All API requests to Vastal require authentication using an API key.
API Keys
API keys are scoped tokens that grant access to specific operations. You can create multiple keys with different scopes for different use cases.
Creating an API Key
- Go to Settings > Developer > API Keys
- Click Create Key
- Enter a descriptive name (e.g., "Production Integration")
- Select the required scopes
- Optionally set an expiration date
- Click Create Key
API Key Scopes
| Scope | Description |
|---|---|
| read | Read access to tables and rows |
| write | Create and update records |
| delete | Delete records |
| admin | Full administrative access |
Using Your API Key
Include your API key in the Authorization header of every request:
Authorization: Bearer vst_xxxxxxxxxxxxxxxxxxxxxxxx
Example Request
curl -X GET "https://api.vastal.com/v1/tables" \
-H "Authorization: Bearer vst_xxxxxxxxxxxxxxxxxxxxxxxx"
Key Security Best Practices
- Never expose keys in client-side code - API keys should only be used server-side
- Use minimal scopes - Only request the permissions you need
- Rotate keys regularly - Create new keys and revoke old ones periodically
- Set expiration dates - For temporary integrations, use expiring keys
- Monitor usage - Check the "Last Used" timestamp regularly
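A check for the first practice above, as an added example that is not part of the Vastal documentation: a scanner that flags hardcoded `vst_` keys in source files or built client bundles before they ship. The key pattern (prefix plus at least 20 letters or digits), the sample bundle, and the `VASTAL_API_KEY` variable name are assumptions constructed for illustration.

```python
import re

# Assumption: a real key is the "vst_" prefix followed by at least 20
# letters or digits. Adjust the pattern to the actual key format.
KEY_RE = re.compile(r"\bvst_[A-Za-z0-9]{20,}\b")


def is_placeholder(token: str) -> bool:
    """Documentation placeholders (vst_xxxx...) repeat a single character."""
    return len(set(token[len("vst_"):].lower())) == 1


def redact(token: str) -> str:
    """Never print the full key; show just enough to tell findings apart."""
    return token[:8] + "..." + token[-2:]


def scan_text(text: str, filename: str = "<input>"):
    """Return (filename, line_number, redacted_key) for every hardcoded key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            token = match.group(0)
            if not is_placeholder(token):
                findings.append((filename, lineno, redact(token)))
    return findings


# Constructed sample: a browser bundle with a key pasted in, next to a
# documentation placeholder and a server-side lookup from the environment
# (VASTAL_API_KEY is a hypothetical variable name).
SAMPLE = '''\
const docs = "Authorization: Bearer vst_xxxxxxxxxxxxxxxxxxxxxxxx";
fetch("https://api.vastal.com/v1/tables", {
  headers: { Authorization: "Bearer vst_Q7mZ2kLp9RtY4wXc8VbN3aHd" },
});
const key = process.env.VASTAL_API_KEY;
'''

if __name__ == "__main__":
    for name, lineno, key in scan_text(SAMPLE, "bundle.js"):
        print(f"{name}:{lineno}: hardcoded Vastal API key {key}")
```

Any key the scanner finds in a client bundle or repository should be treated as compromised and revoked, not just removed from the file.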
Revoking Keys
To revoke a compromised or unused key:
- Go to Settings > Developer > API Keys
- Find the key you want to revoke
- Click the trash icon
- Confirm the revocation
Warning: Revoking a key is immediate and cannot be undone. Any integrations using that key will stop working.
Rate Limits
API requests are rate-limited to ensure fair usage:
| Plan | Rate Limit |
|---|---|
| Starter | 1,000 requests/hour |
| Professional | 10,000 requests/hour |
| Enterprise | Custom limits |
Rate limit headers are included in every response:
X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 999
X-RateLimit-Reset: 1640995200