Skip to main content
API keys authenticate requests to the Veto API. Each key is scoped to a workspace and carries a set of permission scopes.
All API key management endpoints require an API key with admin scope.

The API key object

id
string
UUID uniquely identifying the key.
name
string
Human-readable name for the key.
prefix
string
The first 12 characters of the raw key (e.g. veto_a1b2c3d4). Use this to identify which key was used — it is safe to display and log.
scopes
string[]
Permission scopes granted to this key. ["admin"] grants full access. ["read-only"] restricts to non-mutating endpoints.
expiresAt
string | null
ISO 8601 expiration date, or null if the key never expires.
lastUsedAt
string | null
ISO 8601 timestamp of the most recent authenticated request, or null if the key has never been used. Only available on list responses.
createdAt
string
ISO 8601 timestamp of when the key was created.

POST /v1/api-keys

Create a new API key for your workspace.
The raw API key is returned only once in the creation response. Store it immediately in a secure secrets manager — you cannot retrieve it again. Only the prefix is stored by Veto.
name
string
required
Human-readable name to identify this key. Must be between 1 and 255 characters.
scopes
string[]
required
Permission scopes for the key. Use ["admin"] for full access or ["read-only"] for read-only access.
expiresAt
string
Optional expiration date as an ISO 8601 datetime string. If omitted, the key never expires.
Returns 201 with the key metadata and the raw key. The key field is not included in any subsequent responses. 
curl -X POST https://api.veto.tools/v1/api-keys \
  -H "Authorization: Bearer veto_..." \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Production worker",
    "scopes": ["admin"],
    "expiresAt": "2027-01-01T00:00:00.000Z"
  }'

{
  "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "name": "Production worker",
  "prefix": "veto_a1b2c3",
  "scopes": ["admin"],
  "expiresAt": "2027-01-01T00:00:00.000Z",
  "createdAt": "2026-01-15T10:00:00.000Z",
  "key": "veto_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6"
}

GET /v1/api-keys

List all API keys in your workspace. The raw key and its hash are never included in list responses.
limit
number
default:"100"
Maximum number of keys to return. Must be between 1 and 200.
offset
number
default:"0"
Number of keys to skip.
Returns a paginated envelope with key metadata objects. 
curl https://api.veto.tools/v1/api-keys \
  -H "Authorization: Bearer veto_..."

{
  "data": [
    {
      "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
      "name": "Production worker",
      "prefix": "veto_a1b2c3",
      "scopes": ["admin"],
      "expiresAt": "2027-01-01T00:00:00.000Z",
      "lastUsedAt": "2026-01-15T10:30:00.000Z",
      "createdAt": "2026-01-15T10:00:00.000Z"
    }
  ],
  "pagination": {
    "limit": 100,
    "offset": 0,
    "count": 1,
    "total": 1
  }
}

DELETE /v1/api-keys/:id

Revoke an API key. The key is permanently deleted and will no longer authenticate requests. This action cannot be undone. Returns 204 No Content on success. 
curl -X DELETE https://api.veto.tools/v1/api-keys/a1b2c3d4-e5f6-7890-abcd-ef1234567890 \
  -H "Authorization: Bearer veto_..."