Very Good Security

VGS Accounts Management API

The VGS Accounts / control plane API administers organizations and vaults, reads account and access-log details, and manages the resources behind the platform. Authenticated with a Bearer access token obtained from the VGS OAuth2 client-credentials endpoint, with service-account scopes such as vaults:read, vaults:write, organizations:read, and access-logs:read.

GitHub OpenAPI

Documentation

📖
Documentation
https://docs.verygoodsecurity.com/vault/developer-tools/vgs-cli/service-account
📖
APIReference
https://docs.verygoodsecurity.com/vault/platform/iam

Specifications

OpenAPI
https://raw.githubusercontent.com/api-evangelist/vgs/refs/heads/main/openapi/vgs-openapi.yml

Other Resources

🔗
PostmanCollection
https://raw.githubusercontent.com/api-evangelist/vgs/refs/heads/main/collections/vgs.postman_collection.json
🔗
OpenCollection
https://raw.githubusercontent.com/api-evangelist/vgs/refs/heads/main/collections/vgs.opencollection.json

OpenAPI Specification

vgs-openapi.yml Raw ↑ 
openapi: 3.0.1
info:
  title: Very Good Security (VGS) API
  description: >-
    Specification of the public Very Good Security (VGS) APIs. Covers the VGS
    Vault HTTP API for tokenization (create / reveal / update / delete aliases)
    served from the verygoodvault.com hosts with HTTP Basic authentication, and
    the VGS Accounts (control plane) API for managing organizations, vaults, and
    routes served from accounts.apps.verygoodsecurity.com with a Bearer access
    token obtained via the OAuth2 client-credentials flow. Endpoint shapes for
    the Vault API mirror the published VGS Vault API reference; Accounts
    resources are modeled from VGS platform / IAM documentation.
  termsOfService: https://www.verygoodsecurity.com/terms
  contact:
    name: VGS Support
    email: support@verygoodsecurity.com
  version: '1.0'
servers:
  - url: https://api.sandbox.verygoodvault.com
    description: Vault API - Sandbox
  - url: https://api.live.verygoodvault.com
    description: Vault API - Live
  - url: https://api.live-eu-1.verygoodvault.com
    description: Vault API - Live EU
  - url: https://accounts.apps.verygoodsecurity.com
    description: Accounts (control plane) API
tags:
  - name: aliases
    description: Tokenization operations on the VGS Vault HTTP API.
  - name: organizations
    description: Organization resources on the VGS Accounts API.
  - name: vaults
    description: Vault resources on the VGS Accounts API.
  - name: routes
    description: Inbound / outbound proxy route resources on the VGS Accounts API.
paths:
  /aliases:
    post:
      operationId: createAliases
      tags:
        - aliases
      summary: Create aliases
      description: >-
        Stores multiple values at once and returns their aliases. May also be
        used to associate additional (secondary) aliases with the same
        underlying data as a reference alias. You cannot reference the same
        alias more than once in a single request.
      security:
        - basicAuth: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateAliasesRequest'
            examples:
              createNew:
                summary: Create a new alias
                value:
                  data:
                    - value: '122105155'
                      classifiers:
                        - bank-account
                      format: UUID
                      storage: PERSISTENT
              reference:
                summary: Reference an existing alias
                value:
                  data:
                    - alias: tok_sandbox_bhtsCwFUzoJMw9rWUfEV5e
                      format: RAW_UUID
                      storage: PERSISTENT
      responses:
        '201':
          description: Created
          content:
            application/json:
              schema:
                type: object
                properties:
                  data:
                    type: array
                    description: List of stored values along with their aliases.
                    items:
                      $ref: '#/components/schemas/RevealedData'
        default:
          $ref: '#/components/responses/ApiErrorsResponse'
    get:
      operationId: revealMultipleAliases
      tags:
        - aliases
      summary: Reveal multiple aliases
      description: >-
        Given a list of aliases, retrieves all associated values stored in the
        vault. This endpoint may expose sensitive data and is disabled by
        default; contact VGS to enable it.
      security:
        - basicAuth: []
      parameters:
        - name: q
          in: query
          required: true
          description: Comma-separated list of aliases to reveal.
          schema:
            type: string
          example: tok_sandbox_5UpnbMvaihRuRwz5QXwBFw,tok_sandbox_9ToiJHedw1nE1Jfx1qYYgz
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                type: object
