Vanta Connections

Vanta connections let agents call the Vanta API to inspect controls, evidence, vendors, and audits in your Vanta workspace. Authentication uses OAuth 2.0 Client Credentials — Firetiger exchanges the client ID and secret for an access token at request time and refreshes it automatically.

Recommended: Create and manage connections via the web UI at https://ui.cloud.firetiger.com/settings/connections

Setup

  1. In the Vanta web app, open Settings → API & Integrations
  2. Create a new API client and copy the client ID and client secret
  3. Note the scopes you select — they determine which API endpoints the connection can call

Connection Parameters

Authentication

Vanta only supports OAuth Client Credentials.

"oauth_client_credentials": {
  "token_url": "https://api.vanta.com/oauth/token",
  "client_id": "<client-id>",
  "client_secret": "<client-secret>",
  "scopes": "vanta-api.all:read"
}
| Field | Description |
|---|---|
| token_url | Vanta’s token endpoint — https://api.vanta.com/oauth/token |
| client_id | API client ID from Vanta |
| client_secret | API client secret from Vanta |
| scopes | Space-separated scopes (e.g., vanta-api.all:read) |

Optional Parameters

| Parameter | Type | Description | Default |
|---|---|---|---|
| read_only | bool | Advisory hint to the agent that only GET requests are allowed — not enforced by the proxy. Scope the OAuth client to read-only scopes for a hard guarantee | false |

Example Connection

{
  "display_name": "Vanta Compliance",
  "description": "Vanta compliance API — control status, evidence, and vendor lookups",
  "connection_details": {
    "vanta": {
      "oauth_client_credentials": {
        "token_url": "https://api.vanta.com/oauth/token",
        "client_id": "<client-id>",
        "client_secret": "<client-secret>",
        "scopes": "vanta-api.all:read"
      },
      "read_only": true
    }
  }
}

Best Practices

  • Request only the scopes agents need: vanta-api.all:read is fine for read-heavy workflows; avoid write scopes unless an agent must modify state in Vanta
  • Enable read_only: true for any agent that doesn’t need to mutate evidence or controls
  • Rotate client secrets periodically in the Vanta dashboard; the OAuth token cache will pick up the new secret on the next refresh
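
Because read_only is only a hint, a connection definition can be checked before it is created to confirm the requested scopes back the hint up. This is an added example, not Firetiger's or Vanta's code; the names lint_vanta_connection and make_conn, the ":read" suffix rule, and the non-read scope and alternate host in the samples are assumptions made for illustration.

```python
VANTA_TOKEN_URL = "https://api.vanta.com/oauth/token"  # endpoint given on this page

def lint_vanta_connection(conn):
    """Return findings for a Vanta connection definition (empty list = clean)."""
    findings = []
    vanta = conn.get("connection_details", {}).get("vanta", {})
    oauth = vanta.get("oauth_client_credentials", {})

    # The client secret is sent to token_url, so it must be Vanta's endpoint.
    if oauth.get("token_url") != VANTA_TOKEN_URL:
        findings.append("token_url is not Vanta's token endpoint")

    scopes = oauth.get("scopes", "").split()  # scopes are space-separated
    if not scopes:
        findings.append("no scopes requested")
    # Assumption: a scope ending in ':read' grants read access only.
    non_read = [s for s in scopes if not s.endswith(":read")]

    read_only = vanta.get("read_only", False)  # documented default is false
    if read_only and non_read:
        # The hint does not restrict the token; these scopes still apply.
        findings.append("read_only is advisory; token can do more than read: "
                        + ", ".join(non_read))
    if scopes and not non_read and not read_only:
        findings.append("read-only scopes but read_only is not set")
    return findings

def make_conn(token_url, scopes, read_only):
    """Build a connection in the page's shape; credentials stay placeholders."""
    return {"display_name": "Vanta Compliance", "connection_details": {"vanta": {
        "oauth_client_credentials": {
            "token_url": token_url, "client_id": "<client-id>",
            "client_secret": "<client-secret>", "scopes": scopes},
        "read_only": read_only}}}

# Constructed samples: the first mirrors the page's example connection, the
# other two use a made-up non-read scope and a made-up host.
SAMPLES = {
    "matches page example": make_conn(VANTA_TOKEN_URL, "vanta-api.all:read", True),
    "hint without scoping": make_conn(
        VANTA_TOKEN_URL, "vanta-api.all:read vanta-api.all:write", True),
    "wrong token endpoint": make_conn(
        "https://vanta.example/oauth/token", "vanta-api.all:read", True),
}

if __name__ == "__main__":
    for name, conn in SAMPLES.items():
        print(name, "->", lint_vanta_connection(conn) or "ok")
```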
