Skip to content

SSO, roles & API keys

Administer who can access your Vex Raptor deployment and what they can do.

Single sign-on (OIDC)

On enterprise plans, users authenticate through your identity provider (Okta, Entra ID, Google Workspace, Ping, or any OIDC-compliant IdP).

Configure

  1. In your IdP, create an OIDC application (web) with redirect URI https://<host>/api/v1/auth/oidc/callback.
  2. Set the following in your environment:

    Variable Purpose
    OIDC_ISSUER Your IdP issuer URL
    OIDC_CLIENT_ID Application client ID
    OIDC_CLIENT_SECRET Application client secret
  3. Restart the stack and choose Sign in with SSO on the login screen.

Vex Raptor validates the id-token signature against your IdP's JWKS on every login — it never trusts an unverified token.

Enforce SSO

Once SSO is verified, disable password login for the org so all access flows through your IdP (and its MFA/conditional-access policies).

Provisioning (SCIM)

Where supported, enable SCIM in your IdP to auto-provision and de-provision users and to map IdP groups to Vex Raptor roles. De-provisioning in your IdP revokes access immediately.

Roles (RBAC)

Role Can do Cannot do
Admin Manage users, API keys, org settings, run scans, read all reports
Operator Run scans, read reports in the org Manage users, keys, or org settings

Privileged endpoints require the admin role and return 403 otherwise. Assign the least role that lets someone do their job.

API keys

API keys authenticate automation (CI, scripts) without a user session. Manage them in the console under Org → API keys.

  • Create — name the key by its use (ci-staging, nightly-asm) so you can audit and revoke precisely.
  • Scope — grant only the actions the integration needs.
  • Rotate — issue a new key, deploy it, then revoke the old one. No downtime.
  • Revoke — immediate; the key stops working on the next request.

Keys are sent in the X-Vex-Key header. See Authentication.

Treat keys as secrets

Store API keys in your CI secret store, never in the repo. A leaked key can start scans and read reports for the whole org until revoked.

Audit log

Every privileged action is recorded with actor, timestamp, and org context. Export audit events to your SIEM via the API for retention and alerting.