> ## Documentation Index
> Fetch the complete documentation index at: https://www.trycomp.ai/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Compliance Automation API

> Use the Comp AI API to automate SOC 2 evidence, policies, Trust Access, security questionnaires, tasks, and compliance workflows.

The Comp AI API lets engineering, security, and compliance teams connect their internal systems to the compliance workflows they run in Comp AI.

Use it to automate evidence collection, manage policies, coordinate compliance tasks, answer security questionnaires, configure Trust Center access, track risks and vendors, and keep SOC 2, ISO 27001, HIPAA, GDPR, and custom framework programs connected to the systems where work actually happens.

> **Prefer to drive Comp AI from an AI assistant?** The same endpoints documented here are also available as tools in the [Comp AI MCP server](/mcp-server) — install it once in Claude Desktop, Cursor, ChatGPT, Codex, or any MCP-compatible client and ask in plain language.

## Authentication

Most organization automation uses the `X-API-Key` header. Create scoped API keys inside your Comp AI organization, keep them server-side, and grant only the permissions needed for the workflow you are building.

```bash theme={null}
curl --request GET \
  --url "https://api.trycomp.ai/v1/organization" \
  --header "X-API-Key: $COMP_AI_API_KEY"
```
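The curl call above is the whole contract: one header, one HTTPS endpoint. A small server-side wrapper is where teams usually enforce the rest of the guidance in this section, so here is one as an added example (not Comp AI's own SDK). It takes the base URL, the `X-API-Key` header, the `COMP_AI_API_KEY` environment variable and the `GET /v1/organization` endpoint from this page; everything else is assumed: that responses are JSON, and that a 401 or 403 means the key was rejected. The key values used in comments and tests are constructed placeholders.

```python
"""Server-side helper for calling the Comp AI API with a scoped key.

Added example, not Comp AI's own SDK. From the page: https://api.trycomp.ai,
the X-API-Key header, the COMP_AI_API_KEY environment variable and
GET /v1/organization. Assumed (not stated on the page): responses are JSON,
and 401/403 mean the key was rejected.
"""
import json
import os
import urllib.error
import urllib.request
from urllib.parse import urlsplit

BASE_URL = "https://api.trycomp.ai"
KEY_ENV = "COMP_AI_API_KEY"


def redact(api_key):
    """Log-safe rendering of a key: a short prefix, never the whole value."""
    if len(api_key) < 12:
        return "****"
    return api_key[:4] + "...****"


def build_request(path, api_key=None, base_url=BASE_URL):
    """Build a GET request that carries the key only in the X-API-Key header.

    The key is read from the server's environment unless passed explicitly,
    and the function refuses to send it over plain HTTP or inside the URL.
    """
    key = api_key if api_key is not None else os.environ.get(KEY_ENV, "")
    if not key:
        raise ValueError(f"{KEY_ENV} is not set; load the key from server-side config")
    if urlsplit(base_url).scheme != "https":
        raise ValueError("refusing to send an API key over a non-HTTPS URL")
    if key in path:
        raise ValueError("the API key belongs in the header, not the path or query string")
    url = base_url.rstrip("/") + "/" + path.lstrip("/")
    return urllib.request.Request(
        url,
        headers={"X-API-Key": key, "Accept": "application/json"},
        method="GET",
    )


def get_json(path, api_key=None, timeout=10):
    """Perform the request and parse the body; error messages never carry the key."""
    req = build_request(path, api_key)
    key = req.get_header("X-api-key")  # urllib stores header names capitalised
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code in (401, 403):
            # Surface the rejection without echoing the secret into logs.
            raise PermissionError(
                f"Comp AI rejected key {redact(key)} for {path}: HTTP {exc.code}"
            ) from None
        raise


if __name__ == "__main__":
    # Real call; needs COMP_AI_API_KEY in the environment of the server process.
    print(json.dumps(get_json("/v1/organization"), indent=2))
```

Run it from a backend job or service, never from a browser bundle or mobile app: the checks in `build_request` exist precisely because a key that reaches a client can be read out of the page, the URL bar, or a proxy log.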

The reference covers Comp AI's product APIs across compliance operations rather than a single workflow. API-key-backed endpoints are the integration contract for organization automation; routes that depend on an app session are kept out of the public reference.

* Trust Access management, public Trust Center data, evidence, policies, questionnaires, vendors, risks, integrations, cloud checks, and device compliance are API-backed workflows.
* Device Agent endpoints are used by signed-in employee devices.
* Webhook endpoints are omitted from the public reference unless they are useful to implementers.
* Internal, platform-admin, health, assistant, and browser automation routes are excluded from Mintlify docs.

## API Surface

| Area                          | What you can automate                                                                                                              |
| ----------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- |
| Evidence and tasks            | List compliance tasks, upload evidence, export audit-ready evidence bundles, and create recurring evidence automations.            |
| Policies and knowledge base   | Create, version, publish, export, and improve policies while keeping approved source material available for AI-assisted workflows. |
| Security questionnaires       | Upload questionnaires, extract questions, generate answers from approved evidence, review edits, and export completed files.       |
| Trust Center and Trust Access | Manage access requests, NDA signing, grants, document downloads, certificates, FAQs, custom links, and public overview content.    |
| Frameworks and controls       | Track framework readiness, map controls to policies, tasks, requirements, and evidence expectations.                               |
| Integrations and cloud checks | Connect providers, run compliance checks, trigger AWS, Azure, and GCP scans, and review cloud security findings.                   |
| People, devices, and training | Track workforce members, device compliance, training completions, and endpoint evidence for people-security controls.              |
| Vendors, risks, and findings  | Manage third-party risk, organizational risks, audit findings, remediation status, and supporting evidence.                        |
| Penetration tests             | Create security assessment runs, track progress, inspect findings, and download report artifacts.                                  |

## Common Workflows

<CardGroup cols={2}>
  <Card title="Automated evidence" icon="clipboard-check" href="/automated-evidence">
    Connect tasks to recurring evidence collection so audit proof stays current.
  </Card>

  <Card title="Security questionnaire API" icon="file-question" href="/api-reference/questionnaire/upload-a-questionnaire-file-and-auto-answer-with-export">
    Upload questionnaires, generate approved answers, and export reviewer-ready files.
  </Card>

  <Card title="Policy workflows" icon="file-text" href="/ai-policy-editor">
    Draft, version, publish, and export policies that support audits and customer reviews.
  </Card>

  <Card title="Trust Access" icon="shield-check" href="/trust-access">
    Approve external reviewers, collect NDAs, and share controlled Trust Center resources.
  </Card>

  <Card title="Integrations" icon="plug" href="/integrations">
    Connect SaaS, cloud, and security tools that provide continuous compliance evidence.
  </Card>

  <Card title="Cloud tests" icon="cloud" href="/cloud-tests">
    Run AWS, Azure, and GCP security checks and turn findings into remediation work.
  </Card>

  <Card title="Device compliance" icon="monitor-check" href="/device-agent">
    Register endpoints and submit device security check-ins for workforce controls.
  </Card>

  <Card title="Penetration tests" icon="radar" href="/penetration-tests">
    Start security assessment runs and download report deliverables for review.
  </Card>
</CardGroup>

## Generated Reference Quality

The endpoint reference is generated from the NestJS OpenAPI specification used by the Comp AI API. Endpoint titles, descriptions, examples, visibility rules, and Mintlify metadata are maintained in the API source so generated pages stay aligned with product behavior as routes change.

Public customer-facing endpoints are documented. Internal operations, admin tooling, health checks, webhooks that are not useful for implementers, and routes that would expose private implementation details are intentionally excluded or hidden.

## Implementation Guidance

Start with the workflow you want to automate, then create a scoped API key for that workflow. For most teams, the first high-value integrations are:

1. Syncing evidence and task status into internal compliance reporting.
2. Uploading source documents to improve questionnaire and policy workflows.
3. Connecting Trust Center access approvals to CRM or customer-security processes.
4. Exporting evidence, policies, or questionnaire results for auditor and customer reviews.

Send production API calls to `https://api.trycomp.ai`, and never embed API keys in client-side code.
