Authentication

Four ways to authenticate with the Velocity API.

Workspace API Keys

Workspace API keys grant access to a single workspace's resources. Create a key from Settings → API Keys, then include it in the Authorization header:

Authorization: Bearer vel_your_api_key_here
X-Workspace-Slug: your-workspace

Workspace keys are prefixed with vel_ and stored as SHA-256 hashes. The full key is displayed only once at creation time. Each key has scoped permissions — you can create read-only or read-write keys. The workspace is automatically resolved from the key, but you can also pass X-Workspace-Slug to be explicit.

Workspace Key Scopes

Scope	Description
`issues:read`	Read issues and comments
`issues:write`	Create, update, delete issues
`projects:read`	Read projects, cycles, milestones
`projects:write`	Create and modify projects
`documents:read`	Read documents
`documents:write`	Create and modify documents
`workspace:read`	Read workspace settings and members
`workspace:admin`	Manage workspace settings

Personal API Keys

Personal API keys are user-level keys that work across all workspaces you belong to. Create a key from Settings → Account → Personal API Keys:

Authorization: Bearer velu_your_personal_key_here
X-Workspace-Slug: target-workspace

Personal keys are prefixed with velu_ (note the ufor “user”). Unlike workspace keys, they do not auto-resolve a workspace — pass the X-Workspace-Slug header to target a specific workspace. Without the header, only user-level operations (like listing workspaces or reading your profile) are available.

Personal Key Scopes

Scope	Description
`user:read`	Read your own profile
`user:write`	Update your own profile
`workspaces:list`	List workspaces you belong to
`workspaces:create`	Create new workspaces
`workspaces:update`	Update workspace settings
`workspaces:delete`	Delete workspaces
`admin`	Full user-level access

When to use which key?

Use workspace keys (vel_) for automations and integrations that only need access to one workspace. Use personal keys (velu_) for CLI tools, scripts, or applications that need to operate across multiple workspaces or manage your user profile.

OAuth 2.0

For third-party applications, use OAuth 2.0 with PKCE. Register an OAuth app from Settings → OAuth Apps to get a client ID and secret.

Authorization Flow

Redirect to authorize

GET https://velocity.quest/oauth/consent
  ?client_id=your_client_id
  &redirect_uri=https://yourapp.com/callback
  &response_type=code
  &scope=issues:read issues:write
  &state=random_state
  &code_challenge=your_challenge
  &code_challenge_method=S256

Exchange code for tokens

POST https://velocity.quest/api/oauth/token
Content-Type: application/json

{
  "grant_type": "authorization_code",
  "code": "auth_code_from_callback",
  "redirect_uri": "https://yourapp.com/callback",
  "client_id": "your_client_id",
  "code_verifier": "your_verifier"
}

Use the access token

Authorization: Bearer access_token_here

Refreshing Tokens

Access tokens expire after 1 hour. Use the refresh token to get a new one:

POST https://velocity.quest/api/oauth/token
Content-Type: application/json

{
  "grant_type": "refresh_token",
  "refresh_token": "your_refresh_token",
  "client_id": "your_client_id"
}

Session Tokens

The web application uses Supabase session tokens (JWTs) passed in the Authorization header. This method is used internally by the Velocity web client and is not recommended for external integrations.

Recommendation

Use workspace API keys for single-workspace integrations. Use personal API keys for cross-workspace tools and scripts. Use OAuth 2.0 for third-party applications that act on behalf of users.