openapi: 3.1.0
info:
  title: Vanta API
  description: >-
    The Vanta REST API enables organizations to programmatically manage their
    security compliance posture. The API supports personnel management,
    vulnerability monitoring, resource scoping, document and test management,
    control oversight, vendor management, and custom integrations. Vanta helps
    automate compliance for SOC 2, ISO 27001, HIPAA, PCI DSS, and GDPR
    frameworks.
  version: v1
  contact:
    name: Vanta Developer Hub
    url: https://developer.vanta.com
  termsOfService: https://www.vanta.com/terms
  license:
    name: Proprietary
    url: https://www.vanta.com/terms
servers:
  - url: https://api.vanta.com
    description: Vanta API
security:
  - OAuth2: []
paths:
  /oauth/token:
    post:
      operationId: getAccessToken
      summary: Get Access Token
      description: >-
        Obtain an OAuth 2.0 access token using client credentials. Use the
        returned access_token as a Bearer token in subsequent API requests.
      tags:
        - Authentication
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              properties:
                grant_type:
                  type: string
                  enum:
                    - client_credentials
                  description: OAuth 2.0 grant type
                client_id:
                  type: string
                  description: Your Vanta client ID
                client_secret:
                  type: string
                  description: Your Vanta client secret
                scope:
                  type: string
                  description: Space-separated list of OAuth scopes
              required:
                - grant_type
                - client_id
                - client_secret
      responses:
        '200':
          description: Access token response
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AccessToken'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
  /v1/users:
    get:
      operationId: listUsers
      summary: List Active Users
      description: Retrieve a paginated list of all active users in the organization.
      tags:
        - Users
      parameters:
        - $ref: '#/components/parameters/pageSize'
        - $ref: '#/components/parameters/pageCursor'
      responses:
        '200':
          description: Paginated list of active users
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/UserListResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '429':
          $ref: '#/components/responses/RateLimited'
  /v1/people:
    get:
      operationId: listPeople
      summary: List People
      description: >-
        Retrieve a paginated list of people in the organization including
        employment status, security task completion, and training status.
      tags:
        - Users
      parameters:
        - $ref: '#/components/parameters/pageSize'
        - $ref: '#/components/parameters/pageCursor'
      responses:
        '200':
          description: Paginated list of people
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/PersonListResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '429':
          $ref: '#/components/responses/RateLimited'
  /v1/vulnerabilities:
    get:
      operationId: listVulnerabilities
      summary: Get Vulnerabilities
      description: List all vulnerabilities based on selected filters including severity and remediation status.
      tags:
        - Vulnerabilities
      parameters:
        - $ref: '#/components/parameters/pageSize'
        - $ref: '#/components/parameters/pageCursor'
        - name: severity
          in: query
          schema:
            type: string
            enum:
              - CRITICAL
              - HIGH
              - MEDIUM
              - LOW
              - INFORMATIONAL
          description: Filter by vulnerability severity
        - name: status
          in: query
          schema:
            type: string
            enum:
              - OPEN
              - REMEDIATED
              - ACCEPTED
          description: Filter by remediation status
      responses:
        '200':
          description: Paginated list of vulnerabilities
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/VulnerabilityListResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '429':
          $ref: '#/components/responses/RateLimited'
  /v1/resources/api_endpoint_vulnerability_connectors:
    get:
      operationId: listApiEndpointVulnerabilities
      summary: List API Endpoint Vulnerabilities
      description: List ApiEndpointVulnerabilityConnectors resources for the given application.
      tags:
        - Vulnerabilities
      parameters:
        - name: resourceId
          in: query
          required: true
          schema:
            type: string
          description: Vanta generated identifier for the given resource
        - $ref: '#/components/parameters/pageSize'
        - $ref: '#/components/parameters/pageCursor'
      responses:
        '200':
          description: Paginated list of API endpoint vulnerabilities
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ConnectorListResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '429':
          $ref: '#/components/responses/RateLimited'
    put:
      operationId: syncApiEndpointVulnerabilities
      summary: Sync API Endpoint Vulnerabilities
      description: Sync all ApiEndpointVulnerabilityConnectors resources for the given application.
      tags:
        - Vulnerabilities
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ApiEndpointVulnerabilitySync'
      responses:
        '200':
          description: Sync successful
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/SyncResponse'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '429':
          $ref: '#/components/responses/RateLimited'
  /v1/resources/package_vulnerability_connectors:
    get:
      operationId: listPackageVulnerabilities
      summary: List Package Vulnerabilities
      description: List PackageVulnerabilityConnectors resources for the given application.
