Vectara REST API v2
The Vectara Platform to context engineer Enterprise Agents. The REST API gives you server-side control with enterprise-grade RBAC, multi-tenancy, and full observability. Build agents that combine Vectara's multimodal retrieval with tool use, structured instructions, and managed sessions — all through simple REST endpoints.
All endpoints live at https://api.vectara.io/v2/<resource> using lowercase, hyphenated paths (e.g. /corpora/:corpus_key/documents).
API conventions
We follow standard REST conventions: GET to read, POST to create, PATCH to update, PUT to replace, and DELETE to remove. Actions that don't map to CRUD verbs use a separate POST /<resource>/<action> path (e.g. POST /corpora/:corpus_key/reset).
Backward compatibility — New fields may be added to any response at any time. Fields are never removed, only deprecated. Clients should ignore unknown fields.
Authentication methods
Every API request must be authenticated using one of these methods:
API Key — Pass your key in the x-api-key header. Create API keys with precise roles for least-privilege access, or use personal API keys that inherit the same roles as your user account.
OAuth 2.0 — Use the client credentials flow to obtain a JWT token from https://auth.vectara.io/oauth2/token, then pass it in the Authorization: Bearer <token> header. Tokens expire after 30 minutes.
Role-based access control
Each endpoint requires specific roles. Vectara uses three role types:
API Roles (account-wide): owner, administrator, corpus_administrator, corpus_developer, corpus_viewer, agent_administrator, agent_developer, agent_viewer, agent_user, pipeline_administrator, pipeline_viewer, viewer.
Corpus Roles (per-corpus): owner, administrator, editor, viewer.
Agent Roles (per-agent): agent_administrator, agent_developer, agent_viewer, agent_user.
A user's effective permissions are the union of their API roles, corpus roles, and agent roles. See Role-based access control for the full role hierarchy.