Base URL
The API is served from your deployment’s API gateway. Throughout these docs we use:Authentication
Requests are authenticated with a bearer token issued by Amazon Cognito. Send it in theAuthorization header:
Organization scope
Most endpoints operate on a single organization, identified by anaccount-id query parameter (your organization’s UUID):
individual to work with personal (non-organization) data scoped to the authenticated user.
Roles & permissions
Access is governed by the caller’s role in the organization. Each role includes the ones below it.| Role | API access |
|---|---|
| Viewer | Read (GET) list, metrics, assessment, and subscriber data. |
| Member | Viewer access plus writes to vendors, lists, assessments, and documents. |
| Admin | Member access plus membership management. |
| Owner | Full control, including assigning the owner role. |
A separate platform admin group gates global vendor operations (bulk enrichment and manual vendor edits). This is distinct from your organization role — see the Vendors endpoints marked admin only.
Conventions
- Format — Request and response bodies are JSON. Send
Content-Type: application/jsonon writes. - IDs — Resources are identified by UUIDs. Vendors can also be addressed by canonical name.
- Timeouts — The API gateway enforces a 30-second integration timeout. Long operations (like large CSV imports) are chunked — send them in batches and follow the
has_more/next_row_offsetcursors in the response. - Errors — Standard HTTP status codes:
400invalid request,401missing/invalid token,403insufficient role,404not found,409conflict. Error responses include a message describing the problem.
Next
Vendors
Read the vendor directory and vendor profiles.
Vendor lists
Manage the vendors your organization tracks.
Assessments
Create and update assessments and evidence.
Metrics
Portfolio posture, incidents, and history.
