Platform REST API
Authenticate with a token and read or write your governance data over REST.
Platform REST API
The VerifyWise platform exposes a REST API for reading and writing your governance data: projects, risks, vendors, models, tasks, evidence, policies and more. Every endpoint lives under /api and authenticates with a bearer token you create in the app.
This article covers the basics that apply to every endpoint: the base URL, how to authenticate, the response shape and the current limits. For the full endpoint catalog, use the interactive API reference described below.
Base URL
All endpoints are mounted under the /api prefix. The host depends on where VerifyWise runs. For a local install the default is:
http://localhost:3000/apiOn a hosted deployment, replace the host with your own domain. Endpoint paths keep their casing exactly as defined. For example, project risks are served at /api/projectRisks, not /api/project-risks.
Interactive API reference
VerifyWise serves a live OpenAPI (Swagger) reference that lists every endpoint, its parameters and its response schema. Open it in a browser at:
http://localhost:3000/api/docsThe spec is OpenAPI 3.0. Use it as the source of truth for the full endpoint list; this article only covers the cross-cutting rules.
Authentication
Every request must carry a bearer token in the Authorization header.
Authorization: Bearer <your-token>You create tokens in the app under Settings → API keys. Only Admin users can create them, and an organization may hold up to 10 active tokens at a time. A token carries the role of the user who created it.
Create a token
Tokens can also be created through the API itself (Admin only). Send a name and an expiry in days:
curl -X POST "http://localhost:3000/api/tokens" \
-H "Authorization: Bearer <admin-token>" \
-H "Content-Type: application/json" \
-d '{"name":"ci-pipeline","expires_in_days":90}'List, revoke and delete tokens
| Method & path | Description |
|---|---|
| GET /api/tokens | List the organization’s tokens with status and last-used time. The token value itself is never returned. |
| POST /api/tokens | Create a token (Admin only). Returns the raw token once. |
| POST /api/tokens/:id/revoke | Revoke a token. It stops working immediately and is kept, marked revoked, for your records. |
| DELETE /api/tokens/:id | Permanently delete a token row. |
Response shape
Responses use a consistent envelope: a short message and a data field that holds the payload.
{
"message": "OK",
"data": {
"id": 1,
"name": "ci-pipeline",
"expires_at": "2027-06-18T00:00:00.000Z"
}
}Client errors (4xx) use the same envelope, with data carrying the detail:
{
"message": "Bad Request",
"data": "expires_in_days is required"
}Server errors (5xx) use an error field instead of data:
{
"message": "Internal Server Error",
"error": "..."
}Status codes
| Code | Meaning |
|---|---|
| 200 / 201 | Success. 201 is returned when a resource is created. |
| 400 | Bad request: missing or invalid input. |
| 401 | Missing, invalid, expired or revoked token. |
| 403 | Authenticated, but the token’s role is not allowed to perform this action. |
| 404 | Resource not found. |
| 500 | Server error. |
Limits to know about
Two things work differently from what you might expect. Both are easy to design around once you know about them.
Multi-tenancy
Every request is scoped to the organization of the token that made it. You only ever see and modify your own organization’s data; there is no cross-organization access through these endpoints.