Developer Platform
Authentication
The authentication and authorization model for the Vestval platform — tokens, scopes and least privilege.
Overview
Every API request is authenticated and every credential is scoped. We use token-based authentication with fine-grained scopes so integrations only get the access they genuinely need.
Authentication is designed around least privilege and rotation: credentials are short-lived where possible, scoped narrowly, and revocable instantly.
What this covers
Token-based
Requests are authenticated with bearer tokens issued to your integration.
Scoped access
Tokens carry fine-grained scopes so an integration only accesses what it needs.
Rotation
Credentials can be rotated and revoked instantly without downtime.
SSO & identity
Enterprise identity via SSO integrates with the platform's access model.
Least privilege
Default scopes are minimal; broader access is explicit and auditable.
Audit logging
Authentication and authorization events are logged for review.
FAQ
Frequently asked
- Requests use scoped bearer tokens issued to your integration, following least-privilege defaults.
Related across the ecosystem