> ## Documentation Index
> Fetch the complete documentation index at: https://developer.vanta.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Pull Information Request Lists for your audits

> Get a list of Information Request Lists (IRLs) for the audits assigned to your firm.

export const EstimatedTime = ({time, icon = "clock"}) => <div className="vanta-estimated-time" style={{
  display: "inline-flex",
  alignItems: "center",
  gap: "0.5rem",
  padding: "0.35rem 0.75rem",
  marginBottom: "1rem",
  borderRadius: "9999px",
  background: "color-mix(in srgb, #5E05C4 10%, transparent)",
  border: "1px solid color-mix(in srgb, #5E05C4 25%, transparent)",
  fontSize: "0.8125rem",
  fontWeight: 500,
  lineHeight: 1,
  color: "#5E05C4",
  whiteSpace: "nowrap"
}}>
    <Icon icon={icon} iconType="regular" size={14} color="#5E05C4" />
    <span>Estimated time: {time}</span>
  </div>;

<EstimatedTime time="10 minutes" />

By the end of this quickstart you'll have a working auditor access token and you'll have used it to list the information requests for one of your active audits.

## Before you begin

Make sure you have:

* An active **Vanta Audit Partner** registration. If you don't see the **Auditor API** option in your Vanta navigation, contact your Vanta representative.
* An auditor account in Vanta.
* At least one active audit assigned to your firm — most endpoints return data only for audits that already exist.
* A terminal or HTTP client (cURL, Postman, or your language of choice).

<Info>
  This quickstart is for **Vanta audit partners** pulling data from their customers' audits. If you're a Vanta customer automating your own tenant, see the [Manage Vanta quickstart](/docs/quickstart/manage-vanta). If you're a partner building a public integration, see the [Build an Integration quickstart](/docs/quickstart/build-integration).
</Info>

<Steps titleSize="h3">
  <Step title="Create an auditor application">
    **Vanta Dashboard** — sign in to the Vanta app with your auditor email. In the left navigation, open **Auditor API**, then click **Create**.

    <img src="https://mintcdn.com/vanta/WstAJ2TKBLS7hAXq/images/e7779a8-2024-07-09_11-55.png?fit=max&auto=format&n=WstAJ2TKBLS7hAXq&q=85&s=1b5fc1cf30b361e806dbded2fcb53376" alt="Vanta Auditor API page with the Create button highlighted" width="721" height="250" data-path="images/e7779a8-2024-07-09_11-55.png" />

    Give your application a name and description, then click **Create**.

    <img src="https://mintcdn.com/vanta/WstAJ2TKBLS7hAXq/images/edf5580-2024-07-09_11-40.png?fit=max&auto=format&n=WstAJ2TKBLS7hAXq&q=85&s=9ff66afecd6bc1bdb518c762d3435020" alt="Auditor application creation form with name and description fields" width="923" height="845" data-path="images/edf5580-2024-07-09_11-40.png" />

    The OAuth `client_id` is auto-generated. Click **Generate client secret** to create the secret. Store both values securely — only share with trusted team members. You can rotate the secret at any time.

    <img src="https://mintcdn.com/vanta/WstAJ2TKBLS7hAXq/images/bded0fd-2024-07-09_11-41.png?fit=max&auto=format&n=WstAJ2TKBLS7hAXq&q=85&s=f9c0a9bbbe5b2819ebf3b5c7f6411f8a" alt="Auditor application detail page showing the generated client_id and Generate client secret button" width="2117" height="1225" data-path="images/bded0fd-2024-07-09_11-41.png" />
  </Step>

  <Step title="Get an access token">
    From your **terminal**, exchange your client credentials for an access token. This quickstart only makes read calls, so request the minimum scope: `auditor-api.audit:read`.

    <CodeGroup>
      ```bash Terminal theme={"system"}
      curl --location 'https://api.vanta.com/oauth/token' \
        --header 'Content-Type: application/json' \
        --data '{
          "client_id": "your_client_id",
          "client_secret": "your_client_secret",
          "scope": "auditor-api.audit:read",
          "grant_type": "client_credentials"
        }'
      ```

      ```javascript Node.js theme={"system"}
      const response = await fetch("https://api.vanta.com/oauth/token", {
        method: "POST",
        headers: { "Content-Type": "application/json" },
        body: JSON.stringify({
          client_id: "your_client_id",
          client_secret: "your_client_secret",
          scope: "auditor-api.audit:read",
          grant_type: "client_credentials",
        }),
      });
      const { access_token } = await response.json();
      ```

      ```python Python theme={"system"}
      import requests

      response = requests.post(
          "https://api.vanta.com/oauth/token",
          json={
              "client_id": "your_client_id",
              "client_secret": "your_client_secret",
              "scope": "auditor-api.audit:read",
              "grant_type": "client_credentials",
          },
      )
      access_token = response.json()["access_token"]
      ```
    </CodeGroup>

