> ## Documentation Index
> Fetch the complete documentation index at: https://developer.vanta.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Vanta API changelog

> Recent updates to the Vanta API and developer documentation — new endpoints, breaking changes, and release notes.

Subscribe to stay up to date on changes to the Vanta API and developer
documentation — new endpoints, breaking changes, and release notes. [Subscribe via RSS](https://developer.vanta.com/docs/changelog/rss.xml).

<Update
  label="2026-07-10"
  tags={["Manage Vanta API", "New"]}
  rss={{
title: "Vendor assessments API is now GA",
description: "GET /v1/vendors/{vendorId}/assessments and GET /v1/vendors/{vendorId}/assessments/{assessmentId} are now publicly available and return each assessment's owner."
}}
>
  ### Vendor assessments API is now GA

  `GET /v1/vendors/{vendorId}/assessments` and `GET /v1/vendors/{vendorId}/assessments/{assessmentId}` are now generally available. Both responses include the assessment-level `owner` (`id`, `type`, `displayName`, `email`), so you can attribute assessments to users or teams without a second lookup. See the [Manage Vanta API reference](/reference/manage-vanta/overview).
</Update>

<Update
  label="2026-07-10"
  tags={["Manage Vanta API", "New"]}
  rss={{
title: "List deactivated controls",
description: "New GET /v1/controls/deactivated-controls endpoint returns paginated deactivated controls. GET /v1/controls/controls-library will be deprecated in a future release."
}}
>
  ### List deactivated controls

  A new `GET /v1/controls/deactivated-controls` endpoint returns paginated deactivated controls with a dedicated, clearly named path. `GET /v1/controls/controls-library` will be deprecated in a future release — migrate to the new endpoint when you can. See the [Manage Vanta API reference](/reference/manage-vanta/overview).
</Update>

<Update
  label="2026-07-10"
  tags={["Webhooks", "Updated"]}
  rss={{
title: "Clearer webhook reference for information requests and evidence",
description: "The developer portal now documents the full lifecycle and payloads for v1.information-request.* and v1.evidence.* events, with a corrected v1.evidence.status-changed example."
}}
>
  ### Clearer webhook reference for information requests and evidence

  The [webhooks reference](/reference/webhooks/overview) now covers the full partner-visible status set, lifecycle, and payload shape for `v1.information-request.*` events, and clarifies that `evidence.created` and `evidence.deleted` fire once per piece of evidence. The `v1.evidence.status-changed` example has been corrected to a real `NOT_READY_FOR_AUDIT → READY_FOR_AUDIT` transition; `INITIALIZED` is not emitted to partners as a creation signal.
</Update>

<Update
  label="2026-07-10"
  tags={["Auditor API", "Fixed"]}
  rss={{
title: "404 on writes to soft-deleted comments",
description: "PATCH on control and IRL comments and DELETE on IRL comments now return 404 when the target comment has already been soft-deleted."
}}
>
  ### 404 on writes to soft-deleted comments

  The following endpoints now return `404` when the target comment has already been soft-deleted, instead of `200` or `422`:

  * `PATCH /audits/{auditId}/controls/{controlId}/comments/{commentId}`
  * `PATCH /audits/{auditId}/information-requests/{informationRequestId}/comments/{commentId}`
  * `DELETE /audits/{auditId}/information-requests/{informationRequestId}/comments/{commentId}`

  Partners reconciling via `changedSinceDate` now see a consistent not-found response for deleted comments. See the [Audits API reference](/reference/audits/overview).
</Update>

<Update
  label="2026-07-03"
  tags={["Manage Vanta API", "New"]}
  rss={{
title: "Trust Center compliance frameworks",
description: "New endpoints let you list, create, update, and delete Trust Center compliance frameworks, plus upload a badge image for each framework."
}}
>
  ### Trust Center compliance frameworks

