Skip to main content
Subscribe to stay up to date on changes to the Vanta API and developer documentation — new endpoints, breaking changes, and release notes. Subscribe via RSS.
2026-07-10
Manage Vanta APINew

Vendor assessments API is now GA

GET /v1/vendors/{vendorId}/assessments and GET /v1/vendors/{vendorId}/assessments/{assessmentId} are now generally available. Both responses include the assessment-level owner (id, type, displayName, email), so you can attribute assessments to users or teams without a second lookup. See the Manage Vanta API reference.
2026-07-10
Manage Vanta APINew

List deactivated controls

A new GET /v1/controls/deactivated-controls endpoint returns paginated deactivated controls with a dedicated, clearly named path. GET /v1/controls/controls-library will be deprecated in a future release — migrate to the new endpoint when you can. See the Manage Vanta API reference.
2026-07-10
WebhooksUpdated

Clearer webhook reference for information requests and evidence

The webhooks reference now covers the full partner-visible status set, lifecycle, and payload shape for v1.information-request.* events, and clarifies that evidence.created and evidence.deleted fire once per piece of evidence. The v1.evidence.status-changed example has been corrected to a real NOT_READY_FOR_AUDIT → READY_FOR_AUDIT transition; INITIALIZED is not emitted to partners as a creation signal.
2026-07-10
Auditor APIFixed

404 on writes to soft-deleted comments

The following endpoints now return 404 when the target comment has already been soft-deleted, instead of 200 or 422:
  • PATCH /audits/{auditId}/controls/{controlId}/comments/{commentId}
  • PATCH /audits/{auditId}/information-requests/{informationRequestId}/comments/{commentId}
  • DELETE /audits/{auditId}/information-requests/{informationRequestId}/comments/{commentId}
Partners reconciling via changedSinceDate now see a consistent not-found response for deleted comments. See the Audits API reference.
2026-07-03
Manage Vanta APINew

Trust Center compliance frameworks

New endpoints let you manage the compliance frameworks shown on your Trust Center: list, create, update, and delete frameworks, plus upload a badge image for each framework. See the Manage Vanta API reference.
2026-07-03
Manage Vanta APINew

Trust Center chatbot conversations

Two new endpoints let you read Trust Center chatbot activity: GET /trust-centers/{slugId}/chatbot/conversations lists conversations and GET /trust-centers/{slugId}/chatbot/conversations/{conversationId} returns the messages in a conversation. Useful for surfacing chatbot activity in your own analytics or support tooling.
2026-07-03
Manage Vanta APINew

Bulk operations on Trust Center controls

New endpoints make it easier to manage Trust Center controls at scale:
  • Bulk add tags to Trust Center controls
  • Bulk remove tags from Trust Center controls
  • Bulk edit controls in a category
  • Reorder controls within a Trust Center control category
  • Reorder Trust Center control categories
2026-07-03
Manage Vanta APINew

More Trust Center customization endpoints

Additional endpoints round out Trust Center management:
  • List and set the data collected shown on your Trust Center
  • Upload a Trust Center favicon
  • Set Trust Center videos
  • Send a Trust Center viewer invite reminder
  • Full CRUD for Trust Center FAQ categories (add, update, delete)
2026-07-03
Manage Vanta APINew

Create data deletion requests

A new POST /customer-trust/deletion-requests endpoint lets you create a data deletion request from your own systems — useful for automating privacy workflows triggered by your app.
2026-07-03
Manage Vanta APINew

Issues API

Two new endpoints expose your Vanta issues: GET /issues lists issues and GET /issues/{issueId} returns a single issue. Use them to sync issues into your ticketing system or dashboards. See the Manage Vanta API reference.
2026-07-03
WebhooksNew

Control domain for webhooks

Webhook events now include a Control domain covering audit control comment events. Like the Information Request and Evidence domains, Control events are auditor-specific and are only delivered to Audit Partner accounts during an active audit engagement. See the Webhooks overview.
2026-07-03
Auditor APINew

