# Coverbase API > The Coverbase API is the programmatic surface for the Coverbase third-party risk and procurement platform. It lets you move vendor, assessment, and risk data between Coverbase and the systems your team already runs, and lets AI assistants act on your TPRM program through natural conversation. ## Docs - [API Keys API](https://docs.coverbase.com/api-reference/api-keys.md): Manage your organization's ak_* public-API keys: list, create, rotate, revoke, and grant admin scopes. - [Assessments API](https://docs.coverbase.com/api-reference/assessments.md): Create and retrieve assessments for vendors. - [Bill of Materials API](https://docs.coverbase.com/api-reference/bill-of-materials.md): Upload, version, and search machine-readable bills of materials (SBOM, AIBOM, HBOM, SaaSBOM) for vendors and services. - [Findings API](https://docs.coverbase.com/api-reference/findings.md): List, create, retrieve, and status-sync findings for GRC round-trips. - [Obligations API](https://docs.coverbase.com/api-reference/obligations.md): List, create, retrieve, and status-sync obligations (CUEC) for GRC round-trips. - [Radar API](https://docs.coverbase.com/api-reference/radar.md): Create radar events, and list, retrieve, and triage (dismiss) radar alerts. - [Reassessments API](https://docs.coverbase.com/api-reference/reassessments.md): Create reassessments from radar events, curate the vendor set, and run them. - [Users API](https://docs.coverbase.com/api-reference/users.md): Provision users, change org roles, and deprovision — for SailPoint / IGA-driven lifecycle. - [Vendors & Services API](https://docs.coverbase.com/api-reference/vendors.md): Create, retrieve, and update vendors, and create child services. - [Webhooks API](https://docs.coverbase.com/api-reference/webhooks.md): Register, list, update, delete, and test webhook subscriptions. - [Workflows API](https://docs.coverbase.com/api-reference/workflows.md): Invoke a named workflow and poll its run state. - [Changelog](https://docs.coverbase.com/changelog.md): Notable changes to the Coverbase public API documentation. - [API conventions](https://docs.coverbase.com/conventions.md): Authentication, base URLs, IDs, timestamps, idempotency, pagination, and the error envelope shared by all endpoints. - [Export API Reference](https://docs.coverbase.com/export.md): Endpoint reference for retrieving report data via the Coverbase Export API. - [Export API Concepts](https://docs.coverbase.com/export-api-concepts.md): Pull vendor, assessment, control, and evaluation data out of Coverbase via configurable report endpoints. - [Import API Reference](https://docs.coverbase.com/import.md): Endpoint reference for submitting batches of records via the Coverbase Import API. - [Import API Concepts](https://docs.coverbase.com/import-api.md): Push vendor, assessment, and service data into Coverbase from upstream systems of record. - [Introduction](https://docs.coverbase.com/index.md): The programmatic surface for the Coverbase third-party risk and procurement platform. - [End-to-end workflows](https://docs.coverbase.com/integrations/end-to-end-workflows.md): Three full lifecycle walkthroughs showing every API and webhook touchpoint. - [What to expect during onboarding](https://docs.coverbase.com/integrations/onboarding.md): How the workflow layer is configured, and what security teams typically request. - [Integration Workflows](https://docs.coverbase.com/integrations/overview.md): How Coverbase integrates with the systems your organization already runs, end to end. - [Triggering workflows from external systems](https://docs.coverbase.com/integrations/triggering-workflows.md): Three patterns for starting work in Coverbase from outside the UI. - [Webhook delivery history](https://docs.coverbase.com/integrations/webhook-deliveries.md): Inspect every webhook delivery attempt — status, response, and payload. - [Webhooks](https://docs.coverbase.com/integrations/webhooks.md): Delivery format, fan-out, signature verification, retries, and the event catalog. - [Workflow engine](https://docs.coverbase.com/integrations/workflow-engