Introduction
Welcome to the Chequr API. This guide covers everything you need to integrate with our platform — from authenticating requests to listening for real-time compliance events. Our API is REST over HTTPS, returns JSON encoded as UTF-8, and follows predictable resource-oriented URLs.
Base URL
https://api.chequr.com/v1
Response Format
application/json · UTF-8
Every request is traced end-to-end with an X-Request-Id response header. Include it when reaching out to support so we can pinpoint the exact call in our logs.
curl https://api.chequr.com/v1/controls \
-H "Authorization: Bearer $CHEQUR_TOKEN"Authentication
All requests require a Bearer token in the Authorization header. Tokens are scoped to a single workspace and can be issued with read, write, or admin privileges.
Creating an API key
- Open Settings → Developer → API Keys in the Chequr dashboard.
- Click New key, name it, and choose a scope.
- Copy the token — we only display it once. Store it in your secrets manager.
Rotating & revoking keys
Any key can be rotated from the dashboard; the previous value continues to work for 24 hours to give you a grace window. Revoking a key invalidates it instantly. We strongly recommend rotating production keys every 90 days.
Never commit API keys to source control. Chequr monitors public GitHub for leaked tokens and will auto-revoke any it detects within minutes.
curl https://api.chequr.com/v1/controls \
-H "Authorization: Bearer $CHEQUR_TOKEN"Rate Limits
Production tokens are limited to 100 requests per second per API key. Sandbox tokens are capped at 10 requests per second. Bursts up to 2× the limit are absorbed via a token bucket.
Response headers
X-RateLimit-LimitMaximum requests allowed in the current window.X-RateLimit-RemainingRequests left before you are throttled.X-RateLimit-ResetUnix epoch seconds until the window resets.Exceeding your limit returns 429 Too Many Requests with a Retry-After header. We recommend exponential backoff with full jitter.
Errors
Chequr uses conventional HTTP status codes to signal the outcome of a request. Every non-2xx response carries a machine-readable error body with code, message, and an optional detail object with field-level hints.
| Status | Name | When it happens |
|---|---|---|
| 400 | Bad Request | Malformed JSON or missing required field. |
| 401 | Unauthorized | Missing or invalid Bearer token. |
| 403 | Forbidden | Token is valid but lacks scope for this action. |
| 404 | Not Found | The requested resource does not exist. |
| 409 | Conflict | Duplicate resource or idempotency key clash. |
| 422 | Unprocessable Entity | Request validated against the schema but failed business rules. |
| 429 | Too Many Requests | Rate limit exceeded. Retry after the interval in `Retry-After`. |
| 500 | Server Error | Unexpected failure on our end. Please retry with backoff. |
| 503 | Service Unavailable | A dependent upstream is degraded. Safe to retry. |
{
"code": "validation_error",
"message": "Field \"control_id\" is required.",
"detail": {
"field": "control_id",
"hint": "Pass a control ID like ctrl_ac_02."
}
}Endpoints
The core surface of the Chequr API. All endpoints accept and return JSON, are cursor-paginated where applicable, and support idempotency keys via the Idempotency-Key header.
/v1/evidenceSubmit evidence
Push a new piece of evidence to a control. Evidence is automatically evaluated against the control's test policy and produces a pass / fail / review signal.
Body parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| control_id | string | Required | ID of the control this evidence maps to. |
| source | string | Required | Origin system (e.g. `aws`, `okta`, `github`, `manual`). |
| collected_at | string | Required | ISO-8601 timestamp of when the evidence was captured. |
| payload | object | Required | Arbitrary JSON object containing the raw evidence body. Must be ≤ 1 MB. |
curl -X POST https://api.chequr.com/v1/evidence \
-H "Authorization: Bearer $CHEQUR_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"control_id": "ctrl_ac_02",
"source": "aws",
"collected_at": "2026-04-15T09:14:22Z",
"payload": {
"bucket": "chequr-audit-logs",
"encryption": "AES256",
"public_access_blocked": true
}
}'{
"id": "ev_01HX9K2ZP7N4YQ8R5T3V",
"status": "accepted",
"created_at": "2026-04-15T09:14:23Z"
}/v1/controlsList controls
Returns a cursor-paginated list of every control in your workspace. Filter by framework or control status to scope the result set.
Query parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| framework | string | Optional | `soc2`, `iso_27001`, `hipaa`, `pci_dss`, `gdpr`, `nist_csf`. |
| status | string | Optional | `passing`, `failing`, `drifted`, `not_tested`. |
| limit | integer | Optional | Page size, 1–100. Defaults to 25. |
| cursor | string | Optional | Opaque pagination cursor from a prior response. |
curl https://api.chequr.com/v1/controls?framework=soc2&status=passing \
-H "Authorization: Bearer $CHEQUR_TOKEN"{
"data": [
{
"id": "ctrl_ac_02",
"framework": "soc2",
"code": "CC6.1",
"name": "Logical access restriction",
"status": "passing",
"last_tested_at": "2026-04-14T22:03:11Z"
},
{
"id": "ctrl_cm_04",
"framework": "soc2",
"code": "CC7.1",
"name": "Change management review",
"status": "passing",
"last_tested_at": "2026-04-14T21:58:02Z"
}
],
"next_cursor": "eyJvZmZzZXQiOjI1fQ=="
}/v1/controls/:idRetrieve a control
Fetch a single control with its full test policy, ownership, and the last 50 evidence items attached to it.