                properties:
                  data:
                    type: object
                    additionalProperties:
                      $ref: '#/components/schemas/RevealedData'
        default:
          $ref: '#/components/responses/ApiErrorsResponse'
  /aliases/{alias}:
    parameters:
      - $ref: '#/components/parameters/alias'
    get:
      operationId: revealAlias
      tags:
        - aliases
      summary: Reveal single alias
      description: >-
        Retrieves a stored value along with its aliases. This endpoint may
        expose sensitive data and is disabled by default; contact VGS to enable
        it.
      security:
        - basicAuth: []
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                type: object
                properties:
                  data:
                    type: array
                    minItems: 1
                    maxItems: 1
                    items:
                      $ref: '#/components/schemas/RevealedData'
        default:
          $ref: '#/components/responses/ApiErrorsResponse'
    put:
      operationId: updateAlias
      tags:
        - aliases
      summary: Update data classifiers
      description: Apply new classifiers to the value the specified alias is associated with.
      security:
        - basicAuth: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/UpdateAliasRequest'
      responses:
        '204':
          description: No Content
        default:
          $ref: '#/components/responses/ApiErrorsResponse'
    delete:
      operationId: deleteAlias
      tags:
        - aliases
      summary: Delete alias
      description: Removes a single alias.
      security:
        - basicAuth: []
      responses:
        '204':
          description: No Content
        default:
          $ref: '#/components/responses/ApiErrorsResponse'
  /organizations:
    get:
      operationId: listOrganizations
      tags:
        - organizations
      summary: List organizations
      description: >-
        Reads basic organization details accessible to the authenticated
        service account (requires the organizations:read scope). Served from the
        VGS Accounts control plane.
      security:
        - bearerAuth: []
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                type: object
                properties:
                  data:
                    type: array
                    items:
                      $ref: '#/components/schemas/Organization'
        default:
          $ref: '#/components/responses/ApiErrorsResponse'
  /organizations/{organizationId}:
    parameters:
      - $ref: '#/components/parameters/organizationId'
    get:
      operationId: getOrganization
      tags:
        - organizations
      summary: Get organization
      description: Retrieves a single organization by identifier (organizations:read scope).
      security:
        - bearerAuth: []
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Organization'
        default:
          $ref: '#/components/responses/ApiErrorsResponse'
  /vaults:
    get:
      operationId: listVaults
      tags:
        - vaults
      summary: List vaults
      description: >-
        Lists the vaults in the organization, including name and identifier
        (requires the vaults:read scope).
      security:
        - bearerAuth: []
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                type: object
                properties:
                  data:
                    type: array
                    items:
                      $ref: '#/components/schemas/Vault'
        default:
          $ref: '#/components/responses/ApiErrorsResponse'
    post:
      operationId: createVault
      tags:
        - vaults
      summary: Create vault
      description: Creates a new vault in the organization (requires the vaults:write scope).
      security:
        - bearerAuth: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/VaultCreateRequest'
      responses:
        '201':
          description: Created
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Vault'
        default:
          $ref: '#/components/responses/ApiErrorsResponse'
  /vaults/{vaultId}:
    parameters:
      - $ref: '#/components/parameters/vaultId'
    get:
      operationId: getVault
      tags:
        - vaults
      summary: Get vault
      description: Retrieves a single vault by identifier (vaults:read scope).
      security:
        - bearerAuth: []
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Vault'
        default:
          $ref: '#/components/responses/ApiErrorsResponse'
  /vaults/{vaultId}/routes:
    parameters:
      - $ref: '#/components/parameters/vaultId'
    get:
      operationId: listRoutes
      tags:
        - routes
      summary: List routes
      description: >-
        Lists inbound and outbound proxy routes configured on the vault
        (requires the routes:read scope).
      security:
