Authorize using OAuth

For private integrations, we use the client credentials grant type to authorize your script or batch job to send resources to your Vanta instance.

Unlike other OAuth grant types, there is no need for an authorization step, because private integrations are intended for your organization only and are never used by a third party. The client ID and secret obtained in the previous step are submitted to Vanta's token endpoint directly in exchange for an access token.

To obtain your access token, submit a POST request to the following token URL with the information below in the body:

https://api.vanta.com/oauth/token

  • client_id: this can be found on the developer console.

  • client_secret: this was copied when you first created your application. (Ensure this is stored securely on your server.)

  • scope: the list of permissions you would like for your token, separated by spaces.

  • grant_type: This should always be set to "client_credentials".

    📘

    Scopes

    Scopes define the set of permissions your application can request. We support the following scopes:

    • connectors.self:write-resource - Allows you to send resources to Vanta
    • connectors.self:read-resource - Allows your application to read the resources you previously sent to Vanta

    You will likely want both of these scopes for your application. The read scope is useful for ensuring that the data you've sent has successfully made its way into Vanta.

curl -X POST -H 'Content-Type: application/json' -d \
'{    
  "client_id": "vci_my_client_id",
  "client_secret": "vcs_my_client_secret",
  "scope": "connectors.self:write-resource connectors.self:read-resource",
  "grant_type": "client_credentials"
}' https://api.vanta.com/oauth/token

You'll receive the following response

{    
  "access_token": "[some_access_token]"`,
  "expires_in": 3600,
  "token_type": "Bearer"
}
  • access_token is used in future requests to send data to Vanta.
  • expires_at is in seconds and describes when the generated access token will expire (currently 1 hour).

Please note that no refresh tokens are issued for private apps. Simply submit a new client credentials request as above to receive a new access token once the original token expires.