Skip to main content
POST
/
audits
/
{auditId}
/
controls
/
{controlId}
/
comments
TypeScript
import { Vanta } from "vanta-auditor-api-sdk";

const vanta = new Vanta({
  bearerAuth: process.env["VANTA_BEARER_AUTH"] ?? "",
});

async function run() {
  const result = await vanta.audits.createCommentForControl({
    auditId: "<id>",
    controlId: "<id>",
    addAuditControlCommentInput: {
      text: "<value>",
      email: "Justice.Konopelski@hotmail.com",
      creationDate: new Date("2024-04-23T18:18:35.232Z"),
    },
  });

  console.log(result);
}

run();
{
  "id": "65fc81a3359c8508c9af880f",
  "text": "Some comment",
  "creationDate": "2024-03-07T21:25:56.000Z",
  "modificationDate": "2024-03-07T21:25:56.000Z",
  "deletionDate": "2024-03-07T21:25:56.000Z",
  "email": "vlad@vantaroo.com",
  "authorName": "Vlad Vantaroo"
}

Authorizations

Authorization
string
header
required

Bearer authentication header of the form Bearer <token>, where <token> is your auth token.

Path Parameters

auditId
string
required
controlId
string
required

Body

application/json

Comments enable auditors and customers to collaborate on a control within an audit. All comments are immediately visible to authorized parties once created.

text
string
required

The text content of the comment. Must be at least 1 character. Can include questions, clarifications, or explanations related to the control.

email
string
required

Email address of the comment author. Must match an existing Vanta user who belongs to the audit firm making the API request. This email uniquely identifies the author across systems.

creationDate
string<date-time>
required

Timestamp when the comment was created in the external audit management system. This allows synchronizing comment timestamps from external systems. Format: ISO 8601 UTC timestamp.

Response

200 - application/json

Ok

A comment on a control within an audit. These threaded discussions let auditors and customers collaborate on a specific control — asking questions, documenting reasoning, or recording follow-ups — directly against the control being assessed.

Audit control comments are scoped to a single audit engagement and are distinct from any organization-internal control comments.

id
string
required

The unique identifier for the comment within Vanta's system. Format: ObjectId as a string (e.g., "6890e473dce1da5d8406f5e7").

text
string
required

The comment message content. Can include explanations, questions, or clarifications about the control.

creationDate
string<date-time>
required

Timestamp when the comment was created. Format: ISO 8601 UTC timestamp.

modificationDate
string<date-time> | null
required

Timestamp when the comment was last edited. Null if the comment has never been modified. Format: ISO 8601 UTC timestamp.

deletionDate
string<date-time> | null
required

Timestamp when the comment was soft-deleted. Null if the comment has not been deleted. Soft deletes retain the comment for audit history while hiding it from normal operations. Format: ISO 8601 UTC timestamp.

email
string | null
required

Email address of the comment author. This email uniquely identifies users between Vanta and external audit systems. Null when the comment author can't be matched to a Vanta user.

authorName
string | null
required

Human-readable display name of the comment author. Null if the author's name is not available (e.g., user was deleted). This enables correct author attribution in integrations where users cannot be reliably matched across systems by email alone.