        - bearerAuth: []
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                type: object
                properties:
                  data:
                    type: array
                    items:
                      $ref: '#/components/schemas/Route'
        default:
          $ref: '#/components/responses/ApiErrorsResponse'
    post:
      operationId: createRoute
      tags:
        - routes
      summary: Create route
      description: >-
        Creates an inbound (reverse) or outbound (forward) proxy route on the
        vault that redacts or reveals sensitive data in transit (requires the
        routes:write scope).
      security:
        - bearerAuth: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/Route'
      responses:
        '201':
          description: Created
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Route'
        default:
          $ref: '#/components/responses/ApiErrorsResponse'
  /vaults/{vaultId}/routes/{routeId}:
    parameters:
      - $ref: '#/components/parameters/vaultId'
      - $ref: '#/components/parameters/routeId'
    get:
      operationId: getRoute
      tags:
        - routes
      summary: Get route
      description: Retrieves a single route by identifier (routes:read scope).
      security:
        - bearerAuth: []
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Route'
        default:
          $ref: '#/components/responses/ApiErrorsResponse'
    put:
      operationId: updateRoute
      tags:
        - routes
      summary: Update route
      description: Replaces a route configuration on the vault (routes:write scope).
      security:
        - bearerAuth: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/Route'
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Route'
        default:
          $ref: '#/components/responses/ApiErrorsResponse'
    delete:
      operationId: deleteRoute
      tags:
        - routes
      summary: Delete route
      description: Removes a route from the vault (routes:write scope).
      security:
        - bearerAuth: []
      responses:
        '204':
          description: No Content
        default:
          $ref: '#/components/responses/ApiErrorsResponse'
components:
  securitySchemes:
    basicAuth:
      type: http
      scheme: basic
      description: >-
        HTTP Basic authentication used by the VGS Vault HTTP API. Username and
        password are the vault access credentials generated in the VGS
        dashboard.
    bearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT
      description: >-
        Bearer access token used by the VGS Accounts API. Obtain the token from
        the OAuth2 client-credentials endpoint at
        https://auth.verygoodsecurity.com/auth/realms/vgs/protocol/openid-connect/token
        using a service-account client id and secret, then pass it as
        Authorization: Bearer <token>.
  parameters:
    alias:
      name: alias
      in: path
      required: true
      description: Alias to operate on.
      schema:
        type: string
      example: tok_sandbox_bhtsCwFUzoJMw9rWUfEV5e
    organizationId:
      name: organizationId
      in: path
      required: true
      description: Organization identifier.
      schema:
        type: string
    vaultId:
      name: vaultId
      in: path
      required: true
      description: Vault identifier.
      schema:
        type: string
      example: tntabcdefg
    routeId:
      name: routeId
      in: path
      required: true
      description: Route identifier.
      schema:
        type: string
  responses:
    ApiErrorsResponse:
      description: Something went wrong
      content:
        application/json:
          schema:
            type: object
            properties:
              errors:
                type: array
                minItems: 1
                items:
                  $ref: '#/components/schemas/ApiError'
  schemas:
    ApiError:
      type: object
      properties:
        status:
          type: integer
          description: HTTP status code.
        title:
          type: string
          description: High-level reason of why the request failed.
        detail:
          type: string
          description: Explanation of what exactly went wrong.
        href:
          type: string
          description: Request URL.
    AliasFormat:
      type: string
      description: Format of the generated alias string.
      enum:
        - FPE_ACC_NUM_T_FOUR
        - FPE_ALPHANUMERIC_ACC_NUM_T_FOUR
        - FPE_SIX_T_FOUR
        - FPE_SSN_T_FOUR
        - FPE_T_FOUR
        - NUM_LENGTH_PRESERVING
        - PFPT
        - RAW_UUID
        - UUID
      example: UUID
    Alias:
      type: object
      properties:
        alias:
          type: string
          description: Opaque string used to substitute the raw value.
          example: tok_sandbox_bhtsCwFUzoJMw9rWUfEV5e
        format:
          $ref: '#/components/schemas/AliasFormat'
