Skip to main content
POST
/
audits
/
{auditId}
/
information-requests
/
{requestId}
/
flag-evidence
TypeScript
import { Vanta } from "vanta-auditor-api-sdk";

const vanta = new Vanta({
  bearerAuth: process.env["VANTA_BEARER_AUTH"] ?? "",
});

async function run() {
  const result = await vanta.audits.flagInformationRequestEvidence({
    auditId: "<id>",
    requestId: "<id>",
    flagInformationRequestEvidenceInput: {
      auditorEmail: "<value>",
      reason: "<value>",
    },
  });

  console.log(result);
}

run();
{
  "id": "6890e473dce1da5d8406f5e7",
  "uniqueId": "1466132",
  "additionalControlIds": [],
  "approvalStatus": "NEEDS_EVIDENCE",
  "cadence": "ANNUALLY",
  "frameworkCodes": [
    "SOC2_CC6.1"
  ],
  "description": "Provide the data deletion evidence for a sample of terminated customers",
  "dueDate": "2025-10-28T00:00:00.000Z",
  "evidenceCaptureDate": "2025-10-28T00:00:00.000Z",
  "requestId": null,
  "requestType": "SAMPLE",
  "title": "Terminated Customer Deletion Evidence",
  "creationDate": "2025-08-01T12:34:56.000Z",
  "modificationDate": "2025-08-02T08:00:00.000Z",
  "deletionDate": null,
  "ownerAssignment": {
    "type": "user",
    "id": "507f1f77bcf86cd799439011",
    "displayName": "John Doe"
  }
}

Documentation Index

Fetch the complete documentation index at: https://vanta.mintlify.app/llms.txt

Use this file to discover all available pages before exploring further.

Authorizations

Authorization
string
header
required

Bearer authentication header of the form Bearer <token>, where <token> is your auth token.

Path Parameters

auditId
string
required
requestId
string
required

Body

application/json

Input for flagging evidence on an information request, indicating issues that need to be addressed. This changes the request's approvalStatus to a flagged state and creates an activity log entry.

The customer will be notified and can resubmit evidence after addressing the issues.

auditorEmail
string
required

Email of the auditor flagging the evidence. Must match an existing Vanta user who belongs to the audit firm making the API request.

reason
string
required

Detailed explanation of what issues were found with the evidence. This reason is visible to the customer and guides them on what to fix. Must be at least 1 character.

Response

200 - application/json

Ok

Information Request resource representing a single request for audit evidence from a customer.

An information request is created by an auditor and shared with the customer organization. The customer then uploads evidence, which the auditor reviews and either approves or flags for issues.

id
string
required

The unique identifier for the information request within Vanta's system. This is the primary identifier used in all API endpoints. Format: ObjectId as a string (e.g., "6890e473dce1da5d8406f5e7")

uniqueId
string
required

External unique ID to prevent duplicates across different audit systems. Used for idempotency when syncing data between external audit management systems and Vanta. Unlike id, this value is provided by the external system.

additionalControlIds
string[]
required

Additional control IDs beyond those automatically mapped from framework codes. Allows manual association with specific controls when automatic mapping is insufficient. Each ID should reference a valid control in your audit framework.

approvalStatus
enum<string>
required

Current approval status tracking the request's lifecycle through evidence submission and auditor review.

Available options:
NEEDS_EVIDENCE,
READY_FOR_AUDIT,
AUDITOR_APPROVED,
AUDITOR_FLAGGED
cadence
enum<string>
required

How frequently this information request recurs (e.g., annual password policy reviews). Null for one-time requests.

Available options:
ANNUALLY,
BIANNUALLY,
MONTHLY,
QUARTERLY
frameworkCodes
string[]
required

The framework codes this request addresses. Links the request to specific compliance requirements. Can be an empty array if no framework codes are associated. These codes correspond to standards like SOC 2, ISO 27001, etc.

description
string | null
required

Detailed description explaining what evidence is needed and why. Should provide clear instructions to help the customer understand what to submit.

dueDate
string<date-time> | null
required

The deadline by which the customer must fulfill this request. Null if no specific deadline is set. Format: ISO 8601 UTC timestamp.

evidenceCaptureDate
string<date-time> | null
required

The earliest date for which evidence should be captured. Evidence dated before this date may not be accepted. Null if not restricted. Format: ISO 8601 UTC timestamp.

requestId
string | null
required

Non-unique external reference ID for this request. Unlike uniqueId which must be unique, requestId is for display/reference purposes only (e.g., "REQ-123"). Null if not provided.

requestType
enum<string>
required

Defines the scope of evidence required.

Available options:
POINT_IN_TIME,
POPULATION,
SAMPLE
title
string
required

Short, descriptive title summarizing what is being requested.

creationDate
string<date-time>
required

Timestamp when the request was created in the system. Format: ISO 8601 UTC timestamp.

modificationDate
string<date-time>
required

Timestamp when the request was last modified. Format: ISO 8601 UTC timestamp.

deletionDate
string<date-time> | null
required

Timestamp when the request was soft-deleted. Null if the request has not been deleted. Soft deletes allow retaining history while hiding the request from normal operations. Format: ISO 8601 UTC timestamp.

ownerAssignment
object
required

Resource owner (user or team) assigned to this information request. Returns null if no resource owner is assigned.