OnlyHIPAA

API

The REST API at /api/v1/ lets external tools read and update your compliance data. Authenticate with a Bearer API key:

Authorization: Bearer ohk_...

Scopes

Keys carry explicit scopes. Read scopes (findings:read, assessments:read, remediation:read) gate GET; write scopes (*:write) gate POST/PATCH. Grant only what an integration needs, and set an expiry on write-capable keys.

Reading & writing

  • GET /api/v1/{findings,assessments,remediation} — list with filters + paging (?limit= 1–100, ?offset=).
  • GET /api/v1/{evidence,vendors} — read evidence metadata (never file contents) and vendors/BAAs.
  • GET /api/v1/webhooks — list endpoints; ?catalog=1 lists subscribable events.
  • POST /api/v1/remediation — create a task (returns 201).
  • PATCH /api/v1/{findings,remediation,assessments} — update by id.
  • POST/PATCH/DELETE /api/v1/webhooks — manage webhook endpoints.

Findings and assessments are update-only via the API (findings are generated from assessments; assessments need question/scope setup done in the app).

Conventions

Responses are JSON with a data array plus count/limit/offset (findings and remediation also include total). Errors return a non-2xx status with error and message. Keys are rate-limited to 100 requests/minute (see the X-RateLimit-* response headers). The API is an Enterprise plan feature; create and scope keys in Settings → API.
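
An added example, not OnlyHIPAA's own client code: a read-only pager that walks ?limit=/?offset= with a Bearer key and raises on the documented error/message body. The host name, the ONLYHIPAA_API_KEY environment variable and the function names are assumptions; the transport is injectable so the paging logic can be exercised offline.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "https://onlyhipaa.example/api/v1"  # placeholder host (assumption)


class ApiError(Exception):
    """Non-2xx response; carries the documented `error` and `message` fields."""

    def __init__(self, status, body):
        super().__init__(f"{status} {body.get('error')}: {body.get('message')}")
        self.status, self.error = status, body.get("error")


def http_get(path, params, api_key):
    """Real transport: one GET with the Bearer key, returns (status, parsed JSON)."""
    url = f"{BASE_URL}/{path}?{urllib.parse.urlencode(params)}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {api_key}"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as exc:
        return exc.code, json.load(exc)  # error bodies are JSON per the docs


def list_all(resource, api_key, get=http_get, limit=100, max_pages=1000):
    """Collect every item of a list endpoint by walking ?limit= / ?offset=."""
    if not 1 <= limit <= 100:
        raise ValueError("limit must be 1-100")
    items, offset = [], 0
    for _ in range(max_pages):  # hard stop so a misbehaving server cannot loop us
        status, body = get(resource, {"limit": limit, "offset": offset}, api_key)
        if not 200 <= status < 300:
            raise ApiError(status, body)
        page = body["data"]
        items.extend(page)
        offset += len(page)
        total = body.get("total")  # only findings and remediation include it
        if not page or len(page) < limit or (total is not None and offset >= total):
            return items
    raise RuntimeError("max_pages reached before the listing ended")


if __name__ == "__main__":
    # Key comes from the environment, never from source control.
    findings = list_all("findings", os.environ["ONLYHIPAA_API_KEY"])
    print(len(findings), "findings")
```

A key used with this pager needs only the matching read scope, for example findings:read.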

© 2026 OnlyHIPAA, Inc. All rights reserved.