  New endpoints let you manage the compliance frameworks shown on your Trust Center: list, create, update, and delete frameworks, plus upload a badge image for each framework. See the [Manage Vanta API reference](/reference/manage-vanta/overview).
</Update>

<Update
  label="2026-07-03"
  tags={["Manage Vanta API", "New"]}
  rss={{
title: "Trust Center chatbot conversations",
description: "Two new endpoints list Trust Center chatbot conversations and retrieve the messages in a conversation."
}}
>
  ### Trust Center chatbot conversations

  Two new endpoints let you read Trust Center chatbot activity: `GET /trust-centers/{slugId}/chatbot/conversations` lists conversations and `GET /trust-centers/{slugId}/chatbot/conversations/{conversationId}` returns the messages in a conversation. Useful for surfacing chatbot activity in your own analytics or support tooling.
</Update>

<Update
  label="2026-07-03"
  tags={["Manage Vanta API", "New"]}
  rss={{
title: "Bulk operations on Trust Center controls",
description: "New endpoints bulk add or remove tags on Trust Center controls, bulk edit controls in a category, and reorder controls within a category."
}}
>
  ### Bulk operations on Trust Center controls

  New endpoints make it easier to manage Trust Center controls at scale:

  * Bulk add tags to Trust Center controls
  * Bulk remove tags from Trust Center controls
  * Bulk edit controls in a category
  * Reorder controls within a Trust Center control category
  * Reorder Trust Center control categories
</Update>

<Update
  label="2026-07-03"
  tags={["Manage Vanta API", "New"]}
  rss={{
title: "More Trust Center customization endpoints",
description: "New endpoints list and set Trust Center data collected, upload a favicon, set videos, and send viewer invite reminders."
}}
>
  ### More Trust Center customization endpoints

  Additional endpoints round out Trust Center management:

  * List and set the data collected shown on your Trust Center
  * Upload a Trust Center favicon
  * Set Trust Center videos
  * Send a Trust Center viewer invite reminder
  * Full CRUD for Trust Center FAQ categories (add, update, delete)
</Update>

<Update
  label="2026-07-03"
  tags={["Manage Vanta API", "New"]}
  rss={{
title: "Create data deletion requests",
description: "A new POST /customer-trust/deletion-requests endpoint creates a data deletion request programmatically."
}}
>
  ### Create data deletion requests

  A new `POST /customer-trust/deletion-requests` endpoint lets you create a data deletion request from your own systems — useful for automating privacy workflows triggered by your app.
</Update>

<Update
  label="2026-07-03"
  tags={["Manage Vanta API", "New"]}
  rss={{
title: "Issues API",
description: "New GET /issues and GET /issues/{issueId} endpoints list and retrieve issues from your Vanta account."
}}
>
  ### Issues API

  Two new endpoints expose your Vanta issues: `GET /issues` lists issues and `GET /issues/{issueId}` returns a single issue. Use them to sync issues into your ticketing system or dashboards. See the [Manage Vanta API reference](/reference/manage-vanta/overview).
</Update>

<Update
  label="2026-07-03"
  tags={["Webhooks", "New"]}
  rss={{
title: "Control domain for webhooks",
description: "The webhooks event catalog now includes a Control domain for audit control comment events, delivered to Audit Partner accounts during an active engagement."
}}
>
  ### Control domain for webhooks

  Webhook events now include a **Control** domain covering audit control comment events. Like the **Information Request** and **Evidence** domains, Control events are auditor-specific and are only delivered to [Audit Partner](/reference/audits/overview) accounts during an active audit engagement. See the [Webhooks overview](/reference/webhooks/overview).
</Update>

<Update
  label="2026-07-03"
  tags={["Auditor API", "New"]}
  rss={{
title: "Audit control comments API",
description: "New endpoints let auditors create, update, and delete comments on controls during an audit engagement."
}}
>
  ### Audit control comments API

  Auditors can now create, update, and delete comments on a control during an audit:

  * `POST /audits/{auditId}/controls/{controlId}/comments`
  * `PATCH /audits/{auditId}/controls/{controlId}/comments/{commentId}`
  * `DELETE /audits/{auditId}/controls/{controlId}/comments/{commentId}`

  These complement the existing `GET` list endpoint and are delivered only to Audit Partner accounts during an active audit engagement. See the [Audits API reference](/reference/audits/overview).
</Update>

<Update
  label="2026-07-03"
  tags={["Auditor API", "New"]}
  rss={{
title: "Audit integrations and organization endpoints",
description: "New read endpoints expose an audit's connected integrations and the audited organization's information and notification settings."
}}
>
  ### Audit integrations and organization endpoints

  Three new read endpoints give auditors more context during an engagement:

  * `GET /audits/{auditId}/integrations` — integrations connected for the audit
  * `GET /audits/{auditId}/organization/information` — the audited organization's information
  * `GET /audits/{auditId}/organization/notifications` — the organization's notification settings

  Available only to Audit Partner accounts during an active audit engagement. See the [Audits API reference](/reference/audits/overview).
</Update>

<Update
  label="2026-07-03"
  tags={["Manage Vanta API", "Updated"]}
  rss={{
title: "Assessment type and owner on security reviews",
description: "The security review API response now includes assessmentType and the assessment-level owner (id, type, displayName, email)."
}}
>
  ### Assessment type and owner on security reviews

  `GET /v1/vendors/{vendorId}/security-reviews` responses now include `assessmentType` and `owner` (`id`, `type`, `displayName`, `email`). `owner` is `null` when unassigned; `email` is populated for user owners and `null` for team owners.
</Update>

<Update
  label="2026-07-03"
  tags={["Auditor API", "Updated"]}
  rss={{
title: "Audit duplication trail on information request history",
description: "Information request history activities now include sourceInformationRequestId and sourceAuditId when an audit was duplicated."
}}
>
  ### Audit duplication trail on information request history

  Information request history activities now include two new fields: `sourceInformationRequestId` (the request this one was copied from) and `sourceAuditId` (the audit it was duplicated from). Both are populated only for audit-duplication activities and null otherwise. See the [Audits API reference](/reference/audits/overview).
</Update>

<Update
  label="2026-07-03"
  tags={["Manage Vanta API", "Updated"]}
  rss={{
title: "New event log actions",
description: "The event log reference adds UNDELETE_PROGRAM_SEGMENT and REMOVE_DATA_SUBJECT_REQUEST_RELATIONSHIP_OPTION, and removes PROVIDE_JUSTIFICATION_FOR_AUDIT_CONTROL_ASSESSMENT."
}}
>
  ### New event log actions

  The [event log reference](/reference/manage-vanta/event-log-reference) adds `UNDELETE_PROGRAM_SEGMENT` and `REMOVE_DATA_SUBJECT_REQUEST_RELATIONSHIP_OPTION` to the list of action types. `PROVIDE_JUSTIFICATION_FOR_AUDIT_CONTROL_ASSESSMENT` was removed.
</Update>

<Update
  label="2026-07-03"
  tags={["Auditor API", "Breaking"]}
  rss={{
title: "Integration category and tag enums renamed",
description: "AuditIntegrationCategory was renamed to AuditIntegrationTag, and AuditIntegrationServiceCategory was renamed to AuditIntegrationCategory. Update clients that reference these schemas."
}}
>
  ### Integration category and tag enums renamed

  On the audit integrations endpoint, two schemas were renamed to match how the fields are described in the API:

  * `AuditIntegrationCategory` → `AuditIntegrationTag` (values like `ACCESS`, `COMPUTERS`)
  * `AuditIntegrationServiceCategory` → `AuditIntegrationCategory` (values like `CLOUD_PROVIDER`, `HR_PROVIDER`)

  The `tagsMatchesAny` and `categoriesMatchesAny` query parameters are unchanged. Update generated clients that reference the old schema names.
</Update>

