> ## Documentation Index
> Fetch the complete documentation index at: https://developer.vanta.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Manage Vanta API

> Manage Vanta API — automate your Vanta tenant: controls, documents, vendors, personnel, resources, and tests.

The Manage Vanta API is the operational surface for **your own Vanta tenant**. Use it to automate the work your team would otherwise click through in the Vanta dashboard — assigning control owners, uploading evidence, syncing personnel, querying test results, and managing vendors.

## Who is this API for?

This API is for **Vanta customers** automating their own tenant. It is **not available to partners** building marketplace integrations — partners must use the [Build Integrations API](/reference/build-integrations/overview).

| You are...                                  | Use this API to...                                                                                              |
| ------------------------------------------- | --------------------------------------------------------------------------------------------------------------- |
| **A Vanta customer's security or GRC team** | Automate compliance workflows in your own tenant: assign control owners, surface overdue tasks, manage vendors. |
| **A Vanta customer's engineering team**     | Pull tests, manage frameworks and automate your compliance program.                                             |

<Info>
  Building an integration that syncs data into Vanta from an external tool? Use the [Build Integrations API](/reference/build-integrations/overview) instead.
</Info>

## When to use this API

Reach for Manage Vanta endpoints when you want to:

* **Automate compliance workflows** — assign control owners, mark people as not-a-person, surface overdue tasks.
* **Report on your security posture** — query controls, tests, vulnerabilities, and resources to feed dashboards or downstream systems.
* **Manage your vendor inventory** — create vendors, attach documentation, and apply custom fields.

If you're new to the API, start with the [Manage Vanta quickstart](/docs/quickstart/manage-vanta) to authenticate and make your first call.

## Authentication

Manage Vanta apps use the **`client_credentials`** OAuth flow. Create a **Manage Vanta** application in the [Developer Console](https://app.vanta.com/settings/developer-console), then exchange your `client_id` / `client_secret` at the token endpoint for an access token scoped to your own Vanta tenant.

|                  |                                                         |
| ---------------- | ------------------------------------------------------- |
| **Endpoint**     | `POST /oauth/token`                                     |
| **Base URL**     | `https://api.vanta.com`  ·  `https://api.vanta-gov.com` |
| **Content-Type** | `application/json`                                      |
| **Grant type**   | `client_credentials`                                    |

**Request body**

| Field           | Type   | Required | Description                                                                        |
| --------------- | ------ | -------- | ---------------------------------------------------------------------------------- |
| `client_id`     | string | yes      | OAuth client ID from your Manage Vanta application.                                |
| `client_secret` | string | yes      | OAuth client secret from your application.                                         |
| `scope`         | string | yes      | Space-separated list of [Manage Vanta scopes](#scopes), e.g. `vanta-api.all:read`. |
| `grant_type`    | string | yes      | Must be `client_credentials`.                                                      |

<CodeGroup>
  ```bash cURL theme={"system"}
  curl --request POST 'https://api.vanta.com/oauth/token' \
    --header 'Content-Type: application/json' \
    --data '{
      "client_id": "vci_your_client_id",
      "client_secret": "vcs_your_client_secret",
      "scope": "vanta-api.all:read",
      "grant_type": "client_credentials"
    }'
  ```

  ```javascript Node.js theme={"system"}
  const response = await fetch("https://api.vanta.com/oauth/token", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({
      client_id: process.env.VANTA_CLIENT_ID,
      client_secret: process.env.VANTA_CLIENT_SECRET,
      scope: "vanta-api.all:read",
      grant_type: "client_credentials",
    }),
  });
  const { access_token } = await response.json();
  ```

  ```python Python theme={"system"}
  import requests

  response = requests.post(
      "https://api.vanta.com/oauth/token",
      json={
          "client_id": client_id,
          "client_secret": client_secret,
          "scope": "vanta-api.all:read",
          "grant_type": "client_credentials",
      },
  )
  access_token = response.json()["access_token"]
  ```
</CodeGroup>

**Response**

```json theme={"system"}
{
  "access_token": "vat_...",
  "expires_in": 3600,
  "token_type": "Bearer"
}
```

| Field          | Type    | Description                                                                        |
| -------------- | ------- | ---------------------------------------------------------------------------------- |
| `access_token` | string  | Bearer token. Send as `Authorization: Bearer <access_token>` on every API request. |
| `expires_in`   | integer | Lifetime in seconds. Always `3600` (1 hour).                                       |
| `token_type`   | string  | Always `Bearer`.                                                                   |

No `refresh_token` is issued. When the token expires after one hour, re-exchange your `client_id` / `client_secret` for a fresh one. Most integrations request a new token at the start of each scheduled run.

