REST API and Security

Revo exposes a full REST API for triggering and managing workflows, secured with long lived scoped tokens, IP and domain allowlisting, webhook signature verification, multi layer rate limiting, and encryption at rest.

How it works

You generate a long lived access token in the API settings and pick exactly the scopes the integration needs, from reading a single workflow to full workspace access. You then configure which IP ranges and domains can use each token, so a leaked credential alone is not enough to make a request.

External systems trigger any workflow through REST endpoints. Each request is authenticated, scope checked, signature verified, rate limited, and audit logged. Incoming webhooks are verified against a signed signature computed from the payload and a shared secret, and requests that fail any check are rejected before any workflow runs and recorded in the trigger log.

Key capabilities

• Full REST API for triggering workflows, listing and managing workflows, retrieving runs and execution logs, configuring webhooks, and querying analytics.
• Long lived access tokens with custom scopes that rotate or revoke independently.
• IP and domain allowlisting per token, checked before the token itself.
• Trusted signature verification on every incoming webhook.
• Multi layer rate limiting at the API layer and the workflow layer, both configurable.
• Encryption at rest for every variable, secret, and credential using workspace specific keys.

Tips