      tags:
        - Vulnerabilities
      parameters:
        - name: resourceId
          in: query
          required: true
          schema:
            type: string
          description: Vanta generated identifier for the given resource
        - $ref: '#/components/parameters/pageSize'
        - $ref: '#/components/parameters/pageCursor'
      responses:
        '200':
          description: Paginated list of package vulnerabilities
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ConnectorListResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '429':
          $ref: '#/components/responses/RateLimited'
  /v1/resources/vulnerable_component:
    get:
      operationId: listVulnerableComponents
      summary: List Vulnerable Components
      description: List VulnerableComponent resources for the given application.
      tags:
        - Vulnerabilities
      parameters:
        - name: resourceId
          in: query
          required: true
          schema:
            type: string
          description: Vanta generated identifier for the given resource
        - $ref: '#/components/parameters/pageSize'
        - $ref: '#/components/parameters/pageCursor'
      responses:
        '200':
          description: Paginated list of vulnerable components
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ConnectorListResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '429':
          $ref: '#/components/responses/RateLimited'
  /v1/controls:
    get:
      operationId: listControls
      summary: List Controls
      description: Query information about compliance controls including control language and statuses.
      tags:
        - Controls
      parameters:
        - $ref: '#/components/parameters/pageSize'
        - $ref: '#/components/parameters/pageCursor'
        - name: frameworkId
          in: query
          schema:
            type: string
          description: Filter controls by framework identifier
        - name: status
          in: query
          schema:
            type: string
            enum:
              - PASSING
              - FAILING
              - NEEDS_ATTENTION
              - NOT_APPLICABLE
          description: Filter by control status
      responses:
        '200':
          description: Paginated list of controls
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ControlListResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '429':
          $ref: '#/components/responses/RateLimited'
  /v1/frameworks:
    get:
      operationId: listFrameworks
      summary: List Frameworks
      description: Query all compliance frameworks configured in the organization.
      tags:
        - Controls
      parameters:
        - $ref: '#/components/parameters/pageSize'
        - $ref: '#/components/parameters/pageCursor'
      responses:
        '200':
          description: Paginated list of frameworks
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/FrameworkListResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '429':
          $ref: '#/components/responses/RateLimited'
  /v1/tests:
    get:
      operationId: listTests
      summary: List Tests
      description: Query and filter test results for compliance frameworks.
      tags:
        - Tests
      parameters:
        - $ref: '#/components/parameters/pageSize'
        - $ref: '#/components/parameters/pageCursor'
        - name: status
          in: query
          schema:
            type: string
            enum:
              - PASS
              - FAIL
              - DISABLED
              - NA
          description: Filter tests by status
        - name: frameworkId
          in: query
          schema:
            type: string
          description: Filter tests by framework
      responses:
        '200':
          description: Paginated list of tests
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TestListResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '429':
          $ref: '#/components/responses/RateLimited'
  /v1/documents:
    get:
      operationId: listDocuments
      summary: List Documents
      description: Retrieve compliance evidence documents uploaded to Vanta.
      tags:
        - Documents
      parameters:
        - $ref: '#/components/parameters/pageSize'
        - $ref: '#/components/parameters/pageCursor'
      responses:
        '200':
          description: Paginated list of documents
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/DocumentListResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '429':
          $ref: '#/components/responses/RateLimited'
    post:
      operationId: uploadDocument
      summary: Upload Document
      description: Upload a compliance evidence document to Vanta.
      tags:
        - Documents
      requestBody:
        required: true
        content:
          multipart/form-data:
            schema:
              type: object
              properties:
                file:
                  type: string
                  format: binary
                  description: The document file to upload
                name:
                  type: string
                  description: Name of the document
                description:
                  type: string
                  description: Description of the document
              required:
                - file
                - name
      responses:
        '201':
          description: Document uploaded successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Document'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '429':
          $ref: '#/components/responses/RateLimited'
  /v1/vendors:
    get:
      operationId: listVendors
      summary: List Vendors
      description: Query and manage vendors and their security review information.
      tags:
        - Vendors
      parameters:
        - $ref: '#/components/parameters/pageSize'
        - $ref: '#/components/parameters/pageCursor'
        - name: riskLevel
          in: query
          schema:
            type: string
            enum:
              - CRITICAL
              - HIGH
              - MEDIUM
              - LOW
          description: Filter vendors by risk level
      responses:
        '200':
          description: Paginated list of vendors
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/VendorListResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '429':
          $ref: '#/components/responses/RateLimited'
    post:
      operationId: createVendor
      summary: Create Vendor
      description: Create a new vendor in Vanta for security review tracking.
