Your API key grants full access to your workspace. Store it in an environment variable — never hardcode it in source code.
API keys authenticate requests to the Veto REST API and SDK. You can create multiple keys per workspace, which makes it easy to rotate them without downtime and scope them to least privilege.

Key format

Veto API keys start with veto_ followed by 32 hex characters:
veto_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4
After creation, only the first 12 characters (the prefix) are stored and displayed. The full key is shown exactly once.
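A check for hardcoded keys, built on the format described above (an added example, not Veto's own code or part of its SDK): it flags strings shaped like veto_ plus 32 hex characters and reports only the 12-character prefix, so the scan output never repeats the secret. The function names and the sample input are constructed for illustration, and matching hex digits case-insensitively is an assumption.

```javascript
// Added example: find key-shaped strings in source text and redact them.
// Assumption: hex digits may be upper or lower case (the page shows lowercase).
// The lookahead rejects longer hex runs, which do not fit the documented format.
const KEY_PATTERN = /veto_[0-9a-f]{32}(?![0-9a-f])/gi;
const PREFIX_LENGTH = 12; // only the first 12 characters are stored and displayed

// Reduce a full key to its displayable prefix.
function redactKey(key) {
  return key.slice(0, PREFIX_LENGTH) + "...";
}

// Return one finding per key-shaped string: file, line, column, redacted key.
function findHardcodedKeys(filename, text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, index) => {
    for (const match of line.matchAll(KEY_PATTERN)) {
      findings.push({
        file: filename,
        line: index + 1,
        column: match.index + 1,
        key: redactKey(match[0]),
      });
    }
  });
  return findings;
}

// Replace every key-shaped string with its prefix, e.g. before writing logs.
function redactText(text) {
  return text.replace(KEY_PATTERN, (key) => redactKey(key));
}

// Constructed sample input; the key is the format example shown on this page.
const SAMPLE_SOURCE = [
  "const veto = new VetoClient({ apiKey: process.env.VETO_API_KEY });",
  'const legacy = "veto_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4"; // hardcoded',
  'curl -H "Authorization: Bearer veto_..."',
  'const tooShort = "veto_a1b2c3";',
].join("\n");

console.log(findHardcodedKeys("app.js", SAMPLE_SOURCE));
```

Run it as a pre-commit or CI step over changed files and fail the build when the findings list is non-empty.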

Key scopes

Scope     | Access
admin     | Full access — create, update, and delete agents, policies, and API keys
read-only | Read access — query agents, policies, and audit logs; cannot create or modify anything
POST /v1/authorize works with both admin and read-only keys. You can use a read-only key in your agent runtime and reserve the admin key for your control plane.

Creating a key

From the dashboard

1. Open API Keys settings
   Go to Settings → API Keys in the Veto dashboard.

2. Click New API Key
   Click New API Key to open the creation dialog.

3. Name and scope the key
   Give the key a descriptive name (e.g., production-server) and select a scope: admin or read-only.

4. Copy the key
   Copy the key immediately — it is displayed once and never stored in plaintext. Close the dialog only after you’ve saved it somewhere secure.

Via the API

curl -X POST https://api.veto.tools/v1/api-keys \
  -H "Authorization: Bearer veto_..." \
  -H "Content-Type: application/json" \
  -d '{"name": "production-server", "scopes": ["admin"]}'
The response includes a key field with the raw key. Store it immediately — subsequent calls to GET /v1/api-keys return only the prefix.

Using a key

Pass the key as a Bearer token in every request:
Authorization: Bearer veto_...
With the SDK:
const veto = new VetoClient({ apiKey: process.env.VETO_API_KEY! });

Rotating keys

Veto supports multiple active keys per workspace, so you can rotate without downtime:
1. Create a new key
   Create a new key in Settings → API Keys or via POST /v1/api-keys.

2. Update your application
   Deploy your application with the new key set in your environment.

3. Verify the new key is working
   Confirm requests are succeeding with the new key before proceeding.

4. Revoke the old key
   Once traffic has shifted, revoke the old key from Settings → API Keys.

Revoking a key

From the dashboard: Go to Settings → API Keys and click Revoke next to the key you want to remove.

Via the API:
curl -X DELETE https://api.veto.tools/v1/api-keys/{id} \
  -H "Authorization: Bearer veto_..."
A successful revocation returns 204 No Content. Revoked keys are immediately invalid — any request using them will return 401 Unauthorized.

Rate limits

Each API key is limited to 600 requests per minute. Every response includes rate limit headers:
Header                | Description
X-RateLimit-Limit     | Maximum requests allowed per minute
X-RateLimit-Remaining | Requests remaining in the current window
X-RateLimit-Reset     | Unix timestamp when the window resets
If you exceed the limit, the API returns 429 Too Many Requests with a Retry-After header indicating how many seconds to wait before retrying.