Skip to main content

API endpoints

The Vasco API is hosted on a dedicated subdomain for each client. Replace <client> in every URL below with the slug provided by Vasco (for example acme).

Two GraphQL endpoints are exposed side by side:

EndpointPathAuthenticationUse
Authenticated API/graphql/JWT Bearer tokenAll business operations: accounts, users, investments, KYC, transactions...
Public API/public/graphql/None (token optional)Sign-up, password reset, environment configuration

Each endpoint is available in two environments.

Production

APIURL
Authenticatedhttps://api.<client>.vasco.fund/graphql/
Publichttps://api.<client>.vasco.fund/public/graphql/

Preproduction

Preproduction is isolated from production data — use it for integration testing.

APIURL
Authenticatedhttps://api.preprod.<client>.vasco.fund/graphql/
Publichttps://api.preprod.<client>.vasco.fund/public/graphql/

Headers

Requests to the authenticated endpoint must include a JWT in the Authorization header:

Authorization: Bearer <YOUR_TOKEN_HERE>
Content-Type: application/json

See the Authentication guide for how to obtain a token.

The public endpoint accepts the same Authorization header but does not require it — anonymous requests are allowed for the operations it exposes.

Choosing the right endpoint

  • No user context yet (registration, password reset, fetching feature flags before login) → Public API. See the available operations under the Public API section of the API Reference.
  • Acting on behalf of a logged-in user (any business workflow) → Authenticated API. Browse the Queries, Mutations, and Types sections of the API Reference.