      tags:
        - Vendors
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateVendorRequest'
      responses:
        '201':
          description: Vendor created successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Vendor'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '429':
          $ref: '#/components/responses/RateLimited'
  /v1/vendors/{vendorId}:
    get:
      operationId: getVendor
      summary: Get Vendor
      description: Retrieve a specific vendor and its security review details.
      tags:
        - Vendors
      parameters:
        - name: vendorId
          in: path
          required: true
          schema:
            type: string
          description: Unique identifier for the vendor
      responses:
        '200':
          description: Vendor details
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Vendor'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
        '429':
          $ref: '#/components/responses/RateLimited'
    patch:
      operationId: updateVendor
      summary: Update Vendor
      description: Update vendor information and security review details.
      tags:
        - Vendors
      parameters:
        - name: vendorId
          in: path
          required: true
          schema:
            type: string
          description: Unique identifier for the vendor
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/UpdateVendorRequest'
      responses:
        '200':
          description: Vendor updated successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Vendor'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
        '429':
          $ref: '#/components/responses/RateLimited'
  /v1/resources:
    get:
      operationId: listResources
      summary: List Resources
      description: List all monitored resources in scope for compliance.
      tags:
        - Resources
      parameters:
        - $ref: '#/components/parameters/pageSize'
        - $ref: '#/components/parameters/pageCursor'
        - name: resourceType
          in: query
          schema:
            type: string
          description: Filter by resource type (e.g., Computer, Repository, CloudResource)
      responses:
        '200':
          description: Paginated list of resources
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ResourceListResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '429':
          $ref: '#/components/responses/RateLimited'
  /v1/computers:
    get:
      operationId: listComputers
      summary: List Monitored Computers
      description: >-
        List all monitored computers with compliance status including
        screenlock, encryption, antivirus, and password management status.
      tags:
        - Resources
      parameters:
        - $ref: '#/components/parameters/pageSize'
        - $ref: '#/components/parameters/pageCursor'
        - name: complianceStatus
          in: query
          schema:
            type: string
            enum:
              - COMPLIANT
              - NON_COMPLIANT
          description: Filter computers by compliance status
      responses:
        '200':
          description: Paginated list of monitored computers
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ComputerListResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '429':
          $ref: '#/components/responses/RateLimited'
  /v1/integrations:
    get:
      operationId: listIntegrations
      summary: List Integrations
      description: List all configured integrations and their connection status.
      tags:
        - Integrations
      parameters:
        - $ref: '#/components/parameters/pageSize'
        - $ref: '#/components/parameters/pageCursor'
      responses:
        '200':
          description: Paginated list of integrations
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/IntegrationListResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '429':
          $ref: '#/components/responses/RateLimited'
  /v1/resources/custom:
    post:
      operationId: createCustomResource
      summary: Create Custom Resource
      description: >-
        Push custom resource data from non-integrated systems using custom
        resource schemas to extend Vanta's compliance monitoring.
