Skip to content

REST API

The REST API serves every feature in the dashboard. Authenticate with an API key in the Authorization: Bearer … header. Pagination uses page and page_size; filtering uses query parameters.

https://api.vygl.io

Self-hosted instances use whatever URL points at the API container; for local development that’s typically http://localhost:8000.

Every request needs a bearer token:

GET /api/v1/findings
Host: api.vygl.io
Authorization: Bearer vgl_your_api_key_here

Generate keys at Settings → API Keys. Each key has scopes that control which endpoints it can call — see API Keys for the scope list.

All routes live under /api/v1. Future major versions will get their own prefix; v1 is supported indefinitely.

List endpoints typically accept page (1-based) and page_size. The Findings list defaults to 50 / max 200; other endpoints can have different ceilings — check the response shape per endpoint.

GET /api/v1/findings?page=1&page_size=100

The response includes total, page, page_size, and items[].

Errors return JSON with a detail field:

{
"detail": "API key lacks required scope: triage:write"
}

HTTP status codes follow REST conventions: 200 for success, 400 for validation, 401 for missing auth, 403 for insufficient scopes, 404 for missing resources, 5xx for server errors.

Today the REST API enforces rate limits on a narrow set of endpoints — auth/login and auth/forgot-password (10 and 5 attempts per IP per 15 minutes respectively). General endpoints aren’t rate-limited at the application layer; capacity is shaped by upstream infrastructure. The MCP server has its own tiered limits — see MCP Server Overview for that surface. There are no X-RateLimit-* response headers on REST API responses today.