    Expected response:

    ```json theme={"system"}
    {
      "access_token": "vat_your_token",
      "expires_in": 3600,
      "token_type": "Bearer"
    }
    ```

    <Info>
      **One token at a time.** Vanta only allows one active access token per application — requesting a new token immediately revokes the previous one. Tokens expire after one hour.
    </Info>

    <AccordionGroup>
      <Accordion title="Got a 401 or invalid_client?">
        Double-check the `client_id` and `client_secret` from the Auditor API page. If you rotated the secret, the old one is no longer valid. Make sure your `Content-Type` header is `application/json` — Vanta's `/oauth/token` does not accept form-encoded bodies.
      </Accordion>

      <Accordion title="Got an invalid_scope error?">
        You requested a scope that isn't available to **Auditor** apps. For this quickstart, request only `auditor-api.audit:read`. Auditor apps can also request `auditor-api.audit:write`, `auditor-api.auditor:read`, and `auditor-api.auditor:write` — request only what your tool needs.
      </Accordion>
    </AccordionGroup>
  </Step>

  <Step title="List your active audits">
    From your **terminal**, call `GET /v1/audits` to see the audits assigned to your firm, then grab an `auditId` to use in the next step. Pass `isActiveAudit=true` to filter out audits with a final report already uploaded. Replace `your_token_here` with the `access_token` from Step 2.

    <CodeGroup>
      ```bash Terminal theme={"system"}
      curl --location 'https://api.vanta.com/v1/audits?isActiveAudit=true&pageSize=10' \
        --header 'Accept: application/json' \
        --header 'Authorization: Bearer your_token_here'
      ```

      ```javascript Node.js theme={"system"}
      const response = await fetch(
        "https://api.vanta.com/v1/audits?isActiveAudit=true&pageSize=10",
        {
          headers: {
            Accept: "application/json",
            Authorization: `Bearer ${access_token}`,
          },
        }
      );
      const { results } = await response.json();
      const auditId = results.data[0].id;
      ```

      ```python Python theme={"system"}
      import requests

      response = requests.get(
          "https://api.vanta.com/v1/audits",
          params={"isActiveAudit": "true", "pageSize": 10},
          headers={
              "Accept": "application/json",
              "Authorization": f"Bearer {access_token}",
          },
      )
      audit_id = response.json()["results"]["data"][0]["id"]
      ```
    </CodeGroup>

    Expected response — note the `id` field on each audit; that's the `auditId` you'll use in the next step:

    ```json theme={"system"}
    {
      "results": {
        "data": [
          {
            "id": "65fc81a3359c8508c9af880f",
            "customerOrganizationName": "corporation.com",
            "customerDisplayName": "Corporation Company",
            "customerOrganizationId": "65fc81a3359c8508c9af880f",
            "auditStartDate": "2024-03-07T21:25:56.000Z",
            "auditEndDate": "2024-03-14T21:25:56.000Z",
            "framework": "SOC 2 Type II",
            "displayName": "Q1 2024 SOC 2 Audit",
            "auditFocus": "EXTERNAL"
          }
        ],
        "pageInfo": {
          "hasNextPage": false,
          "hasPreviousPage": false,
          "startCursor": "YXJyYXljb25uZWN0aW9uOjA=",
          "endCursor": "YXJyYXljb25uZWN0aW9uOjE="
        }
      }
    }
    ```

    <AccordionGroup>
      <Accordion title="Empty `data` array?">
        Either your firm has no active audits in flight, or every audit already has a final report uploaded (filtered out by `isActiveAudit=true`). Re-run the request without `isActiveAudit=true` to include completed audits.
      </Accordion>
    </AccordionGroup>
  </Step>

  <Step title="List information requests for that audit">
    From your **terminal**, call `GET /v1/audits/{auditId}/information-requests` with the `auditId` from Step 3. This returns every information request (IR) on the audit — the evidence requirements your team and the customer are working through. Reuse the same `access_token` from Step 2 by replacing `your_token_here`.

