The REST API at /api/v1/ lets external tools read and update your compliance data. Authenticate with a Bearer API key:
Authorization: Bearer ohk_...
Keys carry explicit scopes. Read scopes (findings:read, assessments:read, remediation:read) gate GET; write scopes (*:write) gate POST/PATCH. Grant only what an integration needs, and set an expiry on write-capable keys.
- GET /api/v1/{findings,assessments,remediation} — list with filters + paging (?limit=1–100, ?offset=).
- GET /api/v1/{evidence,vendors} — read evidence metadata (never file contents) and vendors/BAAs.
- GET /api/v1/webhooks — list endpoints; ?catalog=1 lists subscribable events.
- POST /api/v1/remediation — create a task (returns 201).
- PATCH /api/v1/{findings,remediation,assessments} — update by id.
- POST/PATCH/DELETE /api/v1/webhooks — manage webhook endpoints.
Findings and assessments are update-only via the API (findings are generated from assessments; assessments need question/scope setup done in the app).
Responses are JSON with a data array plus count/limit/offset (findings and remediation also include total). Errors return a non-2xx status with error and message. Keys are rate-limited to 100 requests/minute (see the X-RateLimit-* response headers). The API is an Enterprise plan feature; create and scope keys in Settings → API.
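As an added example (not the product's own client code), the client below pages through a list endpoint with a read-only key, honours the 1–100 limit, stops on a short page or when offset reaches total, and turns any non-2xx body into an exception. The transport signature, the key names and the FakeApi server stand-in are assumptions constructed so the example runs offline.

```python
from typing import Any, Callable, Dict, List, Optional, Tuple

# Assumed transport shape: (method, path, query params, request headers) -> (status, response
# headers, parsed JSON body). A real one would wrap urllib/requests; FakeApi below stands in.
Transport = Callable[[str, str, Dict[str, Any], Dict[str, str]],
                     Tuple[int, Dict[str, str], Dict[str, Any]]]

class ApiError(Exception):
    """Raised for any non-2xx response; carries the API's error and message fields."""
    def __init__(self, status: int, error: Optional[str], message: Optional[str]):
        super().__init__(f"{status} {error}: {message}")
        self.status, self.error, self.message = status, error, message

def list_all(transport: Transport, api_key: str, resource: str,
             filters: Optional[Dict[str, Any]] = None, limit: int = 100) -> List[Dict[str, Any]]:
    """Collect every item from GET /api/v1/<resource> using ?limit=/?offset= paging."""
    limit = max(1, min(limit, 100))                      # the API accepts 1..100 per page
    headers = {"Authorization": f"Bearer {api_key}"}     # a read scope is enough for GET
    items: List[Dict[str, Any]] = []
    offset = 0
    while True:
        params = dict(filters or {}, limit=limit, offset=offset)
        status, _rate_headers, body = transport("GET", f"/api/v1/{resource}", params, headers)
        # _rate_headers carries X-RateLimit-*; a production client backs off as Remaining nears 0
        if not 200 <= status < 300:
            raise ApiError(status, body.get("error"), body.get("message"))
        items.extend(body["data"])
        offset += body["count"]
        total = body.get("total")                        # present for findings and remediation
        if body["count"] < limit or (total is not None and offset >= total):
            return items

class FakeApi:
    """Constructed server stand-in: 7 findings, scope-checked keys, rate-limit headers.
    It serves only the findings resource regardless of path (keeps the example short)."""
    KEYS = {"ohk_read_example": {"findings:read"}, "ohk_write_only_example": {"remediation:write"}}
    FINDINGS = [{"id": f"f{i}", "severity": "high" if i % 3 == 0 else "low"} for i in range(7)]

    def __init__(self) -> None:
        self.calls = 0

    def __call__(self, method, path, params, headers):
        self.calls += 1
        rhdr = {"X-RateLimit-Limit": "100", "X-RateLimit-Remaining": str(100 - self.calls)}
        key = headers.get("Authorization", "")[len("Bearer "):]
        if method == "GET" and "findings:read" not in self.KEYS.get(key, set()):
            return 403, rhdr, {"error": "forbidden", "message": "key lacks findings:read"}
        rows = [f for f in self.FINDINGS if f["severity"] == params.get("severity", f["severity"])]
        page = rows[params["offset"]: params["offset"] + params["limit"]]
        return 200, rhdr, {"data": page, "count": len(page), "limit": params["limit"],
                           "offset": params["offset"], "total": len(rows)}
```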