Audit control comments API

Auditors can now create, update, and delete comments on a control during an audit:
  • POST /audits/{auditId}/controls/{controlId}/comments
  • PATCH /audits/{auditId}/controls/{controlId}/comments/{commentId}
  • DELETE /audits/{auditId}/controls/{controlId}/comments/{commentId}
These complement the existing GET list endpoint and are delivered only to Audit Partner accounts during an active audit engagement. See the Audits API reference.
2026-07-03
Auditor APINew

Audit integrations and organization endpoints

Three new read endpoints give auditors more context during an engagement:
  • GET /audits/{auditId}/integrations — integrations connected for the audit
  • GET /audits/{auditId}/organization/information — the audited organization’s information
  • GET /audits/{auditId}/organization/notifications — the organization’s notification settings
Available only to Audit Partner accounts during an active audit engagement. See the Audits API reference.
2026-07-03
Manage Vanta APIUpdated

Assessment type and owner on security reviews

GET /v1/vendors/{vendorId}/security-reviews responses now include assessmentType and owner (id, type, displayName, email). owner is null when unassigned; email is populated for user owners and null for team owners.
2026-07-03
Auditor APIUpdated

Audit duplication trail on information request history

Information request history activities now include two new fields: sourceInformationRequestId (the request this one was copied from) and sourceAuditId (the audit it was duplicated from). Both are populated only for audit-duplication activities and null otherwise. See the Audits API reference.
2026-07-03
Manage Vanta APIUpdated

New event log actions

The event log reference adds UNDELETE_PROGRAM_SEGMENT and REMOVE_DATA_SUBJECT_REQUEST_RELATIONSHIP_OPTION to the list of action types. PROVIDE_JUSTIFICATION_FOR_AUDIT_CONTROL_ASSESSMENT was removed.
2026-07-03
Auditor APIBreaking

Integration category and tag enums renamed

On the audit integrations endpoint, two schemas were renamed to match how the fields are described in the API:
  • AuditIntegrationCategoryAuditIntegrationTag (values like ACCESS, COMPUTERS)
  • AuditIntegrationServiceCategoryAuditIntegrationCategory (values like CLOUD_PROVIDER, HR_PROVIDER)
The tagsMatchesAny and categoriesMatchesAny query parameters are unchanged. Update generated clients that reference the old schema names.
2026-07-03
Manage Vanta APIBreaking

Issue sort field values changed to camelCase

IssueSortField enum values on the Issues endpoints changed from DUE_DATE, CREATED_AT, DETECTED_AT, LAST_MODIFIED_AT, STATUS, SEVERITY to dueDate, createdDate, detectedDate, lastModifiedDate, status, severity. Update any clients that hardcoded the old values.
2026-07-03
Manage Vanta APIBreaking

Vendor accountManagerEmail max length reduced

The maxLength on the Vendor accountManagerEmail field was reduced from 2000 to 100 characters. Requests with longer values will be rejected.
2026-07-03
Manage Vanta APIFixed

Issue detectedDate is now non-nullable

The detectedDate field on issue responses is no longer marked nullable in the OpenAPI spec. Every issue has a detected timestamp.
2026-06-19
Manage Vanta APINew

Manage controls on risk scenarios

New endpoints let you link and manage controls on a risk scenario:
  • GET /risk-scenarios/{riskScenarioId}/controls — list a scenario’s controls
  • POST /risk-scenarios/{riskScenarioId}/controls — add a control to a scenario
  • PATCH /risk-scenarios/{riskScenarioId}/controls/{controlId} — change a control’s controlType
  • DELETE /risk-scenarios/{riskScenarioId}/controls/{controlId} — remove a control from a scenario
See the Manage Vanta API reference.
2026-06-05
Manage Vanta APINew

Trust Center resource categories

Five new endpoints let you organize Trust Center resources into categories: list, add, reorder, update, and delete. Use them to model the same category structure customers see in your Trust Center. See the Manage Vanta API reference.
2026-06-05
Manage Vanta APINew

Update Trust Center viewers

A new PATCH /trust-centers/{slugId}/viewers/{viewerId} endpoint updates a viewer’s access on a Trust Center without removing and re-adding them.
2026-06-05
Manage Vanta APINew

Trust Center FAQ category on responses

Trust Center FAQ endpoints now return the FAQ’s category (id and name) so you can group FAQs in your own UI.
2026-06-05
Auditor APIUpdated

