Server Administration

Using the API

Using the API

Vanta Panel includes a REST API for programmatic account management, authenticated by bearer token. This is ideal for automating provisioning from your own billing system or scripts.

Creating a token

Issue tokens in vWHM → API Tokens. Each token:

  • Carries scopes that limit what it can do.
  • Is shown once at creation and stored only as a SHA-256 hash — save it immediately.
  • Can expire and can be revoked at any time.
  • Records its last-used time and IP on each successful call.

Every mutating API call is written to the vWHM Audit Log.

Scopes

  • accounts:read — list and view accounts.
  • accounts:write — create accounts, suspend/unsuspend, set password, set or clear plan.
  • accounts:delete — terminate accounts (and drop their databases).

A call missing the required scope returns 403 insufficient_scope.

Authentication

The API is served on the user-panel vhost (which has no HTTP Basic Auth). Authenticate every request with your token:

Authorization: Bearer vp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

If your client or proxy strips the Authorization header, send X-Api-Key: <token> instead.

Common endpoints

  • Verify a tokenGET ?api=ping (no scope required).
  • List accountsGET ?api=accounts (accounts:read).
  • View one accountGET ?api=account&user=NAME (accounts:read).
  • Create an accountPOST ?api=accounts with a JSON body (accounts:write). Returns the generated password once if you omit it.
  • Suspend / unsuspendPOST ?api=account&action=suspend or unsuspend (accounts:write).
  • Set passwordPOST ?api=account&action=password (accounts:write).
  • Set / clear planPOST ?api=account&action=plan (accounts:write).
  • TerminateDELETE ?api=account&user=NAME (accounts:delete).

Responses are JSON: success is {"ok":true, ...} and errors are {"ok":false,"error":"<code>"} with an appropriate HTTP status. Generated passwords are returned only once — there is no way to retrieve them later.

Last updated Jul 1, 2026 · Need help?