
Overview

The VantaPrism Customer API authenticates every request with a static API key. There is no OAuth flow, session, or token exchange for the Customer API — generate a key once from your dashboard and send it on every request. The only unauthenticated endpoints are:
  • GET /v1/health
  • GET /v1/health/ready
Every other /v1/* endpoint requires a valid key.

Key format

vp_<env>_<prefix>.<secret>
  • env: live (production, billed against your plan) or test (sandbox dataset, same validation rules)
  • prefix: 8 hex characters, identifies the key (safe to log)
  • secret: 40 hex characters, the actual credential (never log this)
Example: vp_live_3f9a1c2d.8b2e4f6a1d9c0e3f7b5a2d8c4e6f1a9b3d7c5e2f0a8b6d4c
The full key is shown once, at creation time, in your dashboard. Only a hash of the secret is stored server-side, so a lost key cannot be recovered: revoke it and create a new one.
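As an added example (not VantaPrism's SDK or server code), the following Python implements the key layout described above: a validator that splits a key into env, prefix and secret, a redaction helper so logs carry only the loggable prefix, and a hypothetical server-side store that keeps a hash of the secret, looks keys up by prefix and compares the hash in constant time. The regex follows the stated lengths (8 hex prefix, 40 hex secret); the sample key printed above carries a 48-character secret, which this pattern would reject, so adjust the length if the sample reflects the real format. The KeyStore design is an assumption, not a description of the vendor's backend.

```python
import hashlib
import hmac
import re
import secrets

# Layout from the page: vp_<env>_<prefix>.<secret>, prefix = 8 hex, secret = 40 hex.
KEY_RE = re.compile(
    r"^vp_(?P<env>live|test)_(?P<prefix>[0-9a-f]{8})\.(?P<secret>[0-9a-f]{40})$"
)


def parse_key(key: str):
    """Return {'env', 'prefix', 'secret'} for a well-formed key, else None."""
    m = KEY_RE.match(key)
    return m.groupdict() if m else None


def redact(key: str) -> str:
    """Loggable form of a key: env and prefix only, secret replaced."""
    parts = parse_key(key)
    if parts is None:
        return "vp_<malformed>"
    return f"vp_{parts['env']}_{parts['prefix']}.<redacted>"


def hash_secret(secret: str) -> bytes:
    # The secret is 160 bits of random hex, so a plain SHA-256 is enough:
    # a slow password hash buys nothing against an unguessable input.
    return hashlib.sha256(secret.encode("ascii")).digest()


class KeyStore:
    """Hypothetical server-side store: prefix -> (secret hash, revoked flag)."""

    def __init__(self):
        self._rows = {}

    def create(self, env: str) -> str:
        if env not in ("live", "test"):
            raise ValueError("env must be 'live' or 'test'")
        while True:
            prefix = secrets.token_hex(4)  # 8 hex chars, must be unique per key
            if prefix not in self._rows:
                break
        secret = secrets.token_hex(20)  # 40 hex chars, 160 bits of entropy
        self._rows[prefix] = {"hash": hash_secret(secret), "revoked": False}
        # The only moment the full key exists in plaintext on the server side:
        # it is returned to the caller once and never stored.
        return f"vp_{env}_{prefix}.{secret}"

    def revoke(self, prefix: str) -> None:
        self._rows[prefix]["revoked"] = True

    def verify(self, key: str) -> str:
        """'ok', 'invalid' (malformed, unknown prefix or wrong secret) or 'revoked'."""
        parts = parse_key(key)
        if parts is None:
            return "invalid"
        row = self._rows.get(parts["prefix"])
        if row is None:
            return "invalid"
        # Constant-time compare of hashes; checked before the revoked flag so a
        # caller holding only the prefix learns nothing about the key's state.
        if not hmac.compare_digest(row["hash"], hash_secret(parts["secret"])):
            return "invalid"
        if row["revoked"]:
            return "revoked"
        return "ok"


if __name__ == "__main__":
    store = KeyStore()
    key = store.create("test")
    print(redact(key), store.verify(key))
```

Log redact(key) rather than the key itself anywhere a request is traced; the prefix is enough to correlate with the dashboard.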

Sending your key

Two header styles are accepted; use whichever fits your HTTP client better:
  • api-key: <key>
  • Authorization: Bearer <key>
curl https://api.vantaprism.me/v1/account \
  -H "api-key: vp_live_3f9a1c2d.8b2e4f6a1d9c0e3f7b5a2d8c4e6f1a9b3d7c5e2f0a8b6d4c"
Send only one of them. If both headers are present, api-key takes precedence, so a stale api-key header will silently override a fresh Bearer value. If neither is present, every protected endpoint returns:
401 Unauthorized
{
  "error": {
    "code": "INVALID_API_KEY",
    "message": "API key required (api-key header or Authorization: Bearer)"
  }
}
with a WWW-Authenticate: Bearer response header.

Scopes

Each API key is issued with a set of scopes that gate access to specific endpoint groups. Your key’s tier (free / pro / ultra) determines which scopes are available — see Rate Limits & Tiers for the full per-tier scope table.
Scope                Grants access to
search:domain        Domain search, company exposure, domain overview/assets/timeline, top-exposed
search:login         Email and username search, /v1/data/credentials
search:ip            IP/CIDR search
search:stealer       Stealer-ID search, PC-name search, victim profile lookup
search:password      Password search
search:file          File search, victim file listings
search:keyword       Keyword search and keyword → URLs
search:advanced      Advanced search, third-party risk
infection-analysis   AI infection analysis (ultra only)
view:cookies, view:autofill, view:cards, view:wallets, view:ftp, view:keychain, view:history, view:commands
                     The corresponding /v1/data/* category and victim sub-resource
Every endpoint's reference page documents its required scope. Calling an endpoint for which your key lacks the required scope returns:
403 Forbidden
{
  "error": {
    "code": "FORBIDDEN_SCOPE",
    "message": "Your API key does not have scope: 'view:keychain'"
  }
}

Other authentication error codes

HTTP status   Code                Meaning
401           INVALID_API_KEY     Missing, malformed, or unrecognized key
403           KEY_REVOKED         Key has been revoked
403           KEY_LOCKED          Key is temporarily locked (e.g. after repeated abuse)
403           CUSTOMER_INACTIVE   Your account is currently disabled
403           FORBIDDEN_SCOPE     Key is valid but lacks the required scope for this endpoint
See Errors for the full catalog covering every endpoint.

CORS

If you’re calling the API directly from a browser, the following are allowed cross-origin:
  • Methods: GET, POST, PATCH, DELETE
  • Headers: Authorization, Content-Type, api-key
Your origin must be on the allowed-origins list for your account; contact support to add a browser origin. Keep in mind that a key embedded in browser-delivered JavaScript is visible to anyone who loads the page, so a live key in the browser is a leaked key: use a test key there, or proxy calls through your own backend that holds the live key.

Rotating a key

Generate the new key from your API Access dashboard, deploy it everywhere the old key is used, confirm that the new key authenticates, and only then revoke the old one. Revocation is immediate: a revoked key returns 403 KEY_REVOKED on its next request, with no grace period.
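Added example (not the vendor's client library) tying together the authentication error table and the rotation procedure above: auth_headers builds either accepted header style, classify maps a response to the action a caller should take and pulls the missing scope out of a FORBIDDEN_SCOPE message, retryable keeps a naive retry loop from hammering a locked or revoked key, and safe_to_revoke_old is the gate to run before revoking during rotation. The injectable send callable, the GET /v1/account probe as the liveness check, and the action names are assumptions; the status codes, error codes and message texts are the ones documented on this page.

```python
import json
import re
from enum import Enum


class AuthAction(Enum):
    """What the caller should do after an authentication failure."""
    OK = "ok"              # 2xx: nothing to do
    FIX_KEY = "fix_key"    # 401 INVALID_API_KEY: missing, malformed or unknown key
    ROTATE = "rotate"      # 403 KEY_REVOKED: this key will never work again
    BACK_OFF = "back_off"  # 403 KEY_LOCKED: temporary, retrying in a loop makes it worse
    CONTACT = "contact"    # 403 CUSTOMER_INACTIVE: account-level, not fixable by a new key
    SCOPE = "scope"        # 403 FORBIDDEN_SCOPE: key is fine, it needs another scope
    OTHER = "other"        # not an auth failure (429, 5xx, undocumented code, ...)


_CODE_TO_ACTION = {
    "INVALID_API_KEY": AuthAction.FIX_KEY,
    "KEY_REVOKED": AuthAction.ROTATE,
    "KEY_LOCKED": AuthAction.BACK_OFF,
    "CUSTOMER_INACTIVE": AuthAction.CONTACT,
    "FORBIDDEN_SCOPE": AuthAction.SCOPE,
}

# The documented message reads: Your API key does not have scope: 'view:keychain'
_SCOPE_RE = re.compile(r"scope: '([^']+)'")


def auth_headers(key: str, style: str = "api-key") -> dict:
    """Build exactly one of the two accepted header styles (api-key wins if both are sent)."""
    if style == "api-key":
        return {"api-key": key}
    if style == "bearer":
        return {"Authorization": f"Bearer {key}"}
    raise ValueError("style must be 'api-key' or 'bearer'")


def classify(status: int, body: str):
    """Map (status, JSON body) to (AuthAction, detail); detail is the missing scope for SCOPE."""
    if 200 <= status < 300:
        return AuthAction.OK, None
    if status not in (401, 403):
        return AuthAction.OTHER, None
    try:
        err = json.loads(body)["error"]
        code, message = err["code"], err.get("message", "")
    except (ValueError, KeyError, TypeError):
        return AuthAction.OTHER, None
    action = _CODE_TO_ACTION.get(code, AuthAction.OTHER)
    detail = None
    if action is AuthAction.SCOPE:
        m = _SCOPE_RE.search(message)
        detail = m.group(1) if m else None
    return action, detail


def retryable(status: int, body: str) -> bool:
    """401/403 from this API are never transient; only 429 and 5xx deserve an automatic retry."""
    action, _ = classify(status, body)
    if action is not AuthAction.OTHER:
        return False
    return status == 429 or status >= 500


def safe_to_revoke_old(send, new_key: str) -> bool:
    """Rotation gate: the old key may be revoked only once the new key authenticates.

    `send(method, path, headers) -> (status, body)` is injected so this runs offline;
    probing GET /v1/account with the new key is an assumed, not documented, check.
    """
    status, body = send("GET", "/v1/account", auth_headers(new_key))
    return classify(status, body) == (AuthAction.OK, None)


if __name__ == "__main__":
    sample = """{"error": {"code": "FORBIDDEN_SCOPE", "message": "Your API key does not have scope: 'view:keychain'"}}"""
    print(classify(403, sample))
```

Log the error code and the key prefix on failure, never the key itself; for BACK_OFF the right move is to stop and alert, since repeated attempts are what locked the key in the first place.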