Workflow

Customer API access

How customer API access works, who can request keys, and where authenticated API documentation is available.

Owner: Platform Team
Last reviewed: 2026-05-31

Who can use the API

  • API access is available only on plans or add-ons that include the API entitlement.
  • Only Owner/Admin users can create or revoke API keys.
  • API keys are scoped to the organisation that created them.
  • Starter organisations cannot create API keys unless API access is explicitly enabled by plan or add-on.

Where to find the actual API docs

The public docs explain the API access model. The live endpoint list and OpenAPI JSON are available inside the authenticated dashboard at Dashboard > Developer API.

This separation keeps implementation details out of public pages while still giving entitled customers self-serve documentation.

Security model

API keys are shown once when created. OneComply stores only hashed key material and never returns plaintext keys from API responses.
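
The show-once, hash-only pattern described above can be sketched as follows. This is an added example, not OneComply's code: the "ak_<key_id>_<secret>" layout, the use of SHA-256, the KeyStore class and the in-memory dictionary are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed key layout (not OneComply's format): "ak_<key_id>_<secret>".
PREFIX = "ak"


class KeyStore:
    """In-memory stand-in for a database table of API keys."""

    def __init__(self):
        # key_id -> {"org": str, "digest": bytes, "revoked": bool}
        self._rows = {}

    @staticmethod
    def _digest(secret: str) -> bytes:
        # The secret is 256 bits of CSPRNG output, so a plain SHA-256 is
        # enough; a slow password hash is only needed for low-entropy input.
        return hashlib.sha256(secret.encode()).digest()

    def issue(self, org: str) -> str:
        """Create a key; the returned plaintext is never stored or shown again."""
        key_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        self._rows[key_id] = {"org": org, "digest": self._digest(secret), "revoked": False}
        return f"{PREFIX}_{key_id}_{secret}"

    def verify(self, presented: str):
        """Return the owning organisation, or None if the key is invalid or revoked."""
        parts = presented.split("_", 2)
        if len(parts) != 3 or parts[0] != PREFIX:
            return None
        row = self._rows.get(parts[1])
        if row is None or row["revoked"]:
            return None
        # Compare digests in constant time to avoid a timing side channel.
        if not hmac.compare_digest(row["digest"], self._digest(parts[2])):
            return None
        return row["org"]

    def revoke(self, key_id: str) -> None:
        self._rows[key_id]["revoked"] = True

    def list_keys(self, org: str):
        """What a listing response can contain: ids and status, never plaintext."""
        return [{"key_id": k, "revoked": r["revoked"]}
                for k, r in self._rows.items() if r["org"] == org]
```

Because each key has its own row, revoking one integration's key leaves every other key for the same organisation working.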

Supported customer API use cases

  • Read controls, evidence, vendors, incidents, and audit-relevant records where your plan permits.
  • Create operational records through documented endpoints where API access is enabled.
  • Use webhooks and incident intake for event-driven flows instead of polling where possible.
  • Use the dashboard for authority package generation and workflows that require human review.

Operational guidance

  • Create separate keys for separate systems so revocation is precise.
  • Rotate keys when an integration owner changes.
  • Do not embed keys in client-side code or public repositories.
  • Open a support ticket if you need endpoint coverage that is not listed in Dashboard > Developer API.