API reference

All 15 V1 rails at api.regunav.com/v1/<rail>. JSON over HTTPS. Bearer-token auth. OpenAPI 3.1 spec on request — contact support@regunav.com.

Overview

Base URL: https://api.regunav.com
Versioning: /v1/* (current)
Content-Type: application/json; charset=utf-8
Tenant scoping: header X-IOF-Tenant: <tenant-id>

Authentication

All requests require a bearer token in the Authorization header. Tokens are scoped to a single tenant and follow the rn_<env>_<random> format.

Authorization: Bearer rn_live_a1b2c3d4e5f6...
X-IOF-Tenant: acme-corp

Token environments: rn_live_* (production), rn_test_* (sandbox), rn_dev_* (development). Generate tokens at app.regunav.com/settings/api-keys.

Pagination

List endpoints return { data: [...], cursor: string | null }. Pass ?cursor=... to request the next page. The default page size is 50 and the maximum is 200.

GET /v1/compliance/obligations?limit=100&cursor=eyJpZCI6Ik9CLTAxMDAifQ

Rate limits

| Plan | Per second | Per month |
| --- | --- | --- |
| Sandbox | 5 | 10,000 |
| Starter | 20 | 50,000 |
| Growth | 100 | 250,000 |
| Scale | 500 | 1,000,000 |
| Enterprise | Custom | Custom |

Every response includes X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset headers.

Errors

Errors are JSON objects with an error code, a message, and an optional details[] array. Every error response includes a correlation_id for support.

{
  "error": "validation_failed",
  "message": "systemId is required",
  "details": [{ "field": "systemId", "issue": "missing" }],
  "correlation_id": "01HKQ3RMBTW8XF...",
  "documentation_url": "https://docs.regunav.com/api/errors#validation_failed"
}

| Status | Code | Description |
| --- | --- | --- |
| 400 | bad_request | Malformed request body or query |
| 401 | unauthorized | Missing or invalid bearer token |
| 403 | forbidden | Authenticated but lacking required permission (Cerbos denial) |
| 404 | not_found | Resource does not exist or is not visible to caller |
| 409 | conflict | Resource state conflict (e.g., duplicate ID) |
| 422 | validation_failed | Schema validation failed; see details[] |
| 429 | rate_limited | Plan rate limit exceeded; check X-RateLimit headers |
| 500 | internal_error | Server error; correlation_id in response |
| 503 | service_unavailable | Upstream service degraded; retry with backoff |

Idempotency

All POST endpoints accept an Idempotency-Key header. Identical keys within 24h return the original response without re-executing.
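
The pagination, rate-limit, error and idempotency rules above combined in one client helper, as an added example rather than SDK code. The send transport is a hypothetical callable, and reading X-RateLimit-Reset as seconds until reset is an assumption this page does not confirm.

```python
import time
import uuid
from urllib.parse import quote


def call_with_retry(send, method, path, body=None, attempts=4, sleep=time.sleep):
    """Send one request, retrying 429 and 503 responses.
    send(method, path, headers, body) is a hypothetical caller-supplied
    transport that returns (status, response_headers, json_body).
    """
    headers = {}
    if method == "POST":
        # One key per logical operation, reused on every retry, so a retry
        # after a lost response does not execute the POST a second time.
        headers["Idempotency-Key"] = str(uuid.uuid4())
    for attempt in range(attempts):
        status, resp_headers, payload = send(method, path, headers, body)
        if status < 400:
            return payload
        if status == 429:
            # Assumption: X-RateLimit-Reset is seconds until the window
            # resets; capped so a different unit cannot stall the caller.
            delay = min(float(resp_headers.get("X-RateLimit-Reset", 1)), 60.0)
        elif status == 503:
            delay = float(min(2 ** attempt, 30))  # capped exponential backoff
        else:
            # Surface correlation_id: support needs it to trace the call.
            cid = payload.get("correlation_id")
            raise RuntimeError(f"{payload.get('error')} correlation_id={cid}")
        sleep(delay)
    raise RuntimeError(f"gave up on {path} after {attempts} attempts")


def list_all(send, path, limit=200, sleep=time.sleep):
    """Collect every item of a list endpoint by following its cursor."""
    limit = max(1, min(limit, 200))  # 200 is the documented maximum
    items, cursor, seen = [], None, set()
    while True:
        query = f"{path}?limit={limit}"
        if cursor is not None:
            query += "&cursor=" + quote(cursor, safe="")
        page = call_with_retry(send, "GET", query, sleep=sleep)
        items.extend(page["data"])
        cursor = page["cursor"]
        if cursor is None:
            return items
        if cursor in seen:  # a repeated cursor would loop forever
            raise RuntimeError("cursor repeated; aborting pagination")
        seen.add(cursor)
```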

Rails (15)

Each rail is a separately versioned resource group. Below is the canonical list with sample endpoints and request/response shapes.

Compliance

/v1/compliance (6 endpoints)

Frameworks, assessments, obligations, evidence, attestations.

Endpoints
GET /v1/compliance/frameworks
GET /v1/compliance/assessments
POST /v1/compliance/assessments
GET /v1/compliance/obligations
POST /v1/compliance/evidence
POST /v1/compliance/attestations

Sample request
curl -X POST https://api.regunav.com/v1/compliance/assessments \
  -H "Authorization: Bearer rn_live_..." \
  -H "Content-Type: application/json" \
  -d '{ "type": "FRIA", "systemId": "AIS-001", "jurisdiction": "EU/DE" }'

Sample response
{ "id": "FRIA-2026-014", "status": "draft", "completion": 0, "stages": [...] }

Frameworks

/v1/frameworks (6 endpoints)

Framework dictionaries, clauses, controls, questions, activation.

Endpoints
GET /v1/frameworks
GET /v1/frameworks/:id
GET /v1/frameworks/:id/clauses
GET /v1/frameworks/:id/controls
GET /v1/frameworks/:id/questions
POST /v1/frameworks/:id/activate

Sample request
curl https://api.regunav.com/v1/frameworks/eu-ai-act/controls \
  -H "Authorization: Bearer rn_live_..."

Sample response
{ "data": [{ "id": "art-9", "title": "Risk management system", ... }], "cursor": null }

Graph (crosswalk)

/v1/graph (4 endpoints)

Cross-framework relations, blast radius, evidence reuse, onboarding savings.

Endpoints
GET /v1/graph/relations
POST /v1/graph/blast-radius
POST /v1/graph/evidence-reuse
GET /v1/graph/onboarding-savings

Sample request
curl -X POST https://api.regunav.com/v1/graph/blast-radius \
  -H "Authorization: Bearer rn_live_..." \
  -H "Content-Type: application/json" \
  -d '{ "control": "ISO 27001 A.5.18" }'

Sample response
{ "affectedFrameworks": ["SOC 2 CC6.2", "GDPR Art. 32"], "affectedSystems": 14 }

Reporting

/v1/reports (5 endpoints)

Generate, export, schedule reports. Audit packs and notified-body bundles.

Endpoints
POST /v1/reports/generate
GET /v1/reports/export/:id
POST /v1/reports/schedule
POST /v1/reports/audit-pack
POST /v1/reports/notified-body-pack

Sample request
curl -X POST https://api.regunav.com/v1/reports/generate \
  -H "Authorization: Bearer rn_live_..." \
  -H "Content-Type: application/json" \
  -d '{ "template": "fria-dossier", "systemId": "AIS-001" }'

Sample response
{ "id": "RPT-2026-042", "status": "rendering", "downloadUrl": null }

Agents

/v1/agents (8 endpoints)

8 deterministic agents: classifier, framework-mapper, evidence-compiler, fria, incident-reporter, training-curator, conformity-guide, gpai-docs.

Endpoints
POST /v1/agents/classifier
POST /v1/agents/framework-mapper
POST /v1/agents/evidence-compiler
POST /v1/agents/fria
POST /v1/agents/incident-reporter
POST /v1/agents/training-curator
POST /v1/agents/conformity-guide
POST /v1/agents/gpai-docs

Sample request
curl -X POST https://api.regunav.com/v1/agents/classifier \
  -H "Authorization: Bearer rn_live_..." \
  -H "Content-Type: application/json" \
  -d '{ "purpose": "Credit decisioning", "affectedPersons": ["natural-persons"] }'

Sample response
{ "riskLevel": "High", "rationale": "Annex III(5)(a)", "applicableClauses": ["Art. 9", "Art. 10", ...] }

Stakeholders

/v1/stakeholders (5 endpoints)

Users, roles, assignments, RACI matrices, approval chains.

Endpoints
GET /v1/stakeholders/users
GET /v1/stakeholders/roles
POST /v1/stakeholders/assignments
GET /v1/stakeholders/raci
GET /v1/stakeholders/approval-chains

Sample request
curl "https://api.regunav.com/v1/stakeholders/raci?systemId=AIS-001" \
  -H "Authorization: Bearer rn_live_..."

Sample response
[{ "control": "Art. 14", "responsible": "Maya R.", "accountable": "Board", ... }]

Self-audit

/v1/self-audit (4 endpoints)

Posture, drift detection, findings, remediations, evidence chain.

Endpoints
GET /v1/self-audit/posture
GET /v1/self-audit/drift
GET /v1/self-audit/findings
POST /v1/self-audit/remediations

Sample request
curl https://api.regunav.com/v1/self-audit/drift \
  -H "Authorization: Bearer rn_live_..."

Sample response
{ "data": [{ "control": "ISO 27001 A.5.18", "type": "baseline-divergence", ... }] }

Trust

/v1/trust (5 endpoints)

Public trust posture, certifications, sub-processors, status, security questionnaires.

Endpoints
GET /v1/trust/posture
GET /v1/trust/certifications
GET /v1/trust/sub-processors
GET /v1/trust/status
POST /v1/trust/questionnaires

Sample request
curl https://api.regunav.com/v1/trust/sub-processors

Sample response
[{ "name": "AWS", "purpose": "Compute", "region": "EU" }, ...]

Specialists

/v1/specialists (3 endpoints)

Partner firms, consultants, client engagements (Specialist tier only).

Endpoints
GET /v1/specialists/firms
GET /v1/specialists/consultants
GET /v1/specialists/client-engagements

Sample request
curl https://api.regunav.com/v1/specialists/client-engagements \
  -H "Authorization: Bearer rn_live_..."

Sample response
{ "data": [{ "tenant": "Acme Corp", "score": 82, "openFindings": 11 }] }

Seed

/v1/seed (4 endpoints)

Sandbox seeding for tenants, frameworks, evidence (Sandbox tier only).

Endpoints
POST /v1/seed/tenants
POST /v1/seed/frameworks
POST /v1/seed/evidence
POST /v1/seed/reset

Sample request
curl -X POST https://api.regunav.com/v1/seed/reset \
  -H "Authorization: Bearer rn_live_..."

Sample response
{ "status": "reset", "deletedRecords": 1247 }

Industry profiles

/v1/profiles (6 endpoints)

Pre-configured industry profiles: banking, finance, healthcare, manufacturing, SaaS, public sector.

Endpoints
GET /v1/profiles/banking
GET /v1/profiles/finance
GET /v1/profiles/healthcare
GET /v1/profiles/manufacturing
GET /v1/profiles/saas
GET /v1/profiles/public-sector

Sample request
curl https://api.regunav.com/v1/profiles/healthcare

Sample response
{ "frameworks": ["EU AI Act", "ISO 42001", "GDPR", "HIPAA"], "controlBaseline": ... }

Onboarding

/v1/onboarding (4 endpoints)

Onboarding plans, checklists, kickoff, milestone tracking.

Endpoints
POST /v1/onboarding/plan
GET /v1/onboarding/checklist
POST /v1/onboarding/kickoff
GET /v1/onboarding/milestones

Sample request
curl -X POST https://api.regunav.com/v1/onboarding/plan \
  -H "Authorization: Bearer rn_live_..." \
  -H "Content-Type: application/json" \
  -d '{ "profile": "healthcare" }'

Sample response
{ "phases": [{ "week": 1, "tasks": [...] }] }

Context

/v1/context (5 endpoints)

Document upload, classification, clause extraction, control mapping, gap analysis.

Endpoints
POST /v1/context/upload
POST /v1/context/classify
POST /v1/context/clause-extract
POST /v1/context/map
POST /v1/context/gap-analysis

Sample request
curl -X POST https://api.regunav.com/v1/context/gap-analysis \
  -H "Authorization: Bearer rn_live_..." \
  -H "Content-Type: application/json" \
  -d '{ "framework": "iso-27001" }'

Sample response
{ "gaps": [{ "control": "A.5.18", "missing": ["evidence", "owner"] }] }

Audit-trail

/v1/audit-trail (4 endpoints)

Cryptographically signed event log. Search, query, export, replay.

Endpoints
GET /v1/audit-trail/events
POST /v1/audit-trail/query
POST /v1/audit-trail/export
POST /v1/audit-trail/replay

Sample request
curl "https://api.regunav.com/v1/audit-trail/events?limit=50" \
  -H "Authorization: Bearer rn_live_..."

Sample response
{ "data": [{ "actor": "...", "action": "evidence.upload", "timestamp": "...", "signature": "..." }] }

Audit-engine

/v1/audit-engine (5 endpoints)

Schedule audits, run audit-engine, findings, sign-off, attestations.

Endpoints
GET /v1/audit-engine/schedules
POST /v1/audit-engine/run
GET /v1/audit-engine/findings
POST /v1/audit-engine/sign-off
POST /v1/audit-engine/attest

Sample request
curl -X POST https://api.regunav.com/v1/audit-engine/run \
  -H "Authorization: Bearer rn_live_..." \
  -H "Content-Type: application/json" \
  -d '{ "framework": "iso-27001", "scope": "annex-a" }'

Sample response
{ "runId": "AUD-2026-006", "status": "running", "estimatedCompletion": "2026-05-12T10:00:00Z" }

Webhooks

Subscribe to events at /api/webhooks. Events are HMAC-SHA256 signed with your tenant's webhook secret.
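
Receiver-side verification of the HMAC-SHA256 signature described above, as an added example that is not the project's own code. The header name, the hex encoding and signing over the raw request body are assumptions, since this page does not specify them; the secret and event are constructed.

```python
import hashlib
import hmac
import json

# Assumption: the signature arrives hex-encoded in a header. The page names
# neither the header nor the encoding, so this name is a placeholder.
SIGNATURE_HEADER = "X-Example-Signature"  # hypothetical header name


def sign(secret: bytes, raw_body: bytes) -> str:
    """HMAC-SHA256 over the exact bytes of the request body, hex-encoded."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, raw_body: bytes):
    """Return the parsed event if the signature checks out, else None.

    The MAC is checked over the raw bytes before any JSON parsing, so
    unauthenticated input never reaches the parser or business logic.
    """
    # HTTP header names are case-insensitive.
    lowered = {k.lower(): v for k, v in headers.items()}
    received = lowered.get(SIGNATURE_HEADER.lower(), "").strip().lower()
    expected = sign(secret, raw_body)
    # compare_digest runs in constant time, so response timing does not
    # reveal how many leading characters of a forged signature matched.
    if not hmac.compare_digest(received.encode(), expected.encode()):
        return None
    try:
        return json.loads(raw_body)
    except ValueError:
        return None


# Constructed sample data for the example; not captured from the service.
SECRET = b"constructed-webhook-secret"
BODY = b'{"type": "evidence.upload", "tenant": "acme-corp"}'
GOOD_HEADERS = {SIGNATURE_HEADER: sign(SECRET, BODY)}
```

Verify against the bytes exactly as received; re-serializing parsed JSON before computing the MAC changes whitespace and key order and makes valid deliveries fail.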

SDKs

Official SDKs available in TypeScript, Python, and Go. See /sdks.

Changelog

API changelog at /changelog. Breaking changes ship to /v2/* with a 12-month deprecation period for v1.