Path parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| id | string | Required | The unique identifier of the control (e.g. `ctrl_ac_02`). |
curl https://api.chequr.com/v1/controls/ctrl_ac_02 \
-H "Authorization: Bearer $CHEQUR_TOKEN"{
"id": "ctrl_ac_02",
"framework": "soc2",
"code": "CC6.1",
"name": "Logical access restriction",
"owner": { "id": "usr_42", "name": "Priya Desai" },
"status": "passing",
"test_policy": {
"cadence": "daily",
"evaluator": "aws_s3_bucket_encryption"
},
"evidence": [
{
"id": "ev_01HX9K2ZP7N4YQ8R5T3V",
"source": "aws",
"status": "pass",
"collected_at": "2026-04-15T09:14:22Z"
}
]
}/v1/webhooksRegister a webhook
Subscribe to compliance events. Chequr will POST signed JSON payloads to the URL you provide whenever the selected events fire.
Body parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| url | string | Required | HTTPS endpoint that will receive event payloads. |
| events | array | Required | One or more of: `evidence.collected`, `control.drifted`, `audit.readiness_changed`, `risk.scored`, `vendor.posture_changed`. |
| secret | string | Required | Shared secret used to sign each event with HMAC-SHA-256. Minimum 32 characters. |
curl -X POST https://api.chequr.com/v1/webhooks \
-H "Authorization: Bearer $CHEQUR_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"url": "https://hooks.acme.io/chequr",
"events": ["control.drifted", "audit.readiness_changed"],
"secret": "whsec_9f2a7c6b1e4d8f0a3b5c7e9d1f2a4b6c"
}'{
"id": "wh_01HX9M7R2T8YV4K6N3P5Q9",
"url": "https://hooks.acme.io/chequr",
"events": ["control.drifted", "audit.readiness_changed"],
"created_at": "2026-04-15T09:16:04Z"
}/v1/audit-logQuery audit log
Returns a paginated, immutable stream of every action taken in your workspace — useful for forensic review and third-party audit exports.
Query parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| from | string | Optional | ISO-8601 lower bound. Defaults to 7 days ago. |
| to | string | Optional | ISO-8601 upper bound. Defaults to now. |
| actor | string | Optional | Filter by user ID or API key ID. |
| limit | integer | Optional | Page size, 1–250. Defaults to 100. |
curl "https://api.chequr.com/v1/audit-log?from=2026-04-01T00:00:00Z&limit=2" \
-H "Authorization: Bearer $CHEQUR_TOKEN"{
"data": [
{
"id": "al_01HX9M8S3V1WJ5L7M2N",
"actor": { "type": "user", "id": "usr_42", "name": "Priya Desai" },
"action": "control.policy_updated",
"target": "ctrl_ac_02",
"at": "2026-04-15T09:10:11Z"
},
{
"id": "al_01HX9M9T4W2XK6M8N3P",
"actor": { "type": "api_key", "id": "key_live_9f2a" },
"action": "evidence.submitted",
"target": "ev_01HX9K2ZP7N4YQ8R5T3V",
"at": "2026-04-15T09:14:23Z"
}
],
"next_cursor": null
}Webhooks
Receive real-time events when compliance state changes. Chequr delivers events at-least-once with exponential backoff for up to 24 hours. Use the signature header to verify authenticity before trusting a payload.
Event types
evidence.collectedA new evidence item was submitted.
control.driftedA previously passing control has regressed.
audit.readiness_changedYour audit-readiness score shifted.
risk.scoredA risk register item was re-scored.
vendor.posture_changedA vendor's security posture changed.
Signature verification
Every webhook carries an X-Chequr-Signature header of the form t=TIMESTAMP,v1=HMAC_SHA256. Recompute HMAC-SHA-256 over ${TIMESTAMP}.${RAW_BODY} using your webhook secret and compare with a constant-time equality check. Reject events older than 5 minutes to prevent replay.
{
"id": "evt_01HX9M8S3V1WJ5L7M2N",
"type": "control.drifted",
"created_at": "2026-04-15T09:20:11Z",
"data": {
"control_id": "ctrl_ac_02",
"previous_status": "passing",
"current_status": "drifted",
"detected_at": "2026-04-15T09:19:58Z"
}
}SDKs & Libraries
First-party SDKs wrap the REST API with typed clients, automatic retries, streaming pagination, and built-in webhook signature verification.
Changelog
API versions ship roughly every other month. Breaking changes are reserved for major versions and always carry a 12-month deprecation window.
v1.4
· Apr 2026- Added `GET /v1/audit-log` for forensic audit exports.
- Webhook signatures now include a replay-protection timestamp.
- `evidence.collected` payloads now embed control test results inline.
v1.3
· Feb 2026- New `vendor.posture_changed` event.
- Cursor-based pagination across all list endpoints.
- Deprecated `offset` / `page` parameters (removal in v2).
v1.2
· Dec 2025- Idempotency keys on all `POST` endpoints.
- Added NIST CSF 2.0 framework identifiers.
- Improved rate-limit headers with fractional-second resolution.