> ## Documentation Index
> Fetch the complete documentation index at: https://developer.vanta.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Accept evidence for an information request

> Accepts evidence for an information request, confirming that all submitted evidence
meets audit requirements. This action changes the request's approvalStatus to
an approved state and creates an activity log entry.

Acceptance workflow:
1. Auditor reviews submitted evidence
2. If evidence is satisfactory, auditor calls this endpoint
3. Request status changes to approved state and is considered complete for this audit cycle

Use this endpoint when:
- All required evidence has been submitted
- Evidence quality meets audit standards
- Evidence addresses all specified framework codes
- No additional information is needed

Rate limit: 50 requests / minute.



## OpenAPI

````yaml https://spec.speakeasy.com/vanta/vanta/conduct-an-audit-with-code-samples post /audits/{auditId}/information-requests/{requestId}/accept-evidence
openapi: 3.0.0
info:
  title: Conduct an audit
  version: 1.0.0
  description: >-
    The Auditor API lets audit firms conduct audits from a tool outside of
    Vanta. Unlock data syncing with Vanta through this API.


    **Note for Vanta Gov (FedRAMP) customers:** Select `Vanta Gov (FedRAMP)`
    from the server dropdown to issue requests against
    `https://api.vanta-gov.com`. The OAuth token URL shown below defaults to the
    commercial host — replace it with `https://api.vanta-gov.com/oauth/token`.
  termsOfService: https://www.vanta.com/terms
  license:
    name: UNLICENSED
  contact:
    name: API Support
    url: https://help.vanta.com/
    email: support@vanta.com
servers:
  - url: https://api.vanta.com/v1
    description: Vanta (Commercial)
  - url: https://api.vanta-gov.com/v1
    description: Vanta Gov (FedRAMP)
security: []
paths:
  /audits/{auditId}/information-requests/{requestId}/accept-evidence:
    post:
      tags:
        - Audits
      summary: Accept evidence for an information request
      description: >-
        Accepts evidence for an information request, confirming that all
        submitted evidence

        meets audit requirements. This action changes the request's
        approvalStatus to

        an approved state and creates an activity log entry.


        Acceptance workflow:

        1. Auditor reviews submitted evidence

        2. If evidence is satisfactory, auditor calls this endpoint

        3. Request status changes to approved state and is considered complete
        for this audit cycle


        Use this endpoint when:

        - All required evidence has been submitted

        - Evidence quality meets audit standards

        - Evidence addresses all specified framework codes

        - No additional information is needed


        Rate limit: 50 requests / minute.
      operationId: AcceptInformationRequestEvidence
      parameters:
        - in: path
          name: auditId
          required: true
          schema:
            type: string
        - in: path
          name: requestId
          required: true
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/AcceptInformationRequestEvidenceInput'
      responses:
        '200':
          description: Ok
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/InformationRequest'
              examples:
                Example 1:
                  value:
                    id: 6890e473dce1da5d8406f5e7
                    uniqueId: '1466132'
                    additionalControlIds: []
                    approvalStatus: NEEDS_EVIDENCE
                    cadence: ANNUALLY
                    frameworkCodes:
                      - SOC2_CC6.1
                    description: >-
                      Provide the data deletion evidence for a sample of
                      terminated customers
                    dueDate: '2025-10-28T00:00:00.000Z'
                    evidenceCaptureDate: '2025-10-28T00:00:00.000Z'
                    requestId: null
                    requestType: SAMPLE
                    title: Terminated Customer Deletion Evidence
                    creationDate: '2025-08-01T12:34:56.000Z'
                    modificationDate: '2025-08-02T08:00:00.000Z'
                    deletionDate: null
                    ownerAssignment:
                      type: user
                      id: 507f1f77bcf86cd799439011
                      displayName: John Doe
      security:
        - bearerAuth: []
      x-codeSamples:
        - lang: typescript
          label: AcceptInformationRequestEvidence
          source: |-
            import { Vanta } from "vanta-auditor-api-sdk";

            const vanta = new Vanta({
              bearerAuth: process.env["VANTA_BEARER_AUTH"] ?? "",
            });

            async function run() {
              const result = await vanta.audits.acceptInformationRequestEvidence({
                auditId: "<id>",
                requestId: "<id>",
                acceptInformationRequestEvidenceInput: {
                  auditorEmail: "<value>",
                },
              });

              console.log(result);
            }

            run();
        - lang: java
          label: AcceptInformationRequestEvidence
          source: >-
            package hello.world;


            import com.vanta.vanta_auditor_api.Vanta;

            import
            com.vanta.vanta_auditor_api.models.components.AcceptInformationRequestEvidenceInput;

            import
            com.vanta.vanta_auditor_api.models.operations.AcceptInformationRequestEvidenceResponse;

            import java.lang.Exception;


            public class Application {

                public static void main(String[] args) throws Exception {

                    Vanta sdk = Vanta.builder()
                            .bearerAuth(System.getenv().getOrDefault("BEARER_AUTH", ""))
                        .build();

                    AcceptInformationRequestEvidenceResponse res = sdk.audits().acceptInformationRequestEvidence()
                            .auditId("<id>")
                            .requestId("<id>")
                            .acceptInformationRequestEvidenceInput(AcceptInformationRequestEvidenceInput.builder()
                                .auditorEmail("<value>")
                                .build())
                            .call();

                    if (res.informationRequest().isPresent()) {
                        System.out.println(res.informationRequest().get());
                    }
                }
            }
components:
  schemas:
    AcceptInformationRequestEvidenceInput:
      description: |-
        Input for accepting evidence on an information request, indicating that
        the submitted evidence meets requirements. This changes the request's
        approvalStatus to an approved state and creates an activity log entry.
      properties:
        auditorEmail:
          type: string
          description: >-
            Email of the auditor accepting the evidence.

            Must match an existing Vanta user who belongs to the audit firm
            making the API request.
      required:
        - auditorEmail
      type: object
      additionalProperties: false
    InformationRequest:
      description: >-
        Information Request resource representing a single request for audit
        evidence from a customer.


        An information request is created by an auditor and shared with the
