Skip to main content
For AI agents: a documentation index is available at https://docs.coverbase.com/llms.txt — this page is also available in markdown by appending .md to the URL.
This page describes how Coverbase integrates with the systems your organization already runs and how those integrations behave end to end. It’s intended for security, integration, and procurement teams evaluating Coverbase as part of a broader third-party risk and vendor lifecycle stack. The integration model is built around three layers: inbound API calls that bring data and commands into Coverbase, a workflow engine that orchestrates the work, and outbound webhooks that notify your downstream systems as work progresses.

Architecture

Inbound

External systems push data and commands into Coverbase. Procurement platforms create vendors, intake forms submit questionnaires, CMDBs sync service catalogs, and GRC tools start assessments. Each is a standard authenticated API call.

Orchestration

Once data lands, the workflow engine takes over. Triggers fire on object events, schedules, or external invocation. Conditions branch the flow. Actions execute the work: send a questionnaire, request evidence, run Copilot, wait for human review.

Outbound

As workflows progress, Coverbase fires webhooks to endpoints you control. Webhooks carry the event type and the affected object, so ServiceNow, Jira, Slack, Ariba, Icertis, or your data warehouse can react in real time.
External Systems          Coverbase              External Systems
─────────────────         ─────────────          ─────────────────
Ariba             ──▶     Inbound API     ──▶    ServiceNow
Jira                      Workflow Engine        Jira
CMDB                      Object Store           Slack
GRC tooling                                      Icertis
                                                 Data warehouse
The orchestration layer is configured once during onboarding. After that, both the configuration and every running workflow instance are reachable through the API. You can interrupt, modify, or replace any step at any time, through either the dashboard or the API.

Public API surface

The public resource API covers these operations:
ResourceOperations
VendorCreate, get, update (POST/GET/PATCH /v1/vendors)
ServiceCreate + update under a vendor (POST/PATCH /v1/vendors/{id}/services)
UserProvision (create-or-get), list / look up by email, get, update role / deprovision (POST/GET/PATCH /v1/users)
AssessmentCreate, get (POST/GET /v1/assessments)
FindingList, create, get, status-sync (/v1/findings)
ObligationList, create, get, status-sync (/v1/obligations)
WorkflowRun, get run with steps (POST /v1/workflows/{name}/run, GET /v1/workflows/runs/{id})
WebhookCreate, list, update, delete, test (/v1/webhooks)
Bulk vendor/assessment loading is also available through the separate Import API. Control sets, statuses, tags, and scale levels are referenced by ID in these requests/responses; configure them in the dashboard.
The public API uses plural route names (/v1/vendors, /v1/assessments). Internal dashboard routes use singular nouns and are not part of the supported public surface.

Where to go next

Workflow engine

Triggers, conditions, and actions. How orchestration logic is composed.

Triggering workflows from external systems

Three patterns for starting work in Coverbase from outside the UI.

Webhooks

Register endpoints, subscribe to event types, verify signatures, handle retries.

End-to-end workflows

Full lifecycle walkthroughs for onboarding, monitoring, and offboarding.