All /api/v1/* routes and POST /api/mcp require an Authorization header:
Authorization: Bearer <token>
The service validates the token and only returns data for the authenticated Vings user.

Token types

OAuth access tokens

User access tokens from the Vings OAuth flow or from a signed-in Vings session (for example, your app after the user signs in). Use the token value in the Authorization header.

Vings personal access tokens (PAT)

Tokens prefixed with vng_pat_. Create and manage them in your Vings account settings. PATs include explicit Vings scopes and only access your data. Send the token in the Authorization header the same way as an OAuth access token. Cookie-based auth across subdomains is not supported on this API in v1.

OAuth protected-resource metadata

MCP and REST clients that support RFC 9728 discovery can read:
  URL                                                  Resource
  GET /api/.well-known/oauth-protected-resource        REST API
  GET /api/.well-known/oauth-protected-resource/mcp    MCP at /api/mcp
The metadata includes authorization_servers for the Vings OAuth issuer used for sign-in and consent. Unauthenticated POST /api/mcp requests return 401 with a WWW-Authenticate challenge pointing at the MCP metadata URL. Standard OIDC scopes (openid, email, profile) apply at authorize time. Vings data scopes are stored on the OAuth client and shown on the Vings consent screen.
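The discovery flow above (401 challenge, metadata document, authorization server), written out as an added example; this is not Vings client code. It assumes the 401 challenge carries the metadata URL in the `resource_metadata` auth-param that RFC 9728 defines (the text only says the challenge points at the metadata URL), and the host names in the sample header and metadata are placeholders. The metadata paths are the two documented above.

```python
"""Added example: RFC 9728 protected-resource discovery for the
/api/mcp resource, driven by a constructed 401 challenge and a
constructed metadata document (placeholders, not captured from Vings).
"""
import json
import re
from urllib.parse import urlsplit

# Documented metadata locations, relative to the API origin.
METADATA_PATHS = {
    "rest": "/api/.well-known/oauth-protected-resource",
    "mcp": "/api/.well-known/oauth-protected-resource/mcp",
}

# auth-param = token "=" ( token / quoted-string )
_AUTH_PARAM = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*(?:"([^"]*)"|([^\s,]+))')


def metadata_url(origin: str, kind: str) -> str:
    """Build the documented metadata URL for 'rest' or 'mcp'."""
    return origin.rstrip("/") + METADATA_PATHS[kind]


def parse_bearer_challenge(www_authenticate: str) -> dict:
    """Parse the auth-params of a `Bearer` challenge into a dict."""
    scheme, _, params = www_authenticate.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError(f"unexpected challenge scheme {scheme!r}")
    return {key: (quoted or bare) for key, quoted, bare in _AUTH_PARAM.findall(params)}


def metadata_url_from_401(www_authenticate: str) -> str:
    """Extract the resource_metadata URL (assumed RFC 9728 param name)."""
    params = parse_bearer_challenge(www_authenticate)
    if "resource_metadata" not in params:
        raise ValueError("challenge does not advertise resource_metadata")
    return params["resource_metadata"]


def choose_authorization_server(metadata: dict, expected_resource: str) -> str:
    """Validate the metadata before trusting it, then pick the issuer.

    The `resource` check ties the document to the URL the client is
    actually calling; without it a client could be steered to another
    resource's issuer. Only https issuers are accepted.
    """
    if metadata.get("resource") != expected_resource:
        raise ValueError("metadata 'resource' does not match the API we are calling")
    servers = metadata.get("authorization_servers") or []
    https_servers = [s for s in servers if urlsplit(s).scheme == "https"]
    if not https_servers:
        raise ValueError("no https authorization server advertised")
    return https_servers[0]


def discover(www_authenticate: str, resource_url: str, fetch) -> str:
    """End to end: 401 challenge -> metadata URL -> validated issuer.

    `fetch(url)` returns the parsed metadata JSON; it is injected so the
    example runs offline. Requiring the metadata URL to sit on the
    resource's own origin is a defensive policy choice of this example.
    """
    url = metadata_url_from_401(www_authenticate)
    parts = urlsplit(resource_url)
    origin = f"{parts.scheme}://{parts.netloc}"
    if not url.startswith(origin + "/"):
        raise ValueError("metadata URL must be on the resource's own origin")
    return choose_authorization_server(fetch(url), resource_url)


# Constructed sample inputs (placeholder hosts).
SAMPLE_RESOURCE = "https://api.example.invalid/api/mcp"
SAMPLE_401_HEADER = (
    'Bearer realm="vings", '
    'resource_metadata="https://api.example.invalid/api/.well-known/oauth-protected-resource/mcp"'
)
SAMPLE_METADATA = json.loads("""{
  "resource": "https://api.example.invalid/api/mcp",
  "authorization_servers": ["https://auth.example.invalid"],
  "bearer_methods_supported": ["header"]
}""")

if __name__ == "__main__":
    issuer = discover(SAMPLE_401_HEADER, SAMPLE_RESOURCE, lambda url: SAMPLE_METADATA)
    print("authorization server:", issuer)
```

`bearer_methods_supported: ["header"]` in the constructed document mirrors the page's rule that tokens go in the Authorization header only.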

Vings scopes

When a bearer token includes vings_scopes, scope, or scopes claims, REST routes and MCP tools enforce the matching permissions. PATs always include scoped access.
  Scope               Access
  profile:read        User profile
  transactions:read   Transactions
  cashflow:read       Cashflow summaries
  spending:read       Spending aggregates
  budgets:read        Budgets
  banks:read          Connected banks status
  wallets:read        Wallet-related data
  portfolio:read      Portfolio
  preferences:read    Preferences
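A scope check of the kind the paragraph above describes, as an added example rather than the service's own enforcement code. It assumes common OAuth claim shapes (`scope` as a space-separated string, `scopes` and `vings_scopes` as either a list or the same string form), and that the claims dict is the payload of a token whose signature and expiry were already verified. The route-to-scope mapping is hypothetical except for `/api/v1/me`, which the page names as the token check endpoint; the example fails closed when no scope claim is present.

```python
"""Added example: enforce the documented Vings data scopes from the
three claim names the docs list (vings_scopes, scope, scopes).
"""
from collections.abc import Iterable

# The scope table from the docs; anything else is ignored.
DOCUMENTED_SCOPES = frozenset({
    "profile:read", "transactions:read", "cashflow:read", "spending:read",
    "budgets:read", "banks:read", "wallets:read", "portfolio:read",
    "preferences:read",
})

# Hypothetical route -> required scope mapping for the demo.
ROUTE_SCOPES = {
    "/api/v1/me": "profile:read",
    "/api/v1/transactions": "transactions:read",
    "/api/v1/portfolio": "portfolio:read",
}


def _as_scope_set(value) -> set:
    """Normalise one claim value: None, space-separated string, or list."""
    if value is None:
        return set()
    if isinstance(value, str):
        return set(value.split())
    if isinstance(value, Iterable):
        return {str(v) for v in value}
    raise TypeError("unsupported scope claim shape")


def granted_scopes(claims: dict) -> set:
    """Union of the three claim names, restricted to documented scopes.

    Restricting to the documented set means an unknown string such as
    "admin:write" grants nothing, in line with the read-only model.
    OIDC scopes (openid, email, profile) are dropped here too; they
    matter at authorize time, not for data access.
    """
    found = set()
    for name in ("vings_scopes", "scope", "scopes"):
        found |= _as_scope_set(claims.get(name))
    return found & DOCUMENTED_SCOPES


def has_scope(claims: dict, required: str) -> bool:
    return required in granted_scopes(claims)


def authorize(claims: dict, path: str) -> tuple:
    """Return the (status, reason) a route handler would produce.

    403 with insufficient_scope follows RFC 6750 for a valid token that
    lacks the needed scope; a token with no scope claim at all is also
    denied (fail closed).
    """
    required = ROUTE_SCOPES.get(path)
    if required is None:
        return 404, "unknown route"
    if has_scope(claims, required):
        return 200, "ok"
    return 403, f"insufficient_scope: {required} required"


# Constructed sample claims (not real tokens).
SAMPLE_PAT_CLAIMS = {"sub": "user_123", "vings_scopes": ["transactions:read", "profile:read"]}
SAMPLE_OAUTH_CLAIMS = {"sub": "user_123", "scope": "openid email profile transactions:read"}

if __name__ == "__main__":
    for claims in (SAMPLE_PAT_CLAIMS, SAMPLE_OAUTH_CLAIMS, {"sub": "anon"}):
        print(sorted(granted_scopes(claims)), authorize(claims, "/api/v1/portfolio"))
```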

OpenAPI security

The live OpenAPI document defines bearerAuth (http + bearer). Use the API Reference playground: enter your token in the auth control, then call GET /v1/me to verify.

Security practices

  • Do not send tokens in query strings or logs.
  • Financial responses are not cached (Cache-Control: no-store).
  • Per-user rate limits apply to REST and MCP; transaction search and portfolio endpoints have stricter limits than aggregate routes.
  • This API exposes only user-scoped read access—no admin or service credentials.
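The client-side half of the rules on this page, as an added example that is not a Vings SDK: build the Authorization header from either token type, keep the token out of URLs and logs, and verify it with the `GET /v1/me` check from the OpenAPI section. It assumes the playground's `/v1/me` is served at `/api/v1/me` under the documented `/api/v1/*` prefix, and `VINGS_BASE_URL` is a placeholder, not the real host.

```python
"""Added example: send a Vings bearer token correctly and verify it.

Placeholder base URL; set VINGS_TOKEN in the environment to run the
network step.
"""
import json
import re
import urllib.error
import urllib.request

VINGS_BASE_URL = "https://api.example.invalid"  # placeholder, not the real host
PAT_PREFIX = "vng_pat_"  # documented prefix of personal access tokens

# RFC 6750 token68 syntax: no whitespace or control characters, so a
# pasted value cannot smuggle a CR/LF into the header line.
_TOKEN68 = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")


def token_kind(token: str) -> str:
    """Classify a token by the documented PAT prefix."""
    return "pat" if token.startswith(PAT_PREFIX) else "oauth"


def authorization_header(token: str) -> dict:
    """Build the Authorization header; the token never goes in the URL."""
    if not _TOKEN68.match(token):
        raise ValueError("token contains characters not allowed in a bearer credential")
    return {"Authorization": f"Bearer {token}"}


def redact(token: str) -> str:
    """Log-safe form: the PAT prefix (if any) and the last four characters."""
    tail = token[-4:] if len(token) >= 8 else ""
    prefix = PAT_PREFIX if token.startswith(PAT_PREFIX) else ""
    return f"{prefix}...{tail}"


def verify_token(token: str, base_url: str = VINGS_BASE_URL) -> dict:
    """GET /api/v1/me (assumed path); 401 becomes PermissionError.

    The redacted token and the WWW-Authenticate challenge are the only
    things worth logging on failure.
    """
    req = urllib.request.Request(
        f"{base_url}/api/v1/me", headers=authorization_header(token), method="GET"
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code == 401:
            challenge = exc.headers.get("WWW-Authenticate")
            raise PermissionError(f"token {redact(token)} rejected: {challenge}") from exc
        raise


if __name__ == "__main__":
    import os
    tok = os.environ.get("VINGS_TOKEN", "")
    if tok:
        print(token_kind(tok), redact(tok))
        print(verify_token(tok))
```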