Skip to main content

Documentation Index

Fetch the complete documentation index at: https://vanta.mintlify.app/llms.txt

Use this file to discover all available pages before exploring further.

Before you begin

This guide is for Vanta admins managing data inside their own Vanta account. You’ll need:
  • A Manage Vanta API token.
  • The token must have scopes vanta-api.all:read and vanta-api.all:write.
  • The user you’re assigning must already exist in Vanta.
Reassigning many controls at once (e.g. onboarding a new compliance lead)? Skip ahead to Bulk-assign owners.
1

Find the control

Your terminal — call GET /v1/controls and pick the control you want to assign.
Terminal
curl 'https://api.vanta.com/v1/controls?pageSize=100&frameworkMatchesAny=soc2' \
  -H 'Accept: application/json' \
  -H 'Authorization: Bearer YOUR_TOKEN'
Response
{
  "results": {
    "data": [
      {
        "id": "database-replication-utilized",
        "externalId": "BCD-4",
        "name": "Database replication utilized",
        "owner": { "id": "5fc82421a228f6b6f713547d", "displayName": "Admin Admin" }
      }
    ],
    "pageInfo": { "hasNextPage": true, "endCursor": "..." }
  }
}
Copy the id field — not externalId.
Token is expired (one-hour lifetime), missing, or lacks vanta-api.all:read. Mint a fresh one — see Authentication → Tokens expire after one hour.
Filter the response client-side by name or externalId, paginate with pageCursor if hasNextPage is true, or copy the ID directly from the Controls page URL.
2

Get a user

Your terminal — call GET /v1/people to find the user you want to assign as owner. Filter to CURRENT employees so you don’t pick someone who’s offboarded.
Terminal
curl 'https://api.vanta.com/v1/people?pageSize=100&employmentStatusMatchesAny=CURRENT' \
  -H 'Accept: application/json' \
  -H 'Authorization: Bearer YOUR_TOKEN'
Response
{
  "results": {
    "data": [
      {
        "id": "611fd13785dbc71bb89fd401",
        "emailAddress": "developers@vanta.com",
        "name": { "display": "Alejandro Ocampo" },
        "employment": { "status": "CURRENT", "jobTitle": "Security Engineer" }
      }
    ]
  }
}
Copy the id. You’ll send it as userId in the next step. Confirm employment.status is CURRENTFORMER users will be rejected by set-owner.
Filter client-side by emailAddress (most reliable), or paginate with pageCursor if hasNextPage is true. If they’re missing entirely, they may not be provisioned in Vanta yet — check the People page.
They’ve been offboarded and aren’t eligible to own controls. Pick a CURRENT user instead.
3

Assign the owner

Your terminalPOST /v1/controls/{controlId}/set-owner with the user ID in the body.
const CONTROL_ID = "YOUR_CONTROL_ID"; 
const USER_ID = "YOUR_USER_ID";     

const res = await fetch(
  `https://api.vanta.com/v1/controls/${CONTROL_ID}/set-owner`,
  {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
      Authorization: "Bearer YOUR_TOKEN",
    },
    body: JSON.stringify({ userId: USER_ID }),
  },
);
console.log(await res.json());
Expected response (200) — the full control object with the new owner:
{
  "id": "database-replication-utilized",
  "externalId": "BCD-4",
  "name": "Database replication utilized",
  "owner": {
    "id": "611fd13785dbc71bb89fd401",
    "emailAddress": "developers@vanta.com",
    "displayName": "Alejandro Ocampo"
  },
  "domains": ["BUSINESS_CONTINUITY_&_DISASTER_RECOVERY"]
}
set-owner overwrites any existing owner.
The control ID is wrong. Most often this is because you copied externalId (e.g. BCD-4) instead of id (e.g. database-replication-utilized). Re-run Step 1 and copy id.
The userId is invalid or the user is ineligible — typically because their employment.status is FORMER. Re-fetch with employmentStatusMatchesAny=CURRENT and pick a different user.
Your token has vanta-api.all:read but not vanta-api.all:write. Mint a token with both scopes.
Unassign with null. Pass { "userId": null } to remove the owner without replacing them.

Congratulations

You’ve assigned a Vanta user as the accountable owner of a framework control. That user will now receive notifications and reminders for the control, and the change is captured in your audit log.

Next steps

Offboard people

Reassign every control owned by a departing teammate before you remove them.

Subscribe to webhooks

React in real time when ownership or control status changes.

Try it in Postman

Import the collection and run set-owner against a sandbox in seconds.

Manage Vanta API reference

Browse every Manage Vanta endpoint — controls, tests, documents, people.