      tags:
        - Integrations
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateCustomResourceRequest'
      responses:
        '201':
          description: Custom resource created
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/CustomResource'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '429':
          $ref: '#/components/responses/RateLimited'
components:
  securitySchemes:
    OAuth2:
      type: oauth2
      flows:
        clientCredentials:
          tokenUrl: https://api.vanta.com/oauth/token
          scopes:
            vanta.read: Read access to Vanta data
            vanta.write: Write access to Vanta data
            connectors.self:read-resource: Read connector resources
            connectors.self:write-resource: Write connector resources
            auditor-api.audit:read: Read audit data
            auditor-api.auditor:read: Read auditor data
  parameters:
    pageSize:
      name: pageSize
      in: query
      schema:
        type: integer
        minimum: 1
        maximum: 100
        default: 10
      description: Number of items to return per page (1-100)
    pageCursor:
      name: pageCursor
      in: query
      schema:
        type: string
      description: Cursor for pagination — start from the item following this cursor
  responses:
    BadRequest:
      description: Bad request — invalid parameters or request body
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
    Unauthorized:
      description: Unauthorized — missing or invalid access token
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
    NotFound:
      description: Resource not found
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
    RateLimited:
      description: Rate limit exceeded
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
  schemas:
    AccessToken:
      type: object
      properties:
        access_token:
          type: string
          description: OAuth 2.0 access token for API requests
        token_type:
          type: string
          description: Token type (Bearer)
        expires_in:
          type: integer
          description: Token expiration time in seconds
        scope:
          type: string
          description: Granted scopes
    PageInfo:
      type: object
      properties:
        pageSize:
          type: integer
          description: Number of items returned
        nextPageCursor:
          type: string
          nullable: true
          description: Cursor for the next page of results
        hasNextPage:
          type: boolean
          description: Whether there are more items after this page
    Error:
      type: object
      properties:
        error:
          type: string
          description: Error code
        message:
          type: string
          description: Human-readable error description
        details:
          type: array
          items:
            type: string
          description: Additional error details
    User:
      type: object
      properties:
        id:
          type: string
          description: Unique identifier for the user
        email:
          type: string
          format: email
          description: User email address
        displayName:
          type: string
          description: User display name
        role:
          type: string
          description: User role in the organization
        isActive:
          type: boolean
          description: Whether the user account is active
        createdAt:
          type: string
          format: date-time
          description: Timestamp when user was created
    UserListResponse:
      type: object
      properties:
        data:
          type: array
          items:
            $ref: '#/components/schemas/User'
        pageInfo:
          $ref: '#/components/schemas/PageInfo'
    Person:
      type: object
      properties:
        id:
          type: string
          description: Unique identifier for the person
        email:
          type: string
          format: email
          description: Person email address
        displayName:
          type: string
          description: Person display name
        employmentStatus:
          type: string
          enum:
            - EMPLOYEE
            - CONTRACTOR
            - TERMINATED
          description: Employment status
        securityTasksOverdue:
          type: integer
          description: Number of overdue security tasks
        trainingCompleted:
          type: boolean
          description: Whether security training has been completed
        backgroundCheckCompleted:
          type: boolean
          description: Whether background check has been completed
    PersonListResponse:
      type: object
      properties:
        data:
          type: array
          items:
            $ref: '#/components/schemas/Person'
        pageInfo:
          $ref: '#/components/schemas/PageInfo'
    Vulnerability:
      type: object
      properties:
        id:
          type: string
          description: Unique vulnerability identifier
        title:
          type: string
          description: Vulnerability title
        description:
          type: string
          description: Detailed vulnerability description
        severity:
          type: string
          enum:
            - CRITICAL
            - HIGH
            - MEDIUM
            - LOW
            - INFORMATIONAL
          description: Vulnerability severity level
        status:
          type: string
          enum:
            - OPEN
            - REMEDIATED
            - ACCEPTED
          description: Remediation status
        cvssScore:
          type: number
          format: float
          description: CVSS score (0-10)
        cveId:
          type: string
          description: CVE identifier if applicable
        remediationSlaDate:
          type: string
          format: date-time
          nullable: true
          description: SLA deadline for remediation
        discoveredAt:
          type: string
          format: date-time
          description: When the vulnerability was discovered
        remediatedAt:
          type: string
          format: date-time
          nullable: true
          description: When the vulnerability was remediated
        affectedResources:
          type: array
          items:
            type: string
          description: List of affected resource IDs
    VulnerabilityListResponse:
      type: object
      properties:
        data:
          type: array
          items:
            $ref: '#/components/schemas/Vulnerability'
        pageInfo:
          $ref: '#/components/schemas/PageInfo'
    ConnectorListResponse:
      type: object
      properties:
        data:
          type: array
          items:
            type: object
            additionalProperties: true
        pageInfo:
          $ref: '#/components/schemas/PageInfo'
    ApiEndpointVulnerabilitySync:
      type: object
      properties:
        resourceId:
          type: string
          description: Vanta generated identifier for the resource
        vulnerabilities:
          type: array
          items:
            type: object
            properties:
              endpoint:
                type: string
                description: API endpoint path
              method:
                type: string
                description: HTTP method
              severity:
                type: string
                enum:
                  - CRITICAL
                  - HIGH
                  - MEDIUM
                  - LOW
              description:
                type: string
                description: Vulnerability description
