Authentication
The Vendo API uses API keys for authentication. Each API key is scoped to a single account and provides full access to that account’s resources.
Creating an API Key
- Navigate to your team’s Settings page
- Click on API Keys in the settings menu
- Click Create API Key
- Enter a descriptive name (e.g., “Production CI/CD”, “Analytics Script”)
- Copy and securely store the generated key
Important: The full API key is only shown once when created. Store it securely — you cannot retrieve it later.
API Key Format
Vendo API keys follow this format:
vendo_sk_<random-string>Example:
vendo_sk_lnSL4NOPmiOvM9uDBWKPMoUmP7WP-H5nIq1iivXfYXIThe vendo_sk_ prefix identifies it as a Vendo secret key.
Using Your API Key
Include your API key in the Authorization header of every request:
curl -H "Authorization: Bearer YOUR_API_KEY" \
https://app.vendodata.com/api/v1/appsExample in Different Languages
JavaScript (fetch)
const response = await fetch('https://app.vendodata.com/api/v1/apps', {
headers: {
'Authorization': 'Bearer YOUR_API_KEY',
'Content-Type': 'application/json'
}
});
const data = await response.json();Python (requests)
import requests
response = requests.get(
'https://app.vendodata.com/api/v1/apps',
headers={'Authorization': 'Bearer YOUR_API_KEY'}
)
data = response.json()Node.js (axios)
const axios = require('axios');
const response = await axios.get('https://app.vendodata.com/api/v1/apps', {
headers: { 'Authorization': 'Bearer YOUR_API_KEY' }
});
const data = response.data;Authentication Errors
| Status Code | Error Code | Description |
|---|---|---|
| 401 | UNAUTHORIZED | Missing or invalid API key |
| 403 | FORBIDDEN | API key lacks required permissions |
Missing API Key
{
"error": {
"code": "UNAUTHORIZED",
"message": "Missing API key. Include Authorization: Bearer <your-api-key>"
}
}Invalid API Key
{
"error": {
"code": "UNAUTHORIZED",
"message": "Invalid API key. The key may be expired, revoked, or incorrect."
}
}Managing API Keys
Viewing Keys
From the API Keys settings page, you can see:
- Key name and prefix (first 12 characters)
- Creation date
- Last used date
- Status (active/inactive)
Rolling (Rotating) Keys
To rotate an API key:
- Click the … menu on the key row
- Select Roll Key
- Copy the new key immediately
- Update your applications with the new key
Rolling creates a new key and immediately revokes the old one. Plan for brief downtime or coordinate the update across your systems.
Revoking Keys
To permanently disable an API key:
- Click the … menu on the key row
- Select Revoke Key
- Confirm the action
Revoked keys cannot be restored. Any application using the key will immediately lose access.
Security Best Practices
- Never commit API keys to version control — Use environment variables or secrets management
- Use descriptive names — Name keys by purpose (e.g., “GitHub Actions”, “Zapier Integration”)
- Rotate keys periodically — Roll keys every 90 days or after team member changes
- Use separate keys per environment — Create distinct keys for development, staging, and production
- Monitor usage — Check “Last Used” dates to identify unused keys for cleanup
Environment Variables
We recommend storing your API key in an environment variable:
Bash / Zsh
export VENDO_API_KEY="vendo_sk_your-key-here"Using in scripts
curl -H "Authorization: Bearer $VENDO_API_KEY" \
https://app.vendodata.com/api/v1/apps.env file
VENDO_API_KEY=vendo_sk_your-key-hereTip: Add
.envto your.gitignoreto prevent accidental commits.