# API Overview

> The Vanta API is a RESTful JSON API that lets you automate workflows, integrate external data, and access audit information programmatically.

Vanta exposes three APIs, each with its own audience, auth flow, and scopes. Pick the one that matches what you're building — every API-specific detail (scopes, pagination, rate limits, workflows) lives in its overview.

<CardGroup cols={1}>
  <Card title="Manage Vanta" icon="sliders" href="/reference/manage-vanta/overview">
    Automate your own Vanta tenant — controls, documents, vendors, personnel, tests.
  </Card>
</CardGroup>

<CardGroup cols={2}>
  <Card title="Build Integrations" icon="plug" href="/reference/build-integrations/overview">
    Push data into customer Vanta tenants — for marketplace partners and private connectors.
  </Card>

  <Card title="Conduct an Audit" icon="clipboard-check" href="/reference/audits/overview">
    For Vanta Audit Partners — pull audit data and manage information requests.
  </Card>
</CardGroup>

<Note>
  New to the API? Start with a [quickstart](/docs/quickstart/manage-vanta) to get authenticated and make your first call.
</Note>

## Base URLs

Use the base URL that matches your Vanta instance. Most customers use `https://api.vanta.com`. If you use Vanta Government Cloud, you must use the Vanta Gov base URL.

| Product                | Base URL                    |
| ---------------------- | --------------------------- |
| Vanta                  | `https://api.vanta.com`     |
| Vanta Government Cloud | `https://api.vanta-gov.com` |

## Authentication

Every Vanta API request requires an `Authorization: Bearer <access_token>` header. All three APIs share a single OAuth 2.0 token endpoint — the grant type, scopes, and request body depend on which API you're calling.

|                    |                                                         |
| ------------------ | ------------------------------------------------------- |
| **Endpoint**       | `POST /oauth/token`                                     |
| **Base URL**       | `https://api.vanta.com`  ·  `https://api.vanta-gov.com` |
| **Content-Type**   | `application/json`                                      |
| **Token lifetime** | 1 hour                                                  |
| **Rate limit**     | 5 requests / minute, shared across all APIs             |

See your API's overview for the exact request body, code samples, and response shape:

| API                              | Grant type           | Auth section                                                            |
| -------------------------------- | -------------------- | ----------------------------------------------------------------------- |
| **Manage Vanta**                 | `client_credentials` | [Authentication](/reference/manage-vanta/overview#authentication)       |
| **Build Integrations** (Private) | `client_credentials` | [Authentication](/reference/build-integrations/overview#authentication) |
| **Build Integrations** (Public)  | `authorization_code` | [Authentication](/reference/build-integrations/overview#authentication) |
| **Auditor API**                  | `client_credentials` | [Authentication](/reference/audits/overview#authentication)             |

<Info>
  **One active token per Application.** Requesting a new token with the same `client_id` / `client_secret` immediately revokes the previous one — any in-flight requests using the old token will fail with `401`. For `authorization_code` apps, this applies *per `source_id`* (per customer authorization), not globally.
</Info>

For the underlying model — grant-type tradeoffs, refresh-token rotation semantics, and the rest of the foot-guns — see [Authentication concepts](/docs/concepts/authentication).
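The token rules above (1-hour lifetime, 5 token requests per minute, and a new token revoking the previous one) mean every worker in an Application should share one cached token rather than request its own. The sketch below is an added example, not code from Vanta's documentation or SDKs: `fetch_token` is a hypothetical callable you supply that performs `POST /oauth/token` with the request body from your API's overview and returns `(access_token, expires_in_seconds)`, and the class and exception names are illustrative.

```python
import threading
import time
from collections import deque

TOKEN_LIFETIME_S = 3600   # from the page: tokens last 1 hour
TOKEN_CALLS_PER_MIN = 5   # from the page: 5 requests / minute on POST /oauth/token


class TokenRateLimited(Exception):
    """Raised instead of sending a token request that would exceed the limit."""


class TokenCache:
    """Share one access token across all threads of one Application."""

    def __init__(self, fetch_token, clock=time.monotonic, refresh_margin_s=60):
        self._fetch = fetch_token        # hypothetical: () -> (token, expires_in_s)
        self._clock = clock
        self._margin = refresh_margin_s  # refresh shortly before expiry
        self._lock = threading.Lock()
        self._token = None
        self._expires_at = 0.0
        self._calls = deque()            # timestamps of recent token requests

    def get(self):
        with self._lock:                 # single-flight: only one thread refreshes
            now = self._clock()
            if self._token and now < self._expires_at - self._margin:
                return self._token
            return self._refresh(now)

    def _refresh(self, now):
        while self._calls and now - self._calls[0] >= 60:
            self._calls.popleft()        # forget requests older than one minute
        if len(self._calls) >= TOKEN_CALLS_PER_MIN:
            raise TokenRateLimited("token endpoint budget used; retry later")
        self._calls.append(now)
        token, expires_in = self._fetch()  # this call revokes the previous token
        self._token = token
        self._expires_at = now + min(expires_in, TOKEN_LIFETIME_S)
        return token

    def invalidate(self, rejected_token):
        """Call after a 401; drops the cache only if it still holds that token."""
        with self._lock:
            if self._token == rejected_token:
                self._token = None
```

The compare in `invalidate` keeps a burst of `401` responses for an already-replaced token from triggering a chain of refreshes that revoke each other. The lock only coordinates threads in one process; separate processes or hosts using the same `client_id` need a shared token store to get the same guarantee.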

## Scopes

Each API exposes its own set of scopes. Requesting a scope that doesn't match your application type returns an `invalid_scope` error.

See the scope tables in each API's overview:

* [Manage Vanta scopes](/reference/manage-vanta/overview#scopes)
* [Build Integrations scopes](/reference/build-integrations/overview#scopes)
* [Auditor API scopes](/reference/audits/overview#scopes)

## Versioning

The Vanta API does not officially support versioning. All requests target a single, unversioned API surface — `https://api.vanta.com` for standard Vanta tenants, and `https://api.vanta-gov.com` for Vanta Government Cloud tenants.

Vanta does not introduce breaking changes to existing endpoints — that includes removing or renaming fields, changing field types, altering the meaning of existing values, or adding new required parameters. All API changes are strictly additive: new endpoints, new optional parameters, and new response fields.

Clients should be written to tolerate the addition of new fields. Any deprecations will be announced in advance via the [Changelog](/docs/changelog).

## Error codes

The API uses standard HTTP status codes to signal success or failure. Error responses include a JSON body with a `message` field describing the problem.

| Code          | Meaning                                             |
| ------------- | --------------------------------------------------- |
| `200` / `201` | Success                                             |
| `400`         | Bad request — malformed params or wrong types       |
| `401`         | Unauthorized — missing or invalid auth header       |
| `403`         | Forbidden — authenticated but not allowed           |
| `404`         | Not found — resource or endpoint doesn't exist      |
| `422`         | Unprocessable entity — semantically invalid request |
| `429`         | Too many requests — rate limit exceeded             |
| `500`         | Internal server error                               |
| `503`         | Service unavailable                                 |
| `504`         | Gateway timeout                                     |

Per-API rate limits and pagination shapes are documented in each API's overview:

* Manage Vanta: [rate limits](/reference/manage-vanta/overview#rate-limits) · [pagination](/reference/manage-vanta/overview#pagination)
* Build Integrations: [rate limits](/reference/build-integrations/overview#rate-limits) · [pagination](/reference/build-integrations/overview#pagination)
* Auditor API: [rate limits](/reference/audits/overview#rate-limits) · [pagination](/reference/audits/overview#pagination)

## OpenAPI specifications

Download the OpenAPI 3.0 spec for each API to generate clients, import into your favorite tool, or browse the schema offline.

<CardGroup cols={3}>
  <a href="/reference/manage-vanta.json" download>
    <Card title="Manage Vanta" icon="download">
      OpenAPI spec for the Manage Vanta API.
    </Card>
  </a>

  <a href="/reference/build-integrations.json" download>
    <Card title="Build Integrations" icon="download">
      OpenAPI spec for the Build Integrations API.
    </Card>
  </a>

  <a href="/reference/auditor-api.json" download>
    <Card title="Auditor API" icon="download">
      OpenAPI spec for the Auditor API.
    </Card>
  </a>
</CardGroup>

## Tools and SDKs

<CardGroup cols={2}>
  <Card title="Postman Collection" icon="paper-plane" href="/docs/postman-setup">
    Import the collection to explore endpoints quickly.
  </Card>

  <Card title="MCP Server" icon="robot" href="/docs/vanta-mcp">
    Connect AI assistants to the Vanta API via Model Context Protocol.
  </Card>

  <Card title="SDKs" icon="cube" href="/docs/sdks">
    Official client libraries for the Vanta API.
  </Card>

  <Card title="Webhooks" icon="bell" href="/docs/webhooks">
    Subscribe to events and receive real-time updates.
  </Card>
</CardGroup>