      required:
        - resourceId
        - vulnerabilities
    SyncResponse:
      type: object
      properties:
        synced:
          type: integer
          description: Number of records synced
        message:
          type: string
          description: Sync result message
    Control:
      type: object
      properties:
        id:
          type: string
          description: Unique control identifier
        name:
          type: string
          description: Control name
        description:
          type: string
          description: Control description and requirements
        status:
          type: string
          enum:
            - PASSING
            - FAILING
            - NEEDS_ATTENTION
            - NOT_APPLICABLE
          description: Current control status
        frameworkId:
          type: string
          description: Framework this control belongs to
        ownerId:
          type: string
          nullable: true
          description: User ID of the control owner
        testCount:
          type: integer
          description: Number of tests associated with this control
        passingTestCount:
          type: integer
          description: Number of passing tests
    ControlListResponse:
      type: object
      properties:
        data:
          type: array
          items:
            $ref: '#/components/schemas/Control'
        pageInfo:
          $ref: '#/components/schemas/PageInfo'
    Framework:
      type: object
      properties:
        id:
          type: string
          description: Unique framework identifier
        name:
          type: string
          description: Framework name (e.g., SOC 2, ISO 27001, HIPAA)
        description:
          type: string
          description: Framework description
        status:
          type: string
          enum:
            - IN_PROGRESS
            - READY_FOR_AUDIT
            - CERTIFIED
          description: Overall framework readiness status
        controlCount:
          type: integer
          description: Total number of controls in this framework
        passingControlCount:
          type: integer
          description: Number of passing controls
    FrameworkListResponse:
      type: object
      properties:
        data:
          type: array
          items:
            $ref: '#/components/schemas/Framework'
        pageInfo:
          $ref: '#/components/schemas/PageInfo'
    Test:
      type: object
      properties:
        id:
          type: string
          description: Unique test identifier
        name:
          type: string
          description: Test name
        description:
          type: string
          description: What this test checks
        status:
          type: string
          enum:
            - PASS
            - FAIL
            - DISABLED
            - NA
          description: Current test status
        controlId:
          type: string
          description: Associated control identifier
        frameworkId:
          type: string
          description: Associated framework identifier
        lastRunAt:
          type: string
          format: date-time
          nullable: true
          description: When this test was last executed
    TestListResponse:
      type: object
      properties:
        data:
          type: array
          items:
            $ref: '#/components/schemas/Test'
        pageInfo:
          $ref: '#/components/schemas/PageInfo'
    Document:
      type: object
      properties:
        id:
          type: string
          description: Unique document identifier
        name:
          type: string
          description: Document name
        description:
          type: string
          nullable: true
          description: Document description
        mimeType:
          type: string
          description: Document MIME type
        sizeBytes:
          type: integer
          description: Document size in bytes
        uploadedAt:
          type: string
          format: date-time
          description: When the document was uploaded
        uploadedBy:
          type: string
          description: User ID who uploaded the document
        downloadUrl:
          type: string
          format: uri
          description: Temporary URL to download the document
    DocumentListResponse:
      type: object
      properties:
        data:
          type: array
          items:
            $ref: '#/components/schemas/Document'
        pageInfo:
          $ref: '#/components/schemas/PageInfo'
    Vendor:
      type: object
      properties:
        id:
          type: string
          description: Unique vendor identifier
        name:
          type: string
          description: Vendor company name
        url:
          type: string
          format: uri
          nullable: true
          description: Vendor website URL
        riskLevel:
          type: string
          enum:
            - CRITICAL
            - HIGH
            - MEDIUM
            - LOW
          description: Inherent risk level
        residualRiskLevel:
          type: string
          enum:
            - CRITICAL
            - HIGH
            - MEDIUM
            - LOW
          nullable: true
          description: Residual risk level after controls
        reviewStatus:
          type: string
          enum:
            - NOT_STARTED
            - IN_PROGRESS
            - APPROVED
            - REJECTED
          description: Security review status
        hasContract:
          type: boolean
          description: Whether a contract exists with the vendor
        hasDpa:
          type: boolean
          description: Whether a Data Processing Agreement exists
        createdAt:
          type: string
          format: date-time
          description: When this vendor was added
        nextReviewDate:
          type: string
          format: date
          nullable: true
          description: Date of next scheduled security review
    VendorListResponse:
      type: object
      properties:
        data:
          type: array
          items:
            $ref: '#/components/schemas/Vendor'
        pageInfo:
          $ref: '#/components/schemas/PageInfo'
    CreateVendorRequest:
      type: object
      required:
        - name
        - riskLevel
      properties:
        name:
          type: string
          description: Vendor company name
        url:
          type: string
          format: uri
          description: Vendor website URL
        riskLevel:
          type: string
          enum:
            - CRITICAL
            - HIGH
            - MEDIUM
            - LOW
          description: Inherent risk level
        description:
          type: string
          description: Vendor description and use case
    UpdateVendorRequest:
      type: object
      properties:
        name:
          type: string
          description: Vendor company name
        url:
          type: string
          format: uri
          description: Vendor website URL
        riskLevel:
          type: string
          enum:
            - CRITICAL
            - HIGH
            - MEDIUM
            - LOW
          description: Inherent risk level
        reviewStatus:
          type: string
          enum:
            - NOT_STARTED
            - IN_PROGRESS
            - APPROVED
            - REJECTED
          description: Security review status
    Resource:
      type: object
      properties:
        id:
          type: string
          description: Unique resource identifier
        type:
          type: string
          description: Resource type (Computer, Repository, CloudResource, etc.)
