Server Administration
Using the API
Using the API
Vanta Panel includes a REST API for programmatic account management, authenticated by bearer token. This is ideal for automating provisioning from your own billing system or scripts.
Creating a token
Issue tokens in vWHM → API Tokens. Each token:
- Carries scopes that limit what it can do.
- Is shown once at creation and stored only as a SHA-256 hash — save it immediately.
- Can expire and can be revoked at any time.
- Records its last-used time and IP on each successful call.
Every mutating API call is written to the vWHM Audit Log.
Scopes
accounts:read— list and view accounts.accounts:write— create accounts, suspend/unsuspend, set password, set or clear plan.accounts:delete— terminate accounts (and drop their databases).
A call missing the required scope returns 403 insufficient_scope.
Authentication
The API is served on the user-panel vhost (which has no HTTP Basic Auth). Authenticate every request with your token:
Authorization: Bearer vp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
If your client or proxy strips the Authorization header, send X-Api-Key: <token> instead.
Common endpoints
- Verify a token —
GET ?api=ping(no scope required). - List accounts —
GET ?api=accounts(accounts:read). - View one account —
GET ?api=account&user=NAME(accounts:read). - Create an account —
POST ?api=accountswith a JSON body (accounts:write). Returns the generated password once if you omit it. - Suspend / unsuspend —
POST ?api=account&action=suspendorunsuspend(accounts:write). - Set password —
POST ?api=account&action=password(accounts:write). - Set / clear plan —
POST ?api=account&action=plan(accounts:write). - Terminate —
DELETE ?api=account&user=NAME(accounts:delete).
Responses are JSON: success is {"ok":true, ...} and errors are {"ok":false,"error":"<code>"} with an appropriate HTTP status. Generated passwords are returned only once — there is no way to retrieve them later.