Vanta exposes three APIs, each with its own audience, auth flow, and scopes. Pick the one that matches what you’re building — every API-specific detail (scopes, pagination, rate limits, workflows) lives in its overview.
Manage Vanta
Automate your own Vanta tenant — controls, documents, vendors, personnel, tests.
Build Integrations
Push data into customer Vanta tenants — for marketplace partners and private connectors.
Conduct an Audit
For Vanta Audit Partners — pull audit data and manage information requests.
New to the API? Start with a quickstart to get authenticated and make your first call.
Base URLs
Use the base URL that matches your Vanta instance. Most customers use https://api.vanta.com. If you use Vanta Government Cloud you must use the Vanta Gov base URL.
| Product | Base URL |
|---|---|
| Vanta | https://api.vanta.com |
| Vanta Government Cloud | https://api.vanta-gov.com |
Authentication
All requests require an Authorization: Bearer <access_token> header, with the access token obtained via OAuth 2.0. For a deeper dive, see the authentication documentation.
An access_token stays active for one hour. Requesting a new token with the same client_id and client_secret returns a fresh token before the hour is up.
Vanta only allows a single active access_token per Application. Requesting a new access_token with the same client_id and client_secret immediately revokes the previous one, and any in-flight requests using the old token will fail with a 401.
Requests to the token endpoint (/oauth/token) are limited to 5 requests / minute across all APIs.
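Because a second token request revokes the first, concurrent workers of one Application have to share a single token instead of each calling /oauth/token. The following is an added example, not Vanta's code or SDK: a thread-safe cache that refreshes only near expiry or after a 401 on the current token, and enforces the 5 requests / minute budget locally. `fetch_token` is a hypothetical caller-supplied function that performs the OAuth 2.0 request and returns the access_token string; `refresh_margin` is an assumed value.

```python
import threading
import time
from collections import deque

TOKEN_TTL = 3600.0     # page: an access_token stays active for one hour
MAX_TOKEN_CALLS = 5    # page: /oauth/token is limited to 5 requests / minute
WINDOW = 60.0


class SingleTokenCache:
    """Holds the one active access_token of an Application for all workers."""

    def __init__(self, fetch_token, clock=time.monotonic, refresh_margin=300.0):
        self._fetch = fetch_token      # hypothetical: calls /oauth/token
        self._clock = clock
        self._margin = refresh_margin  # assumed: refresh this long before expiry
        self._lock = threading.Lock()  # serializes refreshes across threads
        self._token = None
        self._expires_at = 0.0
        self._calls = deque()          # timestamps of recent token requests

    def get(self):
        """Return the cached token, requesting a new one only near expiry."""
        with self._lock:
            if self._token is None or self._clock() >= self._expires_at - self._margin:
                self._refresh()
            return self._token

    def on_401(self, failed_token):
        """Call after a 401. Refresh only if failed_token is still the cached
        one; if another worker already rotated it, reuse that worker's token,
        since a second refresh would revoke it."""
        with self._lock:
            if failed_token == self._token:
                self._refresh()
            return self._token

    def _refresh(self):
        now = self._clock()
        while self._calls and now - self._calls[0] >= WINDOW:
            self._calls.popleft()
        if len(self._calls) >= MAX_TOKEN_CALLS:
            raise RuntimeError("local token-request budget exhausted; retry later")
        self._calls.append(now)        # counted even if the request then fails
        self._token = self._fetch()
        self._expires_at = self._clock() + TOKEN_TTL
```

A worker that receives a 401 passes the token it used to `on_401` and retries once with the returned value; the cache only covers one process, so separate processes or hosts need a shared store for the token.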
Scopes
Each API exposes its own set of scopes. Requesting a scope that doesn’t match your application type returns an invalid_scope error.
See the scope tables in each API’s overview:
Versioning
The Vanta API does not officially support versioning. All requests target a single API surface at https://api.vanta.com.
Vanta does not introduce breaking changes to existing endpoints — that includes removing or renaming fields, changing field types, altering the meaning of existing values, or adding new required parameters. All API changes are strictly additive: new endpoints, new optional parameters, and new response fields.
Clients should be written to tolerate the addition of new fields. Any deprecations will be announced in advance via the Changelog.
Error codes
The API uses standard HTTP status codes to signal success or failure. Error responses include a JSON body with a message field describing the problem.
| Code | Meaning |
|---|---|
| 200 / 201 | Success |
| 400 | Bad request — malformed params or wrong types |
| 401 | Unauthorized — missing or invalid auth header |
| 403 | Forbidden — authenticated but not allowed |
| 404 | Not found — resource or endpoint doesn’t exist |
| 422 | Unprocessable entity — semantically invalid request |
| 429 | Too many requests — rate limit exceeded |
| 500 | Internal server error |
| 503 / 504 | Timeout |
- Manage Vanta: rate limits · pagination
- Build Integrations: rate limits · pagination
- Auditor API: rate limits · pagination
Tools and SDKs
Postman Collection
Import the collection to explore endpoints quickly.
MCP Server
Connect AI assistants to the Vanta API via Model Context Protocol.
SDKs
Official client libraries for the Vanta API.
Webhooks
Subscribe to events and receive real-time updates.