API Keys
API keys are organization-scoped credentials with selectable permissions and an optional expiry. The same key powers the CLI, third-party integrations, and the MCP server in static-token mode.
Creating a key
Section titled “Creating a key”- Open Settings → API Keys and click Create Key.
- Give the key a name — something descriptive like “GitHub Actions CI” or “PagerDuty webhook”.
- Optionally set an expiry. Keys without an expiry never expire.
- Click Create. Vygl shows the key once — copy it immediately. The raw key is never displayed again.
Keys start with the vgl_ prefix; the first eight characters are visible in the UI for identification, the rest is secret.
Keys created from the dashboard ship with a default scope set: read, write, scan:read, scan:write, triage:write, memory:write. There’s no UI to narrow that today — for least-privilege keys, mint via the API and pass an explicit scopes array.
Scopes
Section titled “Scopes”| Scope | Grants |
|---|---|
read | Read all resources (findings, projects, scans, dependencies). |
write | Full write access (broader than triage:write / memory:write; reach for it only when needed). |
scan:read | Read scans only. |
scan:write | Submit scans (the typical CI scope). |
triage:write | Change finding status (single and bulk). |
memory:write | Create / edit organizational memory. |
admin | Admin operations (create members, integrations, etc.). |
Most automation needs only scan:write or read. Reach for broader scopes only when you have a specific reason.
Where to put the key
Section titled “Where to put the key”| Use case | How |
|---|---|
| CI / CD pipeline | Set VYGL_API_KEY as a CI secret (GitHub Secrets, GitLab CI variables, Bitbucket repository variables) |
| Local CLI | vygl auth set-key <KEY> stores it at ~/.vygl/credentials (chmod 600) |
| REST API | Authorization: Bearer vgl_... header |
| MCP (editor clients) | The client config file — see IDE Setup |
Rotating keys
Section titled “Rotating keys”There’s no built-in rotation endpoint — to rotate, create a new key, update your systems, then revoke the old one. The two-key window prevents downtime.
Revoking
Section titled “Revoking”From Settings → API Keys, click Revoke on the row. Revocation is immediate; subsequent requests with that key return 401. The audit log preserves the key’s history (who created it, when it was last used, when it was revoked).
Last-used tracking
Section titled “Last-used tracking”Each key shows when it was last used — useful for spotting stale keys that should be retired. Keys unused for 90+ days are good rotation candidates.