VectorGate API Documentation
VectorGate is an edge configuration API for teams that manage routing rules, health checks, and traffic policies across distributed applications.
Edge Rule Control
Create ordered routing rules for regions, headers, methods, and weighted upstream targets.
Health Telemetry
Track upstream availability, regional latency, and policy decisions through event streams.
Scoped Access
Use per-environment keys, route-level permissions, audit logs, and signed webhook delivery.
Global Propagation
Configuration snapshots are versioned and propagated to edge locations with rollback support.
Authentication
All requests must include an API key in the Authorization header using the Bearer scheme. Keys are generated in the VectorGate workspace console.
vg_rk_) for read-only tooling and keep live secret keys server-side only.
GET /v2/rules HTTP/1.1
Host: api.vectorgate.dev
Authorization: Bearer vg_live_sk_v2_Xk9mP3rQ2nL8wT5...
Content-Type: application/jsonKey Types
| Type | Prefix | Description |
|---|---|---|
| Live | vg_live_sk_ | Full access to production resources. Never expose publicly. |
| Test | vg_test_sk_ | Sandbox environment only; no production routing changes are applied. |
| Restricted | vg_rk_ | Read-only or resource-scoped. Suitable for internal tooling. |
Base URL & Versioning
The current stable version is v2. All endpoint paths are relative to:
https://api.vectorgate.dev/v2Breaking changes are released under a new version prefix. Deprecated versions remain available for a minimum of 12 months after the successor ships.
| Version | Status | Sunset |
|---|---|---|
| v2 | Current | - |
| v1 | Deprecated | 2026-09-15 |
Request Format
All request and response bodies are JSON. Set Content-Type: application/json on every write request. Timestamps are Unix seconds (UTC).
Idempotency-Key (UUID v4) on POST requests to safely retry without duplicate route or rule creation. Keys expire after 24 hours.
| Header | Required | Description |
|---|---|---|
Authorization | required | Bearer <api_key> |
Content-Type | required | application/json on write requests |
Idempotency-Key | optional | UUID v4 for safe POST/PATCH retries |
VectorGate-Version | optional | Pin a minor version, e.g. 2024-09-15 |
Rules
A rule describes how matching requests are evaluated at the edge. Active rules are applied in priority order and can be rolled back by snapshot version.
Returns a cursor-paginated list of rules for the authenticated workspace, sorted by priority ascending.
| Parameter | Type | Default | Description |
|---|---|---|---|
limit | integer | 20 | Results per page. Range: 1-100. |
cursor | string | - | Pagination cursor from a previous response. |
route_id | string | - | Filter by route ID. |
status | enum | - | draft | active | paused | archived |
curl https://api.vectorgate.dev/v2/rules \
-H "Authorization: Bearer vg_live_sk_v2_Xk9mP3rQ2nL8wT5" \
-G -d "limit=5" -d "status=active"{
"object": "list",
"data": [
{
"id": "rule_01HX9K3M7PQ6RSTV2W4N8A",
"object": "rule",
"route_id": "rt_01HW2K1M6PC5RSTU1W3M7A",
"name": "EU read traffic",
"priority": 40,
"status": "active",
"created_at": 1714320000,
"updated_at": 1714320047
}
],
"has_more": true,
"next_cursor": "cur_eyJpZCI6Im1zZ18wMUhYOUsifQ"
}Creates a routing rule in draft mode. Publish the route snapshot when the rule set has been reviewed.
| Parameter | Type | Required | Description |
|---|---|---|---|
route_id | string | required | Route that owns the rule. |
name | string | required | Human-readable rule label. |
priority | integer | required | Evaluation priority. Lower numbers run first. |
match | object | required | Path, method, header, or region criteria. |
action | object | required | Forward, redirect, or fixed-response action. |
metadata | object | optional | Arbitrary key-value pairs for audit and search. |
curl https://api.vectorgate.dev/v2/rules \
-X POST \
-H "Authorization: Bearer vg_live_sk_v2_Xk9mP3rQ2nL8wT5" \
-H "Content-Type: application/json" \
-H "Idempotency-Key: 550e8400-e29b-41d4-a716-446655440000" \
-d '{
"route_id": "rt_01HW2K1M6PC5RSTU1W3M7A",
"name": "EU read traffic",
"priority": 40,
"match": { "region": ["eu-central-1"], "method": "GET" },
"action": { "type": "forward", "upstream_id": "up_01J2A8K6" },
"metadata": { "owner": "platform" }
}'{
"id": "rule_01HY3K8M9PQ7RSUV3X5N9B",
"object": "rule",
"route_id": "rt_01HW2K1M6PC5RSTU1W3M7A",
"name": "EU read traffic",
"priority": 40,
"status": "draft",
"metadata": { "owner": "platform" },
"created_at": 1714330512,
"updated_at": null
}Returns the full rule object including version history and current publication status.
