Vanta exposes three APIs, each with its own audience, auth flow, and scopes. Pick the one that matches what you’re building — every API-specific detail (scopes, pagination, rate limits, workflows) lives in its overview.
- Manage Vanta: Automate your own Vanta tenant — controls, documents, vendors, personnel, tests.
- Build Integrations: Push data into customer Vanta tenants — for marketplace partners and private connectors.
- Conduct an Audit: For Vanta Audit Partners — pull audit data and manage information requests.
New to the API? Start with a quickstart to get authenticated and make your first call.
Base URLs
Use the base URL that matches your Vanta instance. Most customers use https://api.vanta.com. If you use Vanta Government Cloud you must use the Vanta Gov base URL.
| Product | Base URL |
|---|---|
| Vanta | https://api.vanta.com |
| Vanta Government Cloud | https://api.vanta-gov.com |
Authentication
Every Vanta API request requires an Authorization: Bearer <access_token> header. All three APIs share a single OAuth 2.0 token endpoint — the grant type, scopes, and request body depend on which API you’re calling.
| Field | Value |
|---|---|
| Endpoint | POST /oauth/token |
| Base URL | https://api.vanta.com · https://api.vanta-gov.com |
| Content-Type | application/json |
| Token lifetime | 1 hour |
| Rate limit | 5 requests / minute, shared across all APIs |

| API | Grant type | Auth section |
|---|---|---|
| Manage Vanta | client_credentials | Authentication |
| Build Integrations (Private) | client_credentials | Authentication |
| Build Integrations (Public) | authorization_code | Authentication |
| Auditor API | client_credentials | Authentication |
One active token per Application. Requesting a new token with the same client_id / client_secret immediately revokes the previous one — any in-flight requests using the old token will fail with 401. For authorization_code apps, this applies per source_id (per customer authorization), not globally.
Scopes
Each API exposes its own set of scopes. Requesting a scope that doesn’t match your application type returns an invalid_scope error.
See the scope tables in each API’s overview.
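The token rules in the Authentication section (1-hour lifetime, 5 token requests per minute, one active token per Application) mean that workers fetching tokens independently will revoke each other's tokens. The following Python is an added example, not Vanta's code: it shares one cached token per Application and refreshes it only when needed. The names `fetch_token` and `TokenCache`, the JSON body field names, and the `expires_in` response field are assumptions based on standard OAuth 2.0.

```python
import json
import threading
import time
import urllib.request

BASE_URL = "https://api.vanta.com"  # Vanta Government Cloud: https://api.vanta-gov.com
TOKEN_LIFETIME = 3600               # page: tokens live 1 hour
MIN_INTERVAL = 12.0                 # page: 5 token requests / minute, shared


def fetch_token(client_id, client_secret, scope):
    """POST /oauth/token with a JSON body. Body field names follow standard
    OAuth 2.0 (assumption); take scope values from the API's overview."""
    body = json.dumps({"grant_type": "client_credentials", "client_id": client_id,
                       "client_secret": client_secret, "scope": scope}).encode()
    req = urllib.request.Request(BASE_URL + "/oauth/token", data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Single holder of an Application's one active token (hypothetical helper)."""

    def __init__(self, fetch, clock=time.monotonic, skew=60):
        self._fetch, self._clock, self._skew = fetch, clock, skew
        self._lock = threading.Lock()
        self._token, self._expires, self._last_fetch = None, 0.0, None

    def get(self, rejected=None):
        """Return a bearer token. After a 401, pass the token that was refused
        as `rejected`: a refresh happens only if it is still the cached one, so
        late 401s for an already-replaced token do not revoke the new token."""
        with self._lock:
            now = self._clock()
            stale = self._token is None or now >= self._expires - self._skew
            if not stale and rejected != self._token:
                return self._token
            if self._last_fetch is not None and now - self._last_fetch < MIN_INTERVAL:
                raise RuntimeError("token requested too recently; back off and retry")
            self._last_fetch = now
            data = self._fetch()  # the previous token is revoked from here on
            self._token = data["access_token"]
            self._expires = now + float(data.get("expires_in", TOKEN_LIFETIME))
            return self._token
```

Create one `TokenCache` per Application (per source_id for authorization_code apps) with a zero-argument callable that wraps `fetch_token`, and have every worker call `get()` instead of requesting tokens directly.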
Versioning
The Vanta API does not officially support versioning. All requests target a single, unversioned API surface — https://api.vanta.com for standard Vanta tenants, and https://api.vanta-gov.com for Vanta Government Cloud tenants.
Vanta does not introduce breaking changes to existing endpoints — that includes removing or renaming fields, changing field types, altering the meaning of existing values, or adding new required parameters. All API changes are strictly additive: new endpoints, new optional parameters, and new response fields.
Clients should be written to tolerate the addition of new fields. Any deprecations will be announced in advance via the Changelog.
Error codes
The API uses standard HTTP status codes to signal success or failure. Error responses include a JSON body with a message field describing the problem.
| Code | Meaning |
|---|---|
| 200 / 201 | Success |
| 400 | Bad request — malformed params or wrong types |
| 401 | Unauthorized — missing or invalid auth header |
| 403 | Forbidden — authenticated but not allowed |
| 404 | Not found — resource or endpoint doesn’t exist |
| 422 | Unprocessable entity — semantically invalid request |
| 429 | Too many requests — rate limit exceeded |
| 500 | Internal server error |
| 503 | Service unavailable |
| 504 | Gateway timeout |
- Manage Vanta: rate limits · pagination
- Build Integrations: rate limits · pagination
- Auditor API: rate limits · pagination
OpenAPI specifications
Download the OpenAPI 3.0 spec for each API to generate clients, import into your favorite tool, or browse the schema offline.
- Manage Vanta: OpenAPI spec for the Manage Vanta API.
- Build Integrations: OpenAPI spec for the Build Integrations API.
- Auditor API: OpenAPI spec for the Auditor API.
Tools and SDKs
- Postman Collection: Import the collection to explore endpoints quickly.
- MCP Server: Connect AI assistants to the Vanta API via Model Context Protocol.
- SDKs: Official client libraries for the Vanta API.
- Webhooks: Subscribe to events and receive real-time updates.