API endpoints
The Vasco API is hosted on a dedicated subdomain for each client. Replace <client> in every URL below with the slug provided by Vasco (for example acme).
Two GraphQL endpoints are exposed side by side:
| Endpoint | Path | Authentication | Use |
|---|---|---|---|
| Authenticated API | /graphql/ | JWT Bearer token | All business operations: accounts, users, investments, KYC, transactions... |
| Public API | /public/graphql/ | None (token optional) | Sign-up, password reset, environment configuration |
Each endpoint is available in two environments.
Production
| API | URL |
|---|---|
| Authenticated | https://api.<client>.vasco.fund/graphql/ |
| Public | https://api.<client>.vasco.fund/public/graphql/ |
Preproduction
Preproduction is isolated from production data — use it for integration testing.
| API | URL |
|---|---|
| Authenticated | https://api.preprod.<client>.vasco.fund/graphql/ |
| Public | https://api.preprod.<client>.vasco.fund/public/graphql/ |
Headers
Requests to the authenticated endpoint must include a JWT in the Authorization header:
Authorization: Bearer <YOUR_TOKEN_HERE>
Content-Type: application/json
See the Authentication guide for how to obtain a token.
The public endpoint accepts the same Authorization header but does not require it — anonymous requests are allowed for the operations it exposes.
Choosing the right endpoint
- No user context yet (registration, password reset, fetching feature flags before login) → Public API. See the available operations under the Public API section of the API Reference.
- Acting on behalf of a logged-in user (any business workflow) → Authenticated API. Browse the Queries, Mutations, and Types sections of the API Reference.