<Update
  label="2026-07-03"
  tags={["Manage Vanta API", "Breaking"]}
  rss={{
title: "Issue sort field values changed to camelCase",
description: "IssueSortField enum values changed from UPPER_SNAKE_CASE (e.g. DUE_DATE) to camelCase (e.g. dueDate). Update clients that hardcoded the old values."
}}
>
  ### Issue sort field values changed to camelCase

  `IssueSortField` enum values on the Issues endpoints changed from `DUE_DATE`, `CREATED_AT`, `DETECTED_AT`, `LAST_MODIFIED_AT`, `STATUS`, `SEVERITY` to `dueDate`, `createdDate`, `detectedDate`, `lastModifiedDate`, `status`, `severity`. Update any clients that hardcoded the old values.
</Update>

<Update
  label="2026-07-03"
  tags={["Manage Vanta API", "Breaking"]}
  rss={{
title: "Vendor accountManagerEmail max length reduced",
description: "The maxLength on Vendor accountManagerEmail was reduced from 2000 to 100 characters."
}}
>
  ### Vendor `accountManagerEmail` max length reduced

  The `maxLength` on the Vendor `accountManagerEmail` field was reduced from 2000 to 100 characters. Requests with longer values will be rejected.
</Update>

<Update
  label="2026-07-03"
  tags={["Manage Vanta API", "Fixed"]}
  rss={{
title: "Issue detectedDate is now non-nullable",
description: "The detectedDate field on issue responses is no longer marked nullable — every issue has a detected timestamp."
}}
>
  ### Issue `detectedDate` is now non-nullable

  The `detectedDate` field on issue responses is no longer marked nullable in the OpenAPI spec. Every issue has a detected timestamp.
</Update>

<Update
  label="2026-06-19"
  tags={["Manage Vanta API", "New"]}
  rss={{
title: "Manage controls on risk scenarios",
description: "New endpoints link and manage controls on a risk scenario: list, add, change controlType, and remove."
}}
>
  ### Manage controls on risk scenarios

  New endpoints let you link and manage controls on a risk scenario:

  * `GET /risk-scenarios/{riskScenarioId}/controls` — list a scenario's controls
  * `POST /risk-scenarios/{riskScenarioId}/controls` — add a control to a scenario
  * `PATCH /risk-scenarios/{riskScenarioId}/controls/{controlId}` — change a control's `controlType`
  * `DELETE /risk-scenarios/{riskScenarioId}/controls/{controlId}` — remove a control from a scenario

  See the [Manage Vanta API reference](/reference/manage-vanta/overview).
</Update>

<Update
  label="2026-06-05"
  tags={["Manage Vanta API", "New"]}
  rss={{
title: "Trust Center resource categories",
description: "Five new endpoints let you organize Trust Center resources into categories: list, add, reorder, update, and delete."
}}
>
  ### Trust Center resource categories

  Five new endpoints let you organize Trust Center resources into categories: list, add, reorder, update, and delete. Use them to model the same category structure customers see in your Trust Center. See the [Manage Vanta API reference](/reference/manage-vanta/overview).
</Update>

<Update
  label="2026-06-05"
  tags={["Manage Vanta API", "New"]}
  rss={{
title: "Update Trust Center viewers",
description: "New PATCH /trust-centers/{slugId}/viewers/{viewerId} endpoint updates a viewer's access without removing and re-adding them."
}}
>
  ### Update Trust Center viewers

  A new `PATCH /trust-centers/{slugId}/viewers/{viewerId}` endpoint updates a viewer's access on a Trust Center without removing and re-adding them.
</Update>

<Update
  label="2026-06-05"
  tags={["Manage Vanta API", "New"]}
  rss={{
title: "Trust Center FAQ category on responses",
description: "Trust Center FAQ endpoints now return the FAQ's category (id and name) so you can group FAQs in your own UI."
}}
>
  ### Trust Center FAQ category on responses

