EquanimGRC exposes a JSON REST API over your workspace under /api/v1. It is the same authorization model the rest of the product runs on: every request is tenant-scoped and authorized server-side, and the API touches exactly the data the calling identity is allowed to. For agents, the Model Context Protocol interface sits over this same model and is usually the better fit; the REST API is for direct integrations.
Authentication
Requests carry a bearer token issued by your Authentik instance, which the API verifies as an OAuth 2.1 resource server before doing any work. There are also token-lifecycle endpoints —POST /api/v1/auth/login, /auth/refresh, and /auth/logout. See Authentication & SSO.
Resources
The current surface covers the core compliance objects:
GET /frameworks,GET /frameworks/:idand nested/controls— read the control library and a framework's controls.GET /policies— read policies and their detail.GET /evidence_items,POST /evidence_items, andGET /evidence_items/:id/download— read, submit, and retrieve evidence.GET/POST/PATCH /vendors— manage the vendor inventory./questionnaireswith nested/answers, plussubmit,progress, and bulk answer updates — drive questionnaire workflows./tasks— read, create, and update tasks, and comment on them.GET /reports/posture,/reports/gaps,/reports/audit_readiness— pull program state programmatically.
Conventions
Responses are JSON. Reads and writes are scoped to your tenant; an identity provisioned in one tenant never sees another's records (see Roles & data isolation). Evidence submitted through the API is attributed to the submitting identity — a person or a service principal — so API activity lands in the same audit trail as everything else.
Scope
The REST surface is deliberately scoped to the resources above and grows as integrations need it; it is not a full mirror of every screen in the product. If you are connecting an agent rather than a fixed integration, start with Connect via MCP andTools & scopes.