Skip to main content

Documentation Index

Fetch the complete documentation index at: https://developer.vanta.com/llms.txt

Use this file to discover all available pages before exploring further.

The Manage Vanta API is the operational surface for your own Vanta tenant. Use it to automate the work your team would otherwise click through in the Vanta dashboard — assigning control owners, uploading evidence, syncing personnel, querying test results, and managing vendors.

Who is this API for?

This API is for Vanta customers automating their own tenant. It is not available to partners building marketplace integrations — partners must use the Build Integrations API.
You are…Use this API to…
A Vanta customer’s security or GRC teamAutomate compliance workflows in your own tenant: assign control owners, surface overdue tasks, manage vendors.
A Vanta customer’s engineering teamPull tests, manage frameworks and automate your compliance program.
Building an integration that syncs data into Vanta from an external tool? Use the Build Integrations API instead.

When to use this API

Reach for Manage Vanta endpoints when you want to:
  • Automate compliance workflows — assign control owners, mark people as not-a-person, surface overdue tasks.
  • Report on your security posture — query controls, tests, vulnerabilities, and resources to feed dashboards or downstream systems.
  • Manage your vendor inventory — create vendors, attach documentation, and apply custom fields.
If you’re new to the API, start with the Manage Vanta quickstart to authenticate and make your first call.

Authentication

Manage Vanta apps use the client_credentials OAuth flow. Create a Manage Vanta application in the Developer Console, then exchange your client_id / client_secret at the token endpoint for an access token scoped to your own Vanta tenant.
EndpointPOST /oauth/token
Base URLhttps://api.vanta.com  ·  https://api.vanta-gov.com
Content-Typeapplication/json
Grant typeclient_credentials
Request body
FieldTypeRequiredDescription
client_idstringyesOAuth client ID from your Manage Vanta application.
client_secretstringyesOAuth client secret from your application.
scopestringyesSpace-separated list of Manage Vanta scopes, e.g. vanta-api.all:read.
grant_typestringyesMust be client_credentials.
curl --request POST 'https://api.vanta.com/oauth/token' \
  --header 'Content-Type: application/json' \
  --data '{
    "client_id": "vci_your_client_id",
    "client_secret": "vcs_your_client_secret",
    "scope": "vanta-api.all:read",
    "grant_type": "client_credentials"
  }'
Response 
{
  "access_token": "vat_...",
  "expires_in": 3600,
  "token_type": "Bearer"
}
FieldTypeDescription
access_tokenstringBearer token. Send as Authorization: Bearer <access_token> on every API request.
expires_inintegerLifetime in seconds. Always 3600 (1 hour).
token_typestringAlways Bearer.
No refresh_token is issued. When the token expires after one hour, re-exchange your client_id / client_secret for a fresh one. Most integrations request a new token at the start of each scheduled run.
One active token per Application. Requesting a new token with the same client_id / client_secret immediately revokes the previous one — any in-flight requests using the old token will fail with 401. Centralize token issuance and don’t run two processes that both mint tokens for the same application.
For grant-type tradeoffs, secret rotation, and other foot-guns, see Authentication concepts.

Scopes

ScopeGrants
vanta-api.all:readGET access to all Manage Vanta endpoints.
vanta-api.all:writePUT, PATCH, POST, DELETE access to all Manage Vanta endpoints.
vanta-api.documents:uploadUpload files via the document upload endpoint.
vanta-api.vendors:readGET access to vendor endpoints.
vanta-api.vendors:writeWrite access to vendor endpoints.
Request only the scopes your application needs. Requesting a scope that doesn’t match your application type returns invalid_scope.

Base URL

Use https://api.vanta.com, or https://api.vanta-gov.com if you’re on Vanta Gov. See Base URLs for details.

Pagination

List endpoints use cursor-based pagination via the pageSize and pageCursor query parameters. To page through results:
  1. Make the initial request, optionally setting pageSize (defaults vary by endpoint).
  2. Check results.pageInfo.hasNextPage in the response.
  3. If true, pass results.pageInfo.endCursor as the pageCursor in your next request.
  4. Repeat until hasNextPage is false.
Responses are wrapped as: 
{
  "results": {
    "data": [ /* ... */ ],
    "pageInfo": {
      "endCursor": "...",
      "hasNextPage": true,
      "hasPreviousPage": false,
      "startCursor": "..."
    }
  }
}
Many list endpoints also support filters — see the per-endpoint reference for available options.

Trust Center

Trust Center endpoints (/trust-centers/{slugId}/...) require your Trust Center’s slugId as a path parameter. To find it:
  1. In Vanta, navigate to Trust Center > Overview.
  2. In the top right, copy the unique URL for your Trust Center — it looks like https://app.vanta.com/your-domain.com/trust/tz7gh0fvb2ymzbl34hca2w. The slugId is the final segment (in this example, tz7gh0fvb2ymzbl34hca2w).
  3. If you’ve configured a custom domain, visit your public Trust Center, view source, and look for the data-slug attribute on the <head> element.
Trust Center slugId location

Rate limits

Endpoint groupLimit
Manage Vanta endpoints50 / minute
OAuth (/oauth/token)5 / minute
Exceeding a limit returns 429 Too Many Requests. Back off and retry after a short delay.

Common workflows

Add an owner to a control

Programmatically assign control ownership across your framework.

Upload a document

Attach evidence to controls, vendors, or tests.

Manage personnel

Surface overdue tasks, offboard people, and mark non-personnel.

Query test results

Build dashboards from failing tests and resources.

OpenAPI specification

Download the Manage Vanta OpenAPI spec

Generate clients, import into your favorite tool, or browse the schema offline.

Tools

Postman Collection

Import the collection to explore endpoints quickly.

MCP Server

Connect AI assistants to the Vanta API.

Webhooks

Subscribe to events and receive real-time updates.