API overview

Gamut exposes an HTTP API so you can integrate governance into the rest of your stack, automating inventory, assessments, evidence and reporting rather than doing everything by hand.

Note

API capabilities depend on your plan & entitlements and the role of the token’s owner. A token can only do what its owner could do in the interface.

Base URL

The API is served from your Gamut workspace under a versioned prefix:

https://run.gamutassure.com/api/compass/v1/

All endpoints sit beneath this prefix. The version segment (v1) lets the API evolve without breaking existing integrations.

Authentication

Programmatic access uses bearer tokens, named, revocable API tokens tied to a user. Pass the token in the Authorization header:

Authorization: Bearer <your-token>

See Authentication for creating, using and revoking tokens.

What you can do

The API works with the same governance objects described throughout these docs, AI systems, assessments, evidence, findings and more. Anything that is governed in the product can, subject to permissions, be integrated:

• Keep your AI inventory in sync with other systems.
• Drive or retrieve assessment data.
• Manage evidence and findings programmatically.
• Pull data for external reporting.

Conventions

The API follows consistent conventions for requests, responses and errors. See Conventions & errors.

Next

• Authentication: create and use bearer tokens.
• Conventions & errors: request and response shape.