The Auditor API is for audit firms conducting audits of their customers’ Vanta tenants. Use it to list active audits, pull controls and evidence, manage information requests, and review the resources, personnel, and monitored computers in scope for each engagement.

Who is this API for?

This API is for registered Vanta Audit Partners — audit firms running SOC 2, ISO, HIPAA, and other engagements through Vanta. It is not available to Vanta customers automating their own tenant or to ISVs building marketplace integrations.
You are… | Use this API to…
An audit firm / auditor with a Vanta Audit Partner registration | List your active audits, pull controls and evidence, create and respond to information requests, and feed audit data into your own audit-management tooling.
Don’t see the Auditor API option in your Vanta navigation? Your firm needs to be set up as a Vanta Audit Partner first — contact your Vanta representative.

When to use this API

Reach for Auditor endpoints when you want to:
  • List and inspect audits assigned to your firm — pull controls, framework codes, in-scope people, and monitored computers.
  • Manage information requests (IRs) programmatically — create custom IRs, accept or flag evidence, comment on items, and share the IR list with the customer.
  • Pull evidence attached to audits and IRs into your own review workflow or audit-management platform.
  • Create custom controls and evidence requests that supplement Vanta’s built-in audit scaffolding.
New to the API? Walk through the Conduct an Audit quickstart to register an auditor application, get an access token, and list your first audit.

Authentication

Auditor applications use the client credentials OAuth flow. Create an application from the Auditor API section of the Vanta app (visible only to registered audit partners), then exchange your client_id and client_secret for an access_token. See the Conduct an Audit quickstart for the full flow, including token expiration and rotation.

Scopes

Scope | Grants
auditor-api.audit:read | GET access to the audit endpoints.
auditor-api.audit:write | Write access to the audit endpoints (create custom controls, manage IRs, accept evidence, etc.).
auditor-api.auditor:read | GET access to the auditor endpoints.
auditor-api.auditor:write | Write access to the auditor endpoints.
Request only the scopes your tool needs.

Base URL

Use https://api.vanta.com, or https://api.vanta-gov.com if you’re on Vanta Gov. See Base URLs for details.

Pagination

List endpoints use cursor-based pagination via the pageSize and pageCursor query parameters. To page through results:
  1. Make the initial request, optionally setting pageSize (defaults vary by endpoint).
  2. Check results.pageInfo.hasNextPage in the response.
  3. If true, pass results.pageInfo.endCursor as the pageCursor in your next request.
  4. Repeat until hasNextPage is false.
Responses are wrapped as:
{
  "results": {
    "data": [ /* ... */ ],
    "pageInfo": {
      "endCursor": "...",
      "hasNextPage": true,
      "hasPreviousPage": false,
      "startCursor": "..."
    }
  }
}

Rate limits

Endpoint group | Limit
All POST or PATCH requests | 10 / minute
Audit sampling endpoints | 10 / minute
List audit evidence URLs | 600 / minute
All other endpoints (default) | 250 / minute
OAuth (/oauth/token) | 5 / minute
Exceeding a limit returns 429 Too Many Requests. Back off and retry after a short delay.
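
The cursor loop from the Pagination section combined with the 429 handling from Rate limits, as an added Python example (not Vanta's own code or SDK). fetch_page is a hypothetical caller-supplied function that performs the authenticated GET and returns (status_code, parsed_body); the exponential backoff schedule and the repeated-cursor guard are assumptions rather than documented API behaviour, and make_fake_fetch is a constructed in-memory stand-in so the block runs offline.

```python
import time

class RateLimited(Exception):
    """429 responses persisted past the retry budget."""

def iter_results(fetch_page, page_size=None, max_retries=5, base_delay=1.0,
                 sleep=time.sleep):
    """Yield every item from a cursor-paginated list endpoint. fetch_page(params)
    is a hypothetical transport returning (status_code, parsed_json_body)."""
    cursor, seen = None, set()
    while True:
        params = {}
        if page_size is not None:
            params["pageSize"] = page_size
        if cursor is not None:
            params["pageCursor"] = cursor
        for attempt in range(max_retries + 1):
            status, body = fetch_page(params)
            if status != 429:
                break
            if attempt == max_retries:
                raise RateLimited(f"still 429 after {max_retries} retries")
            sleep(base_delay * 2 ** attempt)  # assumed schedule: 1s, 2s, 4s, ...
        if status != 200:
            raise RuntimeError(f"unexpected HTTP status {status}")
        results = body["results"]
        yield from results["data"]
        info = results["pageInfo"]
        if not info["hasNextPage"]:
            return
        cursor = info["endCursor"]
        if cursor in seen:  # guard: a repeated cursor would loop forever
            raise RuntimeError("endCursor repeated; aborting pagination")
        seen.add(cursor)

def make_fake_fetch():
    """Constructed in-memory stand-in: three pages, one 429 before page two."""
    pages = {None: (["a1", "a2"], "c1"), "c1": (["a3"], "c2"), "c2": (["a4"], None)}
    calls = []
    def fetch(params):
        calls.append(dict(params))
        cur = params.get("pageCursor")
        if cur == "c1" and [c.get("pageCursor") for c in calls].count("c1") == 1:
            return 429, {}
        data, nxt = pages[cur]
        return 200, {"results": {"data": data, "pageInfo": {
            "endCursor": nxt, "hasNextPage": nxt is not None}}}
    return fetch, calls
```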

Common workflows

Conduct an audit

Register an auditor application and pull your first audit data.

List audits

Enumerate the audits assigned to your firm.

Manage information requests

Create, update, and accept evidence on IRs.

Review audit evidence

Pull evidence attached to controls and IRs.

Tools

Postman Collection

Import the collection to explore endpoints quickly.

SDKs

Official client libraries for the Vanta API.