Data Tokens (Vecto)
Data tokens authenticate requests to the Vecto vector storage API. They're separate from Platform API tokens, which authenticate against the platform's GraphQL and REST endpoints.
You create and manage data tokens from the Tokens page in any project.
Token Types
Vecto has three token types, each with different privileges:
| Operation | PUBLIC | USAGE | ACCOUNT_MANAGEMENT |
|---|---|---|---|
| Lookup data | yes | yes | yes |
| Ingest data | no | yes | yes |
| Edit data and attributes | no | yes | yes |
| Management operations | no | no | yes |
| Metrics operations | no | no | yes |
| Create / modify / delete tokens | no | no | yes |
| Create / modify / delete vector spaces | no | no | yes |
When to Use Each Type
- PUBLIC — Lookup-only. Use for public-facing applications where only reads are needed (search UIs, demos, embedded search widgets).
- USAGE — Read + write within specific vector spaces. Use for application backends that need to ingest and update data but shouldn't manage infrastructure.
- ACCOUNT_MANAGEMENT — Full control. Use for administrative tools, automation that provisions vector spaces, or any code that manages tokens.
Scoping
- PUBLIC and USAGE tokens can be scoped to one or more specific vector spaces — pick which spaces the token can access when you create it.
- ACCOUNT_MANAGEMENT tokens automatically have access to all vector spaces in the project. You can't scope them.
Rule of Thumb
Choose the least privileged token that still does the job.
A leaked PUBLIC token is annoying. A leaked ACCOUNT_MANAGEMENT token can let an attacker delete your entire vector index.
tip
Store tokens in your secret manager, not in source control. Rotate them when team members leave or when you suspect exposure.
Related
- Create a Platform API Token — for authenticating against the platform API (GraphQL, REST)
- Create a Vector Space — start managing knowledge bases