  Trust Center FAQ endpoints now return the FAQ's `category` (id and name) so you can group FAQs in your own UI.
</Update>

<Update
  label="2026-06-05"
  tags={["Auditor API", "Updated"]}
  rss={{
title: "Richer test snapshot evidence",
description: "The test-snapshot evidence detail endpoint now returns apiRequests and outOfScopeResources fields."
}}
>
  ### Richer test snapshot evidence

  The test-snapshot evidence detail endpoint now returns two new fields. `apiRequests` lists HTTP requests captured during API introspection tests. `outOfScopeResources` lists resources excluded at the test level (customer-disabled) and the framework level (segment configuration). See the [Audits API reference](/reference/audits/overview).
</Update>

<Update
  label="2026-06-05"
  tags={["Auditor API", "Updated"]}
  rss={{
title: "More filters on audit issues",
description: "GET /audits/{auditId}/issues/items now accepts created/detected date filters, and orderBy accepts detectedAt."
}}
>
  ### More filters on audit issues

  `GET /audits/{auditId}/issues/items` now accepts `createdAfterDate`, `createdBeforeDate`, `detectedAfterDate`, and `detectedBeforeDate` query parameters, and `orderBy` now accepts `detectedAt`.
</Update>

<Update
  label="2026-06-05"
  tags={["Auditor API", "Updated"]}
  rss={{
title: "Code changes date filter rename",
description: "startDate and endDate on GET /audits/{auditId}/assets/code-changes were renamed to closedAfterDate and closedBeforeDate. Update clients that hardcoded the old names."
}}
>
  ### Code changes date filter rename

  The `startDate` and `endDate` query parameters on `GET /audits/{auditId}/assets/code-changes` were renamed to `closedAfterDate` and `closedBeforeDate` for consistency with other Auditor API endpoints. Update any clients that hardcoded the old names.
</Update>

<Update
  label="2026-06-05"
  tags={["Manage Vanta API", "Updated"]}
  rss={{
title: "More event log actions and targets",
description: "The event log reference adds new action types and three new target types."
}}
>
  ### More event log actions and targets

  The [event log reference](/reference/manage-vanta/event-log-reference) now lists new action types covering Trust Center FAQ and resource categories, program segments, risk register updates, subscription renewals, in-app purchases, and Trust Center viewer reminders. It also adds three new target types: `TRUST_CENTER_FAQ_CATEGORY`, `TRUST_CENTER_RESOURCE_CATEGORY`, and `QUESTIONNAIRE_AUTOMATION`.
</Update>

<Update
  label="2026-06-05"
  tags={["Auditor API", "Deprecated"]}
  rss={{
title: "Legacy Auditor API list endpoints deprecated",
description: "Six legacy GET /audits/{auditId}/... list endpoints are deprecated and at end of life. They work for legacy audits only — don't build new integrations on them."
}}
>
  ### Legacy Auditor API list endpoints

  The following endpoints are deprecated and at end of life. They work for legacy audits only and do not support controlled audit view. They remain available for existing legacy audits for now, but will be removed once legacy audits are fully phased out — don't build new integrations on them.

  * `GET /audits/{auditId}/monitored-computers`
  * `GET /audits/{auditId}/people`
  * `GET /audits/{auditId}/vendors`
  * `GET /audits/{auditId}/vulnerabilities`
  * `GET /audits/{auditId}/vulnerability-remediations`
  * `GET /audits/{auditId}/vulnerable-assets`

  For audits in controlled audit view, this data is served by separate endpoints (`personnel/people` for people, `personnel/computers` for monitored computers, and `managed-vendors` for vendors). These are not drop-in replacements: which endpoint you use depends on whether the audit is in controlled audit view.
</Update>

<Update
  label="2026-05-22"
  tags={["Auditor API", "New"]}
  rss={{
title: "Code changes population for auditors",
description: "New GET /audits/{auditId}/assets/code-changes endpoint returns the pull requests visible to auditors during an audit engagement, with search, source filtering, date-range filtering, and cursor pagination."
}}
>
  ### Code changes population for auditors