    RevealedData:
      type: object
      properties:
        value:
          type: string
          description: Decrypted value stored in the vault.
          example: '122105155'
        classifiers:
          type: array
          description: List of tags the value is classified with.
          items:
            type: string
          example:
            - bank-account
        aliases:
          type: array
          description: List of aliases associated with the value.
          items:
            $ref: '#/components/schemas/Alias'
        created_at:
          type: string
          format: date-time
          description: Creation time, in UTC.
          example: '2019-05-15T12:30:45Z'
        storage:
          type: string
          enum:
            - PERSISTENT
            - VOLATILE
          default: PERSISTENT
          description: >-
            Storage medium. VOLATILE persists data in an in-memory store for one
            hour, required for PCI-compliant storage of card security codes.
    CreateAliasesRequestNew:
      type: object
      required:
        - value
        - format
      properties:
        value:
          type: string
          description: Raw value to encrypt and store in the vault.
          example: '122105155'
        classifiers:
          type: array
          description: List of tags to classify the value with.
          items:
            type: string
          example:
            - bank-account
        format:
          $ref: '#/components/schemas/AliasFormat'
        storage:
          type: string
          enum:
            - PERSISTENT
            - VOLATILE
          default: PERSISTENT
          description: Storage medium to use.
    CreateAliasesRequestReference:
      type: object
      required:
        - alias
        - format
      properties:
        alias:
          type: string
          description: Existing alias to use as a reference.
          example: tok_sandbox_bhtsCwFUzoJMw9rWUfEV5e
        format:
          $ref: '#/components/schemas/AliasFormat'
    CreateAliasesRequest:
      type: object
      required:
        - data
      properties:
        data:
          type: array
          minItems: 1
          maxItems: 20
          items:
            oneOf:
              - $ref: '#/components/schemas/CreateAliasesRequestNew'
              - $ref: '#/components/schemas/CreateAliasesRequestReference'
    UpdateAliasRequest:
      type: object
      required:
        - data
      properties:
        data:
          type: object
          required:
            - classifiers
          properties:
            classifiers:
              type: array
              description: List of tags to classify the value with.
              items:
                type: string
              example:
                - credit-cards
                - PII
    Organization:
      type: object
      properties:
        id:
          type: string
          description: Organization identifier.
        name:
          type: string
          description: Organization name.
        type:
          type: string
          description: Resource type.
          example: organizations
    Vault:
      type: object
      properties:
        id:
          type: string
          description: Vault identifier (tenant id).
          example: tntabcdefg
        name:
          type: string
          description: Human-readable vault name.
        environment:
          type: string
          enum:
            - SANDBOX
            - LIVE
          description: Vault environment.
        organization_id:
          type: string
          description: Owning organization identifier.
    VaultCreateRequest:
      type: object
      required:
        - name
        - environment
      properties:
        name:
          type: string
          description: Human-readable vault name.
        environment:
          type: string
          enum:
            - SANDBOX
            - LIVE
          description: Vault environment to create.
        organization_id:
          type: string
          description: Owning organization identifier.
    Route:
      type: object
      properties:
        id:
          type: string
          description: Route identifier.
        type:
          type: string
          enum:
            - INBOUND
            - OUTBOUND
          description: >-
            INBOUND (reverse) proxy routes sit between clients and your server;
            OUTBOUND (forward) proxy routes sit between your server and third
            parties.
        protocol:
          type: string
          enum:
            - HTTP
          description: Proxy protocol.
        host_endpoint:
          type: string
          description: Upstream host pattern the route applies to.
        tags:
          type: object
          additionalProperties:
            type: string
          description: Arbitrary tags applied to the route.