        name:
          type: string
          description: Resource name
        ownerId:
          type: string
          nullable: true
          description: User ID of the resource owner
        inScope:
          type: boolean
          description: Whether this resource is in compliance scope
        createdAt:
          type: string
          format: date-time
          description: When this resource was first observed
    ResourceListResponse:
      type: object
      properties:
        data:
          type: array
          items:
            $ref: '#/components/schemas/Resource'
        pageInfo:
          $ref: '#/components/schemas/PageInfo'
    Computer:
      type: object
      properties:
        id:
          type: string
          description: Unique computer identifier
        hostname:
          type: string
          description: Computer hostname
        osName:
          type: string
          description: Operating system name
        osVersion:
          type: string
          description: Operating system version
        userId:
          type: string
          nullable: true
          description: Assigned user ID
        screenlockEnabled:
          type: boolean
          description: Whether screenlock is enabled
        diskEncryptionEnabled:
          type: boolean
          description: Whether disk encryption is enabled
        antivirusInstalled:
          type: boolean
          description: Whether antivirus software is installed
        passwordManagerInstalled:
          type: boolean
          description: Whether password manager is installed
        isCompliant:
          type: boolean
          description: Overall compliance status
        lastCheckedAt:
          type: string
          format: date-time
          nullable: true
          description: Last time compliance was checked
    ComputerListResponse:
      type: object
      properties:
        data:
          type: array
          items:
            $ref: '#/components/schemas/Computer'
        pageInfo:
          $ref: '#/components/schemas/PageInfo'
    Integration:
      type: object
      properties:
        id:
          type: string
          description: Unique integration identifier
        name:
          type: string
          description: Integration name
        type:
          type: string
          description: Integration type (GitHub, AWS, GCP, Jira, etc.)
        status:
          type: string
          enum:
            - CONNECTED
            - DISCONNECTED
            - ERROR
          description: Current connection status
        lastSyncAt:
          type: string
          format: date-time
          nullable: true
          description: Last successful sync timestamp
    IntegrationListResponse:
      type: object
      properties:
        data:
          type: array
          items:
            $ref: '#/components/schemas/Integration'
        pageInfo:
          $ref: '#/components/schemas/PageInfo'
    CreateCustomResourceRequest:
      type: object
      required:
        - resourceType
        - resourceId
        - data
      properties:
        resourceType:
          type: string
          description: Custom resource type identifier
        resourceId:
          type: string
          description: Unique identifier for this resource instance
        data:
          type: object
          additionalProperties: true
          description: Resource-type-specific data fields
        displayName:
          type: string
          description: Human-readable name for the resource
    CustomResource:
      type: object
      properties:
        id:
          type: string
          description: Vanta-generated resource identifier
        resourceType:
          type: string
          description: Custom resource type
        resourceId:
          type: string
          description: External resource identifier
        displayName:
          type: string
          nullable: true
          description: Human-readable resource name
        data:
          type: object
          additionalProperties: true
          description: Resource data fields
        createdAt:
          type: string
          format: date-time
          description: Creation timestamp
        updatedAt:
          type: string
          format: date-time
          description: Last update timestamp
tags:
  - name: Authentication
    description: OAuth 2.0 token management
  - name: Users
    description: User and personnel management
  - name: Vulnerabilities
    description: Vulnerability tracking and remediation management
  - name: Controls
    description: Compliance controls and framework management
  - name: Tests
    description: Automated test results and evidence
  - name: Documents
    description: Compliance evidence document management
  - name: Vendors
    description: Third-party vendor security review management
  - name: Resources
    description: Monitored resource management and scoping
  - name: Integrations
    description: Integration configuration and status management