Skip to main content
These endpoints read the vendor directory and individual vendor profiles. Reading is available to any authenticated user; creating and editing vendor profiles is a platform-admin operation, because profiles are global and shared across the platform.

List all vendors

GET /vendors/all
Returns all vendors in the directory. Requires a valid user token.
curl https://api.vendexlabs.com/vendors/all \
  -H "Authorization: Bearer <TOKEN>"

Get a vendor

GET /vendor/{id_or_name}
Returns a vendor profile by UUID or canonical name.
curl https://api.vendexlabs.com/vendor/1password \
  -H "Authorization: Bearer <TOKEN>"
The response includes the profile (company details, security posture, privacy, business maturity, scores) and, when available, the latest_grc_assessment — the aggregate and per-domain scores, integration depth, recommendation, evidence summaries, and source citations. See Risk scoring.

Get a vendor’s security instances

GET /vendor/{id_or_name}/security-instances
Returns security-related instances (findings and signals) for the vendor.

Admin: enrichment & manual edits

The following require the platform Admins group, not just an organization role. They operate on global vendor data.
POST /vendor/... (enrichment)
Runs enrichment for one or more vendors. Body includes vendors (names), optional enrichmentSections (basic, additional, maturity, security, privacy, logo, scores), and options like createOnly. Omitting enrichmentSections runs the full pipeline.
PATCH /vendor/{id_or_name}
Applies a partial, manual update (no model calls) to whitelisted profile, security, privacy, and business-maturity fields.
POST /vendors/incident-backfill
Backfills historical incidents for vendors. Returns 202 with a run_id.
DELETE /vendor/{id_or_name}
Removes a vendor profile and related rows. Does not remove global directory entries or customer list memberships.
For most integrations you only need the read endpoints. Enrichment runs automatically when vendors are added through a vendor list.