    <CodeGroup>
      ```bash Terminal theme={"system"}
      curl --location 'https://api.vanta.com/v1/audits/65fc81a3359c8508c9af880f/information-requests?pageSize=10' \
        --header 'Accept: application/json' \
        --header 'Authorization: Bearer your_token_here'
      ```

      ```javascript Node.js theme={"system"}
      const response = await fetch(
        `https://api.vanta.com/v1/audits/${auditId}/information-requests?pageSize=10`,
        {
          headers: {
            Accept: "application/json",
            Authorization: `Bearer ${access_token}`,
          },
        }
      );
      const { results } = await response.json();
      console.log(`${results.data.length} information requests for ${auditId}`);
      ```

      ```python Python theme={"system"}
      import requests

      response = requests.get(
          f"https://api.vanta.com/v1/audits/{audit_id}/information-requests",
          params={"pageSize": 10},
          headers={
              "Accept": "application/json",
              "Authorization": f"Bearer {access_token}",
          },
      )
      requests_list = response.json()["results"]["data"]
      print(f"{len(requests_list)} information requests for {audit_id}")
      ```
    </CodeGroup>

    Expected response:

    ```json theme={"system"}
    {
      "results": {
        "data": [
          {
            "id": "6890e473dce1da5d8406f5e7",
            "uniqueId": "1466132",
            "title": "Terminated Customer Deletion Evidence",
            "description": "Provide the data deletion evidence for a sample of terminated customers",
            "approvalStatus": "NEEDS_EVIDENCE",
            "cadence": "ANNUALLY",
            "frameworkCodes": ["SOC2_CC6.1"],
            "requestType": "SAMPLE",
            "dueDate": "2025-10-28T00:00:00.000Z",
            "ownerAssignment": {
              "type": "user",
              "id": "507f1f77bcf86cd799439011",
              "displayName": "John Doe"
            },
            "creationDate": "2025-08-01T12:34:56.000Z",
            "modificationDate": "2025-08-02T08:00:00.000Z",
            "deletionDate": null
          }
        ],
        "pageInfo": {
          "hasNextPage": false,
          "hasPreviousPage": false,
          "startCursor": "Njg5MGU0NzNkY2UxZGE1Z",
          "endCursor": "Njg5MGU0NzNkY2UxZGE1Z"
        }
      }
    }
    ```

    <AccordionGroup>
      <Accordion title="Empty `data` array?">
        Either the audit has no information requests yet, or the requests haven't been shared with the customer. Confirm in the Vanta dashboard that the audit has IRs configured. Note that this endpoint always includes soft-deleted records — check `deletionDate` to skip them.
      </Accordion>

      <Accordion title="Got a 403 Forbidden?">
        Your firm isn't assigned to this audit, or your application's allowlisted auditor emails don't include you. Re-run Step 3 and copy an `auditId` from the response — that list is already scoped to audits your firm can see.
      </Accordion>
    </AccordionGroup>
  </Step>

  <Step title="Verify it worked">
    Pick an information request from the response and open the audit in the Vanta app — find the IR by its `uniqueId` or `title`. You should land on the same record the API just returned.

    Confirm on the dashboard:

    * The **title**, **description**, and **due date** match what the API returned.
    * The **approval status** matches `approvalStatus` from the response (e.g. `NEEDS_EVIDENCE`, `AWAITING_REVIEW`, `APPROVED`).
    * The **owner** matches `ownerAssignment.displayName`.

    | Scenario     | Test input                                                      | Expected result                                                                                              |
    | ------------ | --------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ |
    | Success      | An IR with `approvalStatus: "NEEDS_EVIDENCE"` from the response | The IR exists in the dashboard with matching title, description, and due date; status reads "Needs evidence" |
    | Auth failure | Expired `access_token` (older than one hour)                    | `401 Unauthorized` — re-run Step 2 for a fresh token                                                         |
    | Edge case    | An IR with a non-null `deletionDate`                            | Record is soft-deleted; it won't appear in the dashboard, and your tool should skip or archive it            |
  </Step>
</Steps>

## Congratulations

You have a working auditor token and you've used it to read information requests from one of your active audits. From here you can:

* **Pull the controls** for an audit with `GET /v1/audits/{auditId}/controls` to see every requirement in scope.
* **Pull evidence** with `GET /v1/audits/{auditId}/evidence` to feed the customer's evidence into your audit-management tooling.
* **Create custom IRs** with `POST /v1/audits/{auditId}/information-requests` to add evidence requirements that supplement Vanta's built-in scaffolding (requires the `auditor-api.audit:write` scope).
* **Accept or flag evidence** on an IR programmatically once your team has reviewed it.

## Next steps

<CardGroup cols={2}>
  <Card title="List audit controls" href="/api-reference/audits/list-audit-controls">
    Pull every control in scope for an audit, with framework codes and status.
  </Card>

  <Card title="Manage information requests" href="/api-reference/audits/list-information-requests-for-an-audit">
    Create custom IRs, accept or flag evidence, and share the IR list with the customer.
  </Card>

  <Card title="Browse the Auditor API" href="/reference/audits/overview">
    Every endpoint available to auditor apps.
  </Card>

  <Card title="Set up Postman" href="/docs/postman-setup">
    Import the Vanta collection and start testing requests in seconds.
  </Card>
</CardGroup>
