API changelog
The running record of changes to the /api/v1/... surface. Read this page before upgrading an integration to take advantage of newly added endpoints, and watch it for deprecation notices.
How entries appear here
Every entry is dated and tagged with one of:
- Added — new endpoint, new field on an existing response, new query parameter, new webhook event, new scope. Additive changes are safe for existing integrations; they do not require code changes on your side.
- Changed (non-breaking) — a behavior change that does not alter request or response shape. Worth knowing about but does not require code changes.
- Deprecated — an endpoint or field is still supported but will be removed in a future revision. Entries name the replacement and the earliest version that will remove the deprecated surface.
- Removed — a previously deprecated surface has been removed. Only appears after a prior deprecated entry; never as a surprise.
We do not make breaking changes within v1. Breaking shape changes require a new major version (v2, etc.), at which point v1 continues to function under the deprecation policy described in Versioning.
This page is the canonical place to learn about v1 changes. New webhook events are also surfaced here (not only on the Webhooks page) so a single subscription point is enough.
Entries
v1.0 (initial release)
The initial release of the /api/v1/... surface. Adds:
Authentication
- POST /api/v1/auth/token (OAuth 2.0 client credentials, service-account tokens).
Governance reads
- GET /api/v1/governance/frameworks and detail
- GET /api/v1/governance/controls and detail
- GET /api/v1/governance/risks and detail
- GET /api/v1/governance/evidence/claims and detail
- GET /api/v1/governance/evidence/requirements and detail
- GET /api/v1/governance/assessments and detail
- GET /api/v1/governance/findings and detail
- GET /api/v1/governance/exceptions and detail
- GET /api/v1/governance/monitoring/definitions, runs, result items
- GET /api/v1/governance/indicators/definitions and measurements
- GET /api/v1/governance/submissions/requirements, packages, events
- GET /api/v1/governance/assets and detail
- GET /api/v1/governance/party-engagements, due-diligence reviews, right-to-audit records
- GET /api/v1/governance/change-management/... across the five record types
- GET /api/v1/governance/vulnerability-management/... across the three primary record types
Governance writes (targeted)
- POST /api/v1/governance/findings (create finding from external scanner)
- POST /api/v1/governance/evidence/claims (create evidence claim with attachment)
- POST /api/v1/governance/submissions/events (record submission package events)
All writes accept Idempotency-Key.
Webhooks
- finding.created
- finding.status_changed
- evidence.claim.created
- evidence.claim.expired
- submission.package.status_changed
- assessment.status_changed
Scopes
A read scope and (where applicable) write scope per resource family: governance.controls:read, governance.findings:read, governance.findings:write, etc. See Authentication → Scopes.
Future entries appear above the v1.0 entry, newest first.
How to consume this page
For integrations you maintain:
- Subscribe to release notifications through your account team or watch this page.
- Read every Deprecated entry when it appears; deprecation is the only path to eventual removal, and the entry tells you the replacement and the earliest removal date.
- Treat Added entries as opt-in. Your integration keeps working without them; adopt them when they let you simplify or replace a workaround.
For new integrations: build against the most recent set of capabilities; you do not need to learn historical entries.
Related
- REST API overview, the section index.
- Versioning, the deprecation policy and what makes a v2 versus a v1 revision.
- Webhooks, for the full webhook event reference.