{
  "values": [
    {
      "id": "54807783-c5ec-4efd-9d1b-853bada658dd",
      "access_key": "",
      "name": "AWS Team Key",
      "created_at": "2024-06-25T08:30:17.087351612Z",
      "last_access_at": "2024-06-25T08:30:17.087351612Z",
      "status": "ACTIVE",
      "team_id": "60437fa0-15ab-4c1f-a211-010543ac8a89"
    }
  ],
  "next_page_token": ""
}

Create Team API Key

Method: POST Endpoint: /api/preview/teamkeys

Create an API key by providing a key name and team team_id. The response includes the access_key, which cannot be retrieved again.

Example Request:

curl -X POST "https://<base-url>/api/preview/teamkeys" \
 -H "accept: application/json" \
 -H "content-type: application/json" \
 -d '{"name":"New Team API Key","team_id":"60437fa0-15ab-4c1f-a211-010543ac8a89"}'

Example Response:

{
  "value": {
    "id": "7ddd5e0c-29cd-41c5-b41f-884b2d24b05d",
    "access_key": "<access key>",
    "name": "New Team API Key",
    "created_at": "2024-08-26T21:29:59.409761363Z",
    "last_access_at": "2024-08-26T21:29:59.409761363Z",
    "status": "ACTIVE",
    "team_id": "60437fa0-15ab-4c1f-a211-010543ac8a89"
  }
}

Remove Team API Key

Method: DELETE Endpoint: /api/preview/teamkeys/{id}

Permanently delete a team API key.

Example Request:

curl -X DELETE "https://<base-url>/api/preview/teamkeys/7ddd5e0c-29cd-41c5-b41f-884b2d24b05d" \
 -H "accept: application/json"

Example Response:

{
  "value": {
    "id": "7ddd5e0c-29cd-41c5-b41f-884b2d24b05d",
    "access_key": "",
    "name": "Updated API Key",
    "created_at": "2024-08-26T21:29:59.409761363Z",
    "last_access_at": "2024-08-26T21:29:59.409761363Z",
    "status": "INACTIVE",
    "team_id": "60437fa0-15ab-4c1f-a211-010543ac8a89"
  }
}

Revoke Team API Key

Method: POST Endpoint: /api/preview/teamkeys/{id}:revoke

Suspend usage of a team API key, changing the status to INACTIVE.

Example Request:

curl -X POST "https://<base-url>/api/preview/teamkeys/7ddd5e0c-29cd-41c5-b41f-884b2d24b05d:revoke" \
 -H "accept: application/json"

Example Response:

{}

Reinstate Team API Key

Method: POST Endpoint: /api/preview/teamkeys/{id}:reinstate

Reinstates a previously revoked team API key, changing the status to ACTIVE.

Example Request:

curl -X POST "https://<base-url>/api/preview/teamkeys/7ddd5e0c-29cd-41c5-b41f-884b2d24b05d:reinstate" \
 -H "accept: application/json"

Example Response:

{}

Update Team API Key

Method: PATCH Endpoint: /api/preview/teamkeys/{value.id}

Use this operation to update the display name of a team API key.

Example Request:

curl -X PATCH "https://<base-url>/api/preview/teamkeys/7ddd5e0c-29cd-41c5-b41f-884b2d24b05d" \
 -H "accept: application/json"\
 -H "content-type: application/json" \
 -d '{"name":"Updated API Key"}'

Example Response:

{
  "value": {
    "id": "7ddd5e0c-29cd-41c5-b41f-884b2d24b05d",
    "access_key": "",
    "name": "Updated API Key",
    "created_at": "2024-08-26T21:29:59.409761363Z",
    "last_access_at": "2024-08-26T21:29:59.409761363Z",
    "status": "ACTIVE",
    "team_id": "60437fa0-15ab-4c1f-a211-010543ac8a89"
  }
}

