REST API

The REST API serves every feature in the dashboard. Authenticate with an API key in the Authorization: Bearer … header. Pagination uses page and page_size; filtering uses query parameters.

Base URL

https://api.vygl.io

Self-hosted instances use whatever URL points at the API container; for local development that’s typically http://localhost:8000.

Authentication

Every request needs a bearer token:

GET /api/v1/findings
Host: api.vygl.io
Authorization: Bearer vgl_your_api_key_here

Generate keys at Settings → API Keys. Each key has scopes that control which endpoints it can call — see API Keys for the scope list.

Versioning

All routes live under /api/v1. Future major versions will get their own prefix; v1 is supported indefinitely.

Pagination

List endpoints accept page (1-based) and page_size (default 50, max 200):

GET /api/v1/findings?page=1&page_size=100

The response includes total, page, page_size, and items[].

Error format

Errors return JSON with a detail field:

{
  "detail": "API key lacks required scope: triage:write"
}

HTTP status codes follow REST conventions: 200 for success, 400 for validation, 401 for missing auth, 403 for insufficient scopes, 404 for missing resources, 429 for rate limits, 5xx for server errors.

Interactive docs

Production has no Swagger UI

Interactive Swagger UI is only enabled on local and self-hosted instances (e.g. http://localhost:8000/docs). It is disabled on the hosted production API to reduce attack surface. The schema reference is published with each release.

Rate limits

The API enforces tiered limits — standard endpoints, dashboard read endpoints, and AI-tier write endpoints each have separate buckets. Rate-limit headers (X-RateLimit-Remaining, X-RateLimit-Reset) are included on every response.

Where to next

• API Keys — create and scope keys
• CLI Reference — the CLI is built on top of the same API
• MCP Server — AI-assistant access uses the same auth