Skip to content

API Keys

API keys are organization-scoped credentials with selectable permissions and an optional expiry. The same key powers the CLI, third-party integrations, and the MCP server in static-token mode.

  1. Open Settings → API Keys and click Create Key.
  2. Give the key a name — something descriptive like “GitHub Actions CI” or “PagerDuty webhook”.
  3. Optionally set an expiry. Keys without an expiry never expire.
  4. Click Create. Vygl shows the key once — copy it immediately. The raw key is never displayed again.

Keys start with the vgl_ prefix; the first eight characters are visible in the UI for identification, the rest is secret.

Keys created from the dashboard ship with a default scope set: read, write, scan:read, scan:write, triage:write, memory:write. There’s no UI to narrow that today — for least-privilege keys, mint via the API and pass an explicit scopes array.

ScopeGrants
readRead all resources (findings, projects, scans, dependencies).
writeFull write access (broader than triage:write / memory:write; reach for it only when needed).
scan:readRead scans only.
scan:writeSubmit scans (the typical CI scope).
triage:writeChange finding status (single and bulk).
memory:writeCreate / edit organizational memory.
adminAdmin operations (create members, integrations, etc.).

Most automation needs only scan:write or read. Reach for broader scopes only when you have a specific reason.

Use caseHow
CI / CD pipelineSet VYGL_API_KEY as a CI secret (GitHub Secrets, GitLab CI variables, Bitbucket repository variables)
Local CLIvygl auth set-key <KEY> stores it at ~/.vygl/credentials (chmod 600)
REST APIAuthorization: Bearer vgl_... header
MCP (editor clients)The client config file — see IDE Setup

There’s no built-in rotation endpoint — to rotate, create a new key, update your systems, then revoke the old one. The two-key window prevents downtime.

From Settings → API Keys, click Revoke on the row. Revocation is immediate; subsequent requests with that key return 401. The audit log preserves the key’s history (who created it, when it was last used, when it was revoked).

Each key shows when it was last used — useful for spotting stale keys that should be retired. Keys unused for 90+ days are good rotation candidates.