The Comp AI API lets engineering, security, and compliance teams connect their internal systems to the compliance workflows they run in Comp AI. Use it to automate evidence collection, manage policies, coordinate compliance tasks, answer security questionnaires, configure Trust Center access, track risks and vendors, and keep SOC 2, ISO 27001, HIPAA, GDPR, and custom framework programs connected to the systems where work actually happens.

Authentication

Most organization automation uses the X-API-Key header. Create scoped API keys inside your Comp AI organization, keep them server-side, and grant only the permissions needed for the workflow you are building.

curl --request GET \
  --url "https://api.trycomp.ai/v1/organization" \
  --header "X-API-Key: $COMP_AI_API_KEY"

The reference covers Comp AI’s product APIs across compliance operations, not just a single workflow. API-key-backed endpoints are the integration contract for organization automation, while app session routes are kept out of the public reference.
  • Trust Access management, public Trust Center data, evidence, policies, questionnaires, vendors, risks, integrations, cloud checks, and device compliance are API-backed workflows.
  • Device Agent endpoints are used by signed-in employee devices.
  • Webhook endpoints are intentionally omitted from the public reference unless they are useful for implementers.
  • Internal, platform-admin, health, assistant, and browser automation routes are excluded from Mintlify docs.
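
The following is an added example, not code from Comp AI, of the server-side key handling described above: it passes the X-API-Key header to curl through a config read from stdin, so the key does not appear in the process argument list the way it does with `--header` on the command line. The function names, the allowed key character set, and the `/v1/` path check are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: server-side helper for X-API-Key requests (not Comp AI's code).
COMP_AI_BASE_URL="https://api.trycomp.ai"

# Print a curl config for one GET request. The key only ever travels over a
# pipe to curl, so it is not visible in argv or `ps` output.
comp_ai_curl_config() {
    path="$1"
    if [ -z "${COMP_AI_API_KEY:-}" ]; then
        echo "COMP_AI_API_KEY is not set" >&2
        return 1
    fi
    # Assumption: keys use only these characters. Rejecting quotes, backslashes,
    # whitespace and newlines blocks header and config-line injection.
    case "$COMP_AI_API_KEY" in
        *[!A-Za-z0-9._~+/=_-]*)
            echo "COMP_AI_API_KEY contains unexpected characters" >&2
            return 1 ;;
    esac
    # Only allow plain paths under /v1/ (the prefix used by the page's example).
    case "$path" in
        *[!A-Za-z0-9/._-]*) echo "unsafe characters in path" >&2; return 1 ;;
        /v1/*) ;;
        *) echo "path must start with /v1/" >&2; return 1 ;;
    esac
    printf 'url = "%s%s"\n' "$COMP_AI_BASE_URL" "$path"
    printf 'header = "X-API-Key: %s"\n' "$COMP_AI_API_KEY"
    printf 'proto = "=https"\n'          # refuse any non-HTTPS transfer
    printf 'fail\nsilent\nshow-error\n'  # non-2xx becomes a non-zero exit code
}

# Perform the request. printf is a shell builtin, so the config (and the key)
# is written straight into the pipe rather than passed as a process argument.
comp_ai_get() {
    cfg=$(comp_ai_curl_config "$1") || return 1
    printf '%s\n' "$cfg" | curl --config -
}
```

With the key exported by the server's secret store or service environment, `comp_ai_get /v1/organization` performs the same request as the curl command above.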

API Surface

| Area | What you can automate |
| --- | --- |
| Evidence and tasks | List compliance tasks, upload evidence, export audit-ready evidence bundles, and create recurring evidence automations. |
| Policies and knowledge base | Create, version, publish, export, and improve policies while keeping approved source material available for AI-assisted workflows. |
| Security questionnaires | Upload questionnaires, extract questions, generate answers from approved evidence, review edits, and export completed files. |
| Trust Center and Trust Access | Manage access requests, NDA signing, grants, document downloads, certificates, FAQs, custom links, and public overview content. |
| Frameworks and controls | Track framework readiness, map controls to policies, tasks, requirements, and evidence expectations. |
| Integrations and cloud checks | Connect providers, run compliance checks, trigger AWS, Azure, and GCP scans, and review cloud security findings. |
| People, devices, and training | Track workforce members, device compliance, training completions, and endpoint evidence for people-security controls. |
| Vendors, risks, and findings | Manage third-party risk, organizational risks, audit findings, remediation status, and supporting evidence. |
| Penetration tests | Create security assessment runs, track progress, inspect findings, and download report artifacts. |

Common Workflows

Automated evidence

Connect tasks to recurring evidence collection so audit proof stays current.

Security questionnaire API

Upload questionnaires, generate approved answers, and export reviewer-ready files.

Policy workflows

Draft, version, publish, and export policies that support audits and customer reviews.

Trust Access

Approve external reviewers, collect NDAs, and share controlled Trust Center resources.

Integrations

Connect SaaS, cloud, and security tools that provide continuous compliance evidence.

Cloud tests

Run AWS, Azure, and GCP security checks and turn findings into remediation work.

Device compliance

Register endpoints and submit device security check-ins for workforce controls.

Penetration tests

Start security assessment runs and download report deliverables for review.

Generated Reference Quality

The endpoint reference is generated from the NestJS OpenAPI specification used by the Comp AI API. Endpoint titles, descriptions, examples, visibility rules, and Mintlify metadata are maintained in the API source so generated pages stay aligned with product behavior as routes change. Public customer-facing endpoints are documented. Internal operations, admin tooling, health checks, webhooks that are not useful for implementers, and routes that would expose private implementation details are intentionally excluded or hidden.

Implementation Guidance

Start with the workflow you want to automate, then create a scoped API key for that workflow. For most teams, the first high-value integrations are:
  1. Syncing evidence and task status into internal compliance reporting.
  2. Uploading source documents to improve questionnaire and policy workflows.
  3. Connecting Trust Center access approvals to CRM or customer-security processes.
  4. Exporting evidence, policies, or questionnaire results for auditor and customer reviews.
Use production API calls against https://api.trycomp.ai and avoid storing API keys in client-side code.