API Keys

API keys are organization-scoped credentials with selectable permissions and an optional expiry. The same key powers the CLI, third-party integrations, and the MCP server in static-token mode.

Creating a key

1. Open Settings → API Keys and click Create Key.
2. Give the key a name — something descriptive like “GitHub Actions CI” or “PagerDuty webhook”.
3. Pick scopes (see below).
4. Optionally set an expiry. Keys without an expiry never expire.
5. Click Create. Vygl shows the key once — copy it immediately. The raw key is never displayed again.

Keys start with the vgl_ prefix; the first eight characters are visible in the UI for identification, the rest is secret.

Scopes

Scope	Grants
read	Read all resources (findings, projects, scans, dependencies)
write	Full write access (rare — prefer narrower scopes)
scan:read	Read scans only
scan:write	Submit scans (the typical CI scope)
triage:write	Change finding status, add comments
memory:write	Create / edit organizational memory
admin	Admin operations (create members, integrations, etc.)

Most automation needs only scan:write or read. Reach for broader scopes only when you have a specific reason.

Where to put the key

Use case	How
CI / CD pipeline	Set VYGL_API_KEY as a CI secret (GitHub Secrets, GitLab CI variables, Bitbucket repository variables)
Local CLI	vygl auth set-key <KEY> stores it at ~/.vygl/credentials (chmod 600)
REST API	Authorization: Bearer vgl_... header
MCP (editor clients)	The client config file — see IDE Setup

Rotating keys

There’s no built-in rotation endpoint — to rotate, create a new key, update your systems, then revoke the old one. The two-key window prevents downtime.

Revoking

From Settings → API Keys, click Revoke on the row. Revocation is immediate; subsequent requests with that key return 401. The audit log preserves the key’s history (who created it, when it was last used, when it was revoked).

Last-used tracking

Each key shows when it was last used — useful for spotting stale keys that should be retired. Keys unused for 90+ days are good rotation candidates.

Treat keys as bearer secrets

Anyone with the raw key can use it. If a key is exposed in version control, a screenshot, or a Slack message, revoke it immediately and rotate. Vygl’s audit log records every API call by key, so you can correlate suspicious activity to a leaked key after the fact.

No IP allowlisting yet

Restricting a key to specific source IPs isn’t supported today. For sensitive integrations, prefer narrow scopes and short expiries over broad-scope long-lived keys.