<Info>
  **One active token per Application.** Requesting a new token with the same `client_id` / `client_secret` immediately revokes the previous one — any in-flight requests using the old token will fail with `401`. Centralize token issuance and don't run two processes that both mint tokens for the same application.
</Info>

For grant-type tradeoffs, secret rotation, and other foot-guns, see [Authentication concepts](/docs/concepts/authentication).

## Scopes

| Scope                        | Grants                                                                                              |
| ---------------------------- | --------------------------------------------------------------------------------------------------- |
| `vanta-api.all:read`         | `GET` access to all Manage Vanta endpoints.                                                         |
| `vanta-api.all:write`        | `PUT`, `PATCH`, `POST`, `DELETE` access to all Manage Vanta endpoints.                              |
| `vanta-api.documents:upload` | Upload files via the [document upload endpoint](/api-reference/documents/upload-file-for-document). |
| `vanta-api.vendors:read`     | `GET` access to vendor endpoints.                                                                   |
| `vanta-api.vendors:write`    | Write access to vendor endpoints.                                                                   |

Request only the scopes your application needs. Requesting a scope that doesn't match your application type returns `invalid_scope`.

## Base URL

Use `https://api.vanta.com`, or `https://api.vanta-gov.com` if you're on Vanta Gov. See [Base URLs](/reference/overview#base-urls) for details.

## Pagination

List endpoints use cursor-based pagination via the `pageSize` and `pageCursor` query parameters.

To page through results:

1. Make the initial request, optionally setting `pageSize` (defaults vary by endpoint).
2. Check `results.pageInfo.hasNextPage` in the response.
3. If `true`, pass `results.pageInfo.endCursor` as the `pageCursor` in your next request.
4. Repeat until `hasNextPage` is `false`.

Responses are wrapped as:

```json theme={"system"}
{
  "results": {
    "data": [ /* ... */ ],
    "pageInfo": {
      "endCursor": "...",
      "hasNextPage": true,
      "hasPreviousPage": false,
      "startCursor": "..."
    }
  }
}
```

Many list endpoints also support filters — see the per-endpoint reference for available options.

## Trust Center

Trust Center endpoints (`/trust-centers/{slugId}/...`) require your Trust Center's `slugId` as a path parameter. To find it:

1. In Vanta, navigate to **Trust Center > Overview**.
2. In the top right, copy the unique URL for your Trust Center — it looks like `https://app.vanta.com/your-domain.com/trust/tz7gh0fvb2ymzbl34hca2w`. The `slugId` is the final segment (in this example, `tz7gh0fvb2ymzbl34hca2w`).
3. If you've configured a custom domain, visit your public Trust Center, view source, and look for the `data-slug` attribute on the `<head>` element.

<img src="https://mintcdn.com/vanta/WstAJ2TKBLS7hAXq/images/0d3e25d-SCR-20240731-ufkq.png?fit=max&auto=format&n=WstAJ2TKBLS7hAXq&q=85&s=fbb33761928c31c43e0a49053b8f0179" alt="Trust Center slugId location" width="2236" height="788" data-path="images/0d3e25d-SCR-20240731-ufkq.png" />

## Rate limits

| Endpoint group         | Limit       |
| ---------------------- | ----------- |
| Manage Vanta endpoints | 50 / minute |
| OAuth (`/oauth/token`) | 5 / minute  |

Exceeding a limit returns `429 Too Many Requests`. Back off and retry after a short delay.

## Common workflows

<CardGroup cols={2}>
  <Card title="Add an owner to a control" href="/docs/guides/add-an-owner-to-a-control">
    Programmatically assign control ownership across your framework.
  </Card>

  <Card title="Upload a document" href="/docs/guides/upload-a-document">
    Attach evidence to controls, vendors, or tests.
  </Card>

  <Card title="Manage personnel" href="/docs/guides/list-users-with-overdue-security-tasks">
    Surface overdue tasks, offboard people, and mark non-personnel.
  </Card>

  <Card title="Query test results" href="/docs/guides/query-test-results-and-filter-for-failing-resources">
    Build dashboards from failing tests and resources.
  </Card>
</CardGroup>

## OpenAPI specification

<a href="/reference/manage-vanta.json" download>
  <Card title="Download the Manage Vanta OpenAPI spec" icon="download">
    Generate clients, import into your favorite tool, or browse the schema offline.
  </Card>
</a>

## Tools

<CardGroup cols={2}>
  <Card title="Postman Collection" icon="paper-plane" href="/docs/postman-setup">
    Import the collection to explore endpoints quickly.
  </Card>

  <Card title="MCP Server" icon="robot" href="/docs/vanta-mcp">
    Connect AI assistants to the Vanta API.
  </Card>

  <Card title="Webhooks" icon="bell" href="/docs/webhooks">
    Subscribe to events and receive real-time updates.
  </Card>
</CardGroup>