  A new `GET /audits/{auditId}/assets/code-changes` endpoint returns the pull requests visible to auditors during an audit engagement. Each record includes the PR title, identifier, repository, source (GitHub, GitLab, Bitbucket, or Azure DevOps), and opened/closed dates. Supports search, source filtering, date-range filtering, and cursor pagination. See the [Audits API reference](/reference/audits/overview).
</Update>

<Update
  label="2026-05-08"
  tags={["Manage Vanta API", "New"]}
  rss={{
title: "Event logs API",
description: "New GET /event-logs endpoint lists audit events from your Vanta account, including the actor, date, and event type."
}}
>
  ### Event logs API

  A new `GET /event-logs` endpoint lets you list audit events from your Vanta account, including the actor, date, and event type. Useful for streaming activity into your SIEM or building custom audit trails. See the [Manage Vanta API reference](/reference/manage-vanta/overview).
</Update>

<Update
  label="2026-05-08"
  tags={["Auditor API", "New"]}
  rss={{
title: "Audit issue snapshots",
description: "Two new endpoints surface the issues an auditor sees during an audit: list snapshotted issues and list audit snapshots."
}}
>
  ### Audit issue snapshots

  Two new endpoints surface the issues an auditor sees during an audit: list snapshotted issues and list audit snapshots. See the [Audits API reference](/reference/audits/overview).
</Update>

<Update
  label="2026-05-08"
  tags={["Auditor API", "New"]}
  rss={{
title: "Test snapshot evidence detail",
description: "A new endpoint returns rich detail for a single test-snapshot evidence row attached to an information request, including test metadata, integrations, SLA remediation policy, and raw snapshot data."
}}
>
  ### Test snapshot evidence detail

  A new endpoint returns rich detail for a single test-snapshot evidence row attached to an information request, including test metadata, integrations, SLA remediation policy, and the raw test data captured at snapshot time. See the [Audits API reference](/reference/audits/overview).
</Update>

<Update
  label="2026-05-08"
  tags={["Manage Vanta API", "Updated"]}
  rss={{
title: "Trust Center categories on Knowledge Base resources",
description: "Knowledge Base resource endpoints now include a categoryId field, so you can read and set the Trust Center category a resource is filed under."
}}
>
  ### Trust Center categories on Knowledge Base resources

  Knowledge Base resource endpoints now include a `categoryId` field, so you can read and set the Trust Center category a resource is filed under when creating or updating webpage and document resources. Pass `null` to keep a resource uncategorized. Only valid for `REQUEST_ACCESS` and `PUBLIC` resources.
</Update>

<Update
  label="2026-05-08"
  tags={["Manage Vanta API", "Updated"]}
  rss={{
title: "Identification date on risk scenarios",
description: "Risk scenario responses now include identificationDate, matching the Identified Date field in the Vanta UI."
}}
>
  ### Identification date on risk scenarios

  Risk scenario responses now include `identificationDate`, matching the "Identified Date" field in the Vanta UI. The value defaults to the scenario's creation time when not explicitly set.
</Update>

<Update
  label="2026-05-08"
  tags={["Manage Vanta API", "Updated"]}
  rss={{
title: "Stricter validation for Knowledge Base webpage resources",
description: "Webpage resource title now requires at least one character, and url is validated as a URI. Existing valid payloads are unaffected."
}}
>
  ### Stricter validation for Knowledge Base webpage resources

  Webpage resource `title` now requires at least one character, and `url` is validated as a URI. Existing valid payloads are unaffected.
</Update>

<Update
  label="2026-05-04"
  rss={{
title: "Welcome to the Vanta developer changelog",
description: "Future updates to the Vanta API and developer documentation will be listed here."
}}
>
  ### Welcome to the Vanta developer changelog

  Future updates to the Vanta API and developer documentation will be listed here.
</Update>