List API keys for teams

get
Authorizations
Query parameters
filterstringOptional

[team_id] String to filter API keys belonging to a specific team. If empty, list all team keys in scope

page_sizeinteger · int32Optional
page_tokenstringOptional
Responses
200
OK
application/json
default
Default error response
application/json
get
GET /api/preview/teamkeys HTTP/1.1
Host: 
Authorization: Bearer Bearer <API key>
Accept: */*
{
  "values": [
    {
      "id": "text",
      "access_key": "text",
      "name": "text",
      "created_at": "2025-07-03T08:46:33.118Z",
      "last_access_at": "2025-07-03T08:46:33.118Z",
      "status": 1,
      "team_id": "text",
      "team_name": "text"
    }
  ],
  "next_page_token": "text"
}

Create a new team API key for a service account

post
Authorizations
Body
namestringOptional

Human friendly name

team_idstringOptional

Service account's team ID

Responses
200
OK
application/json
default
Default error response
application/json
post
POST /api/preview/teamkeys HTTP/1.1
Host: 
Authorization: Bearer Bearer <API key>
Content-Type: application/json
Accept: */*
Content-Length: 32

{
  "name": "text",
  "team_id": "text"
}
{
  "value": {
    "id": "text",
    "access_key": "text",
    "name": "text",
    "created_at": "2025-07-03T08:46:33.118Z",
    "last_access_at": "2025-07-03T08:46:33.118Z",
    "status": 1,
    "team_id": "text",
    "team_name": "text"
  }
}

Remove team API Key

delete
Authorizations
Path parameters
idstringRequired
Responses
200
OK
application/json
default
Default error response
application/json
delete
DELETE /api/preview/teamkeys/{id} HTTP/1.1
Host: 
Authorization: Bearer Bearer <API key>
Accept: */*
{
  "value": {
    "id": "text",
    "access_key": "text",
    "name": "text",
    "created_at": "2025-07-03T08:46:33.118Z",
    "last_access_at": "2025-07-03T08:46:33.118Z",
    "status": 1,
    "team_id": "text",
    "team_name": "text"
  }
}

Revoke team API Key

post
Authorizations
Path parameters
idstringRequired
Responses
200
OK
application/json
Responseobject
default
Default error response
application/json
post
POST /api/preview/teamkeys/{id}:revoke HTTP/1.1
Host: 
Authorization: Bearer Bearer <API key>
Accept: */*
{}

Reinstate a revoked team API Key

post
Authorizations
Path parameters
idstringRequired
Responses
200
OK
application/json
Responseobject
default
Default error response
application/json
post
POST /api/preview/teamkeys/{id}:reinstate HTTP/1.1
Host: 
Authorization: Bearer Bearer <API key>
Accept: */*
{}

Update team API key metadata

patch
Authorizations
Path parameters
value.idstringRequired
Query parameters
update_maskstring · field-maskOptional
Body

API Key

idstringOptional

The unique identifier of this API key.

access_keystringRead-onlyOptional

Base64 encoded access token. Only available when creating a key

namestringOptional

User provided name for this key

created_atstring · date-timeRead-onlyOptional

ISO-8601 timestamp of when this key was created

last_access_atstring · date-timeRead-onlyOptional

ISO-8601 timestamp of when this key was last updated

statusinteger · enumRead-onlyOptional

Status of the key. Key is ACTIVE or INACTIVE. API keys can only be used when they are ACTIVE

team_idstringOptional

Team ID that this key belongs to

team_namestringRead-onlyOptional

Team Name that this key belongs to

Responses
200
OK
application/json
default
Default error response
application/json
patch
PATCH /api/preview/teamkeys/{value.id} HTTP/1.1
Host: 
Authorization: Bearer Bearer <API key>
Content-Type: application/json
Accept: */*
Content-Length: 44

{
  "id": "text",
  "name": "text",
  "team_id": "text"
}
{
  "value": {
    "id": "text",
    "access_key": "text",
    "name": "text",
    "created_at": "2025-07-03T08:46:33.118Z",
    "last_access_at": "2025-07-03T08:46:33.118Z",
    "status": 1,
    "team_id": "text",
    "team_name": "text"
  }
}