Developers, API & MCP Security

Workspace API keys, MCP/API access, scopes, token revocation, workspace isolation, webhook signatures, and audit logging. Last updated: June 24, 2026.

Developer access overview

Vagle AI offers workspace-scoped API access and MCP/API tooling so teams can build dashboards and integrations on top of their own call, lead, and outcome data. This page summarizes how access, tokens, scopes, and write actions are designed to work.

Workspace API keys

Workspace API keys are created per client workspace and are read-only and scope-limited by design. A key is shown in full only once at creation time. After that, only a non-secret prefix and safe metadata (scopes, status, timestamps) are displayed; the secret is stored hashed.

Scopes and read/write separation

Access is limited by scopes such as calls, call detail, analytics, outcomes, and leads. Public read APIs are separated from write actions. Write or mutating actions (for example, connected-tool updates or configuration changes) are handled through authenticated, audited paths and may require approval or confirmation steps.

Workspace isolation

API keys, MCP tokens, and requests are scoped to a single organization and workspace. A token cannot read or act on another workspace’s data. Tools and credentials configured in one workspace are not usable from another.

Token revocation and rotation

Keys can be revoked or rotated at any time from the workspace. Revoking a key immediately stops further access using that secret. Rotating issues a new secret (shown once) and retires the old one.

Webhooks and signatures

Outbound webhooks are sent to URLs you configure and are signed with a per-endpoint signing secret so your server can verify authenticity before trusting an event. Webhook target URLs are validated to block private, internal, and metadata addresses, and the signing secret is shown only once.

Secrets and audit logs

API responses, logs, and tool execution records are designed to exclude raw secrets — API keys, OAuth tokens, webhook secrets, and provider keys are not returned in normal responses. Important actions are recorded in audit logs that capture who did what, without exposing raw secret values.

Support and security contact

For developer questions, API access, or to report a security concern, contact contact@vagle.ai.

Explore next

• Privacy Policy
• Terms and Conditions
• Security
• Acceptable Use
• Contact