Richer test snapshot evidence

The test-snapshot evidence detail endpoint now returns two new fields. apiRequests lists HTTP requests captured during API introspection tests. outOfScopeResources lists resources excluded at the test level (customer-disabled) and the framework level (segment configuration). See the Audits API reference.
2026-06-05
Auditor APIUpdated

More filters on audit issues

GET /audits/{auditId}/issues/items now accepts createdAfterDate, createdBeforeDate, detectedAfterDate, and detectedBeforeDate query parameters, and orderBy now accepts detectedAt.
2026-06-05
Auditor APIUpdated

Code changes date filter rename

The startDate and endDate query parameters on GET /audits/{auditId}/assets/code-changes were renamed to closedAfterDate and closedBeforeDate for consistency with other Auditor API endpoints. Update any clients that hardcoded the old names.
2026-06-05
Manage Vanta APIUpdated

More event log actions and targets

The event log reference now lists new action types covering Trust Center FAQ and resource categories, program segments, risk register updates, subscription renewals, in-app purchases, and Trust Center viewer reminders. It also adds three new target types: TRUST_CENTER_FAQ_CATEGORY, TRUST_CENTER_RESOURCE_CATEGORY, and QUESTIONNAIRE_AUTOMATION.
2026-06-05
Auditor APIDeprecated

Legacy Auditor API list endpoints

The following endpoints are deprecated and at end of life. They work for legacy audits only and do not support controlled audit view. They remain available for existing legacy audits for now, but will be removed once legacy audits are fully phased out — don’t build new integrations on them.
  • GET /audits/{auditId}/monitored-computers
  • GET /audits/{auditId}/people
  • GET /audits/{auditId}/vendors
  • GET /audits/{auditId}/vulnerabilities
  • GET /audits/{auditId}/vulnerability-remediations
  • GET /audits/{auditId}/vulnerable-assets
For audits in controlled audit view, this data is served by separate endpoints (personnel/people for people, personnel/computers for monitored computers, and managed-vendors for vendors). These are not drop-in replacements: which endpoint you use depends on whether the audit is in controlled audit view.
2026-05-22
Auditor APINew

Code changes population for auditors

A new GET /audits/{auditId}/assets/code-changes endpoint returns the pull requests visible to auditors during an audit engagement. Each record includes the PR title, identifier, repository, source (GitHub, GitLab, Bitbucket, or Azure DevOps), and opened/closed dates. Supports search, source filtering, date-range filtering, and cursor pagination. See the Audits API reference.
2026-05-08
Manage Vanta APINew

Event logs API

A new GET /event-logs endpoint lets you list audit events from your Vanta account, including the actor, date, and event type. Useful for streaming activity into your SIEM or building custom audit trails. See the Manage Vanta API reference.
2026-05-08
Auditor APINew

Audit issue snapshots

Two new endpoints surface the issues an auditor sees during an audit: list snapshotted issues and list audit snapshots. See the Audits API reference.
2026-05-08
Auditor APINew

Test snapshot evidence detail

A new endpoint returns rich detail for a single test-snapshot evidence row attached to an information request, including test metadata, integrations, SLA remediation policy, and the raw test data captured at snapshot time. See the Audits API reference.
2026-05-08
Manage Vanta APIUpdated

Trust Center categories on Knowledge Base resources

Knowledge Base resource endpoints now include a categoryId field, so you can read and set the Trust Center category a resource is filed under when creating or updating webpage and document resources. Pass null to keep a resource uncategorized. Only valid for REQUEST_ACCESS and PUBLIC resources.
2026-05-08
Manage Vanta APIUpdated

Identification date on risk scenarios

Risk scenario responses now include identificationDate, matching the “Identified Date” field in the Vanta UI. The value defaults to the scenario’s creation time when not explicitly set.
2026-05-08
Manage Vanta APIUpdated

Stricter validation for Knowledge Base webpage resources

Webpage resource title now requires at least one character, and url is validated as a URI. Existing valid payloads are unaffected.
2026-05-04

Welcome to the Vanta developer changelog

Future updates to the Vanta API and developer documentation will be listed here.