Response - 200 OK{
"id": "rule_01HX9K3M7PQ6RSTV2W4N8A",
"object": "rule",
"status": "active",
"events": [
{ "type": "created", "at": 1714320000 },
{ "type": "validated", "at": 1714320008 },
{ "type": "published", "at": 1714320047 }
],
"published_at": 1714321204,
"created_at": 1714320000
}Archives a draft or paused rule. Returns 422 rule_published if the active snapshot still depends on it.
{
"id": "rule_01HX9K3M7PQ6RSTV2W4N8A",
"object": "rule",
"status": "archived",
"archived_at": 1714325000
}Routes
Routes define public hostnames, upstream pools, and policy boundaries for edge traffic. Configure health checks, fallback targets, and TLS settings at the route level.
Returns all routes configured for the authenticated workspace.
Response - 200 OK{
"object": "list",
"data": [
{
"id": "rt_01HW2K1M6PC5RSTU1W3M7A",
"object": "route",
"name": "Public API",
"hostname": "api.example.net",
"mode": "balanced",
"enabled": true,
"created_at": 1710000000
},
{
"id": "rt_01HW4N2P8RF7TUVW3X6Q9B",
"object": "route",
"name": "Asset Gateway",
"hostname": "assets.example.net",
"mode": "cache_first",
"enabled": true,
"created_at": 1710100000
}
]
}Creates a new route. Required fields in config depend on the chosen traffic mode and TLS policy.
| Parameter | Type | Required | Description |
|---|---|---|---|
name | string | required | Human-readable label for this route. |
hostname | string | required | Public hostname handled by the route. |
mode | enum | required | balanced | cache_first | origin_first |
config | object | required | Health check, TLS, and fallback settings. |
Partially updates a route. Only supplied fields are changed and a new draft snapshot is created.
Requestcurl https://api.vectorgate.dev/v2/routes/rt_01HW2K1M6PC5RSTU1W3M7A \
-X PATCH \
-H "Authorization: Bearer vg_live_sk_v2_Xk9mP3rQ2nL8wT5" \
-H "Content-Type: application/json" \
-d '{ "mode": "cache_first" }'Webhooks
VectorGate sends a signed POST to your endpoint whenever a tracked configuration or route event occurs. Configure endpoints in the workspace console or via the Webhooks API.
timestamp + "." + raw_body using your signing secret and compare to the VectorGate-Signature header. Reject requests that fail.
Signature Verification
import hmac, hashlib
def verify_webhook(payload: bytes, signature: str, secret: str) -> bool:
timestamp, received = signature.split(",", 1)
msg = f"{timestamp}.{payload.decode()}"
computed = hmac.new(secret.encode(), msg.encode(), hashlib.sha256).hexdigest()
return hmac.compare_digest(computed, received)Event Types
| Event | Description |
|---|---|
rule.created | Rule accepted and stored in draft state. |
rule.validated | Rule passed syntax and policy checks. |
route.published | Route snapshot published to the edge network. |
route.rollback | Route restored to an earlier snapshot. |
upstream.failed | Health checks marked an upstream unavailable. |
upstream.recovered | Health checks marked an upstream healthy again. |
Webhook Payload
All events share a common envelope with an event-specific data object.
{
"id": "evt_01HZ1K4N8PQ8RSUV4Y6O0C",
"object": "event",
"type": "route.published",
"created_at": 1714320047,
"data": {
"route_id": "rt_01HW2K1M6PC5RSTU1W3M7A",
"snapshot_id": "snap_01HZ1K4N8PQ8RSUV4Y6O0C",
"region": "global",
"published_at": 1714320047
}
}Error Codes
VectorGate uses standard HTTP status codes. Error responses always include a JSON body with a machine-readable code and a human-readable message.
Error Object
{
"error": {
"code": "route_disabled",
"message": "The specified route is currently disabled.",
"param": "route_id",
"request_id": "req_01HZ3P6Q9RF4STUW5Z8R1D"
}
}HTTP Status Codes
| Status | Meaning |
|---|---|
| 200 OK | Request succeeded. |
| 201 Created | Resource created successfully. |
| 400 Bad Request | Malformed JSON or missing required parameters. |
| 401 Unauthorized | Missing or invalid API key. |
| 403 Forbidden | Key does not have the required scope. |
| 404 Not Found | Resource does not exist or belongs to another org. |
| 409 Conflict | Duplicate idempotency key with a different body. |
| 422 Unprocessable | Request is well-formed but semantically invalid. |
| 429 Too Many Requests | Rate limit exceeded. See Retry-After header. |
| 500 Internal Error | Unexpected server error. Retry with exponential back-off. |
Application Error Codes
| Code | HTTP | Description |
|---|---|---|
invalid_api_key | 401 | Key format is invalid or has been revoked. |
insufficient_scope | 403 | Key lacks the required permission for this operation. |
resource_not_found | 404 | The requested resource ID does not exist. |
route_disabled | 422 | The target route has been disabled. |
rule_published | 422 | Rule cannot be archived while used by the active snapshot. |
priority_conflict | 400 | A rule with the same priority already exists on the route. |
rate_limit_exceeded | 429 | Request rate limit reached. Check Retry-After. |
Rate Limits
Limits are enforced per API key using a sliding window. Responses always include current limit state in response headers.
| Header | Description |
|---|---|
X-RateLimit-Limit | Maximum requests allowed in the current window. |
X-RateLimit-Remaining | Requests remaining in the current window. |
X-RateLimit-Reset | Unix timestamp when the window resets. |
Retry-After | Seconds to wait before retrying (on 429 only). |
Limits by Plan
| Plan | Requests / min | Routes |
|---|---|---|
| Free | 60 | 3 |
| Starter | 300 | 25 |
| Growth | 1 200 | 250 |
| Enterprise | Custom | Unlimited |
POST /v2/rules uses a separate per-route mutation limit in addition to the global API limit. Contact support to request higher thresholds.
SDKs & Libraries
Official client libraries are maintained for the most popular languages. Community libraries are listed in the GitHub org.
| Language | Install | Version |
|---|---|---|
| Node.js / TypeScript | npm install @vectorgate/sdk | 3.1.0 |
| Python | pip install vectorgate-sdk | 2.4.1 |
| Go | go get github.com/vectorgate/vectorgate-go | 1.8.0 |
| Ruby | gem install vectorgate-sdk | 1.3.2 |
| PHP | composer require vectorgate/sdk | 2.0.0 |
Node.js Quick Start
import VectorGate from "@vectorgate/sdk";
const client = new VectorGate({ apiKey: process.env.VECTORGATE_API_KEY! });
const rule = await client.rules.create({
route_id: "rt_01HW2K1M6PC5RSTU1W3M7A",
name: "EU read traffic",
priority: 40,
match: { region: ["eu-central-1"], method: "GET" },
});
console.log(rule.id); // "rule_01HY3K8M9PQ7RSUV3X5N9B"Python Quick Start
import vectorgate, os
client = vectorgate.Client(api_key=os.environ["VECTORGATE_API_KEY"])
rule = client.rules.create(
route_id="rt_01HW2K1M6PC5RSTU1W3M7A",
name="EU read traffic",
priority=40,
match={"region": ["eu-central-1"], "method": "GET"},
)
print(rule.id) # "rule_01HY3K8M9PQ7RSUV3X5N9B"Changelog
v2.4 - 2026-01-14
- Added snapshot diffing for route publication workflows.
- New webhook event:
upstream.recoveredfor health check recovery. - Rate-limit headers now use the
X-RateLimit-*naming convention. - Deprecated
v1API; sunset date 2026-09-15.
v2.3 - 2025-08-20
- Weighted upstream support for gradual traffic migration.
- Restricted API keys with per-resource and per-method scopes.
- Improved webhook retry policy with 5 attempts and exponential back-off.
v2.2 - 2025-03-05
- Cache-first route mode.
- Added
metadatafield to rule objects. - New
route.rollbackwebhook event.