SSO, roles & API keys¶
Administer who can access your Vex Raptor deployment and what they can do.
Single sign-on (OIDC)¶
On enterprise plans, users authenticate through your identity provider (Okta, Entra ID, Google Workspace, Ping, or any OIDC-compliant IdP).
Configure¶
- In your IdP, create an OIDC application (web) with redirect URI
https://<host>/api/v1/auth/oidc/callback. -
Set the following in your environment:
Variable Purpose OIDC_ISSUERYour IdP issuer URL OIDC_CLIENT_IDApplication client ID OIDC_CLIENT_SECRETApplication client secret -
Restart the stack and choose Sign in with SSO on the login screen.
Vex Raptor validates the id-token signature against your IdP's JWKS on every login — it never trusts an unverified token.
Enforce SSO
Once SSO is verified, disable password login for the org so all access flows through your IdP (and its MFA/conditional-access policies).
Provisioning (SCIM)¶
Where supported, enable SCIM in your IdP to auto-provision and de-provision users and to map IdP groups to Vex Raptor roles. De-provisioning in your IdP revokes access immediately.
Roles (RBAC)¶
| Role | Can do | Cannot do |
|---|---|---|
| Admin | Manage users, API keys, org settings, run scans, read all reports | — |
| Operator | Run scans, read reports in the org | Manage users, keys, or org settings |
Privileged endpoints require the admin role and return 403 otherwise. Assign
the least role that lets someone do their job.
API keys¶
API keys authenticate automation (CI, scripts) without a user session. Manage them in the console under Org → API keys.
- Create — name the key by its use (
ci-staging,nightly-asm) so you can audit and revoke precisely. - Scope — grant only the actions the integration needs.
- Rotate — issue a new key, deploy it, then revoke the old one. No downtime.
- Revoke — immediate; the key stops working on the next request.
Keys are sent in the X-Vex-Key header. See Authentication.
Treat keys as secrets
Store API keys in your CI secret store, never in the repo. A leaked key can start scans and read reports for the whole org until revoked.
Audit log¶
Every privileged action is recorded with actor, timestamp, and org context. Export audit events to your SIEM via the API for retention and alerting.