Authentication

API Keys

API keys are the primary way to authenticate with the VectorLay API. Each key is scoped to your organization and can be created or revoked from the dashboard.

# Include your API key in the Authorization header
curl -H "Authorization: Bearer vl_your_api_key" \
  https://api.vectorlay.com/v1/clusters

Key format

API keys follow the format vl_ followed by 32 random characters. Keys are shown once at creation time and cannot be retrieved later.

Key management

Create: Generate new keys from the dashboard API Keys page
Name: Give keys descriptive names (e.g., "production", "ci-cd")
Revoke: Immediately disable a key if compromised
Rotate: Create a new key, update your services, then revoke the old one

Organization Roles

VectorLay uses role-based access control within organizations:

Owner

Full access. Can manage billing, members, API keys, and all resources. One per organization.

Admin

Can manage clusters, API keys, and invite members. Cannot modify billing or delete the organization.

Member

Can create and manage their own clusters. Can view organization resources.

SSH Keys

For SSH access to your VMs, add SSH public keys to your organization settings. All organization members' keys are authorized on every VM in the organization.

# Connect to your VM via SSH
ssh <vm-id>@ssh.vectorlay.com

Security Best Practices

Never commit API keys to source control
Use environment variables or secret managers
Rotate keys regularly and after team member departures
Use the minimum required role for each team member
Revoke unused keys promptly