        customer organization.

        The customer then uploads evidence, which the auditor reviews and either
        approves or flags

        for issues.
      properties:
        id:
          type: string
          description: >-
            The unique identifier for the information request within Vanta's
            system.

            This is the primary identifier used in all API endpoints.

            Format: ObjectId as a string (e.g., "6890e473dce1da5d8406f5e7")
        uniqueId:
          type: string
          description: >-
            External unique ID to prevent duplicates across different audit
            systems.

            Used for idempotency when syncing data between external audit
            management

            systems and Vanta. Unlike `id`, this value is provided by the
            external system.
        additionalControlIds:
          items:
            type: string
          type: array
          description: >-
            Additional control IDs beyond those automatically mapped from
            framework codes.

            Allows manual association with specific controls when automatic
            mapping

            is insufficient. Each ID should reference a valid control in your
            audit framework.
        approvalStatus:
          $ref: '#/components/schemas/InformationRequestApprovalStatus'
          description: >-
            Current approval status tracking the request's lifecycle through
            evidence

            submission and auditor review.
        cadence:
          allOf:
            - $ref: '#/components/schemas/InformationRequestCadence'
          nullable: true
          description: >-
            How frequently this information request recurs (e.g., annual
            password

            policy reviews). Null for one-time requests.
        frameworkCodes:
          items:
            type: string
          type: array
          description: >-
            The framework codes this request addresses.

            Links the request to specific compliance requirements. Can be an
            empty array

            if no framework codes are associated. These codes correspond to
            standards like SOC 2, ISO 27001, etc.
        description:
          type: string
          nullable: true
          description: >-
            Detailed description explaining what evidence is needed and why.

            Should provide clear instructions to help the customer understand
            what

            to submit.
        dueDate:
          type: string
          format: date-time
          nullable: true
          description: |-
            The deadline by which the customer must fulfill this request.
            Null if no specific deadline is set. Format: ISO 8601 UTC timestamp.
        evidenceCaptureDate:
          type: string
          format: date-time
          nullable: true
          description: |-
            The earliest date for which evidence should be captured.
            Evidence dated before this date may not be accepted.
            Null if not restricted. Format: ISO 8601 UTC timestamp.
        requestId:
          type: string
          nullable: true
          description: >-
            Non-unique external reference ID for this request.

            Unlike `uniqueId` which must be unique, `requestId` is for
            display/reference

            purposes only (e.g., "REQ-123"). Null if not provided.
        requestType:
          $ref: '#/components/schemas/InformationRequestType'
          description: Defines the scope of evidence required.
        title:
          type: string
          description: Short, descriptive title summarizing what is being requested.
        creationDate:
          type: string
          format: date-time
          description: |-
            Timestamp when the request was created in the system.
            Format: ISO 8601 UTC timestamp.
        modificationDate:
          type: string
          format: date-time
          description: |-
            Timestamp when the request was last modified.
            Format: ISO 8601 UTC timestamp.
        deletionDate:
          type: string
          format: date-time
          nullable: true
          description: >-
            Timestamp when the request was soft-deleted. Null if the request has
            not

            been deleted. Soft deletes allow retaining history while hiding the
            request

            from normal operations.

            Format: ISO 8601 UTC timestamp.
        ownerAssignment:
          allOf:
            - $ref: '#/components/schemas/ResourceOwner'
          nullable: true
          description: |-
            Resource owner (user or team) assigned to this information request.
            Returns null if no resource owner is assigned.
      required:
        - id
        - uniqueId
        - additionalControlIds
        - approvalStatus
        - cadence
        - frameworkCodes
        - description
        - dueDate
        - evidenceCaptureDate
        - requestId
        - requestType
        - title
        - creationDate
        - modificationDate
        - deletionDate
        - ownerAssignment
      type: object
      additionalProperties: false
    InformationRequestApprovalStatus:
      type: string
      enum:
        - NEEDS_EVIDENCE
        - READY_FOR_AUDIT
        - AUDITOR_APPROVED
        - AUDITOR_FLAGGED
      description: >-
        Current approval status of the information request, tracking its
        lifecycle through the audit process.


        The status progresses through the workflow: initial state → awaiting
        review → approved or flagged.

        Status can move between awaiting review and flagged states as evidence
        is reviewed and resubmitted.
    InformationRequestCadence:
      type: string
      enum:
        - ANNUALLY
        - BIANNUALLY
        - MONTHLY
        - QUARTERLY
      description: >-
        Frequency cadence for the information request, indicating how often it
        recurs.
    InformationRequestType:
      type: string
      enum:
        - POINT_IN_TIME
        - POPULATION
        - SAMPLE
      description: >-
        Type of information request, defining what scope of evidence is needed.


        - POINT_IN_TIME: Evidence for a specific moment (e.g., current state of
        a policy)

        - POPULATION: Evidence covering all items in a category (e.g., all
        employees)

        - SAMPLE: Evidence for a representative sample (e.g., 10 random customer
        records)
    ResourceOwner:
      anyOf:
        - properties:
            displayName:
              type: string
            id:
              type: string
            type:
              type: string
              enum:
                - user
              nullable: false
          required:
            - displayName
            - id
            - type
          type: object
        - properties:
            displayName:
              type: string
            id:
              type: string
            type:
              type: string
              enum:
                - team
              nullable: false
          required:
            - displayName
            - id
            - type
          type: object
      description: Represents either a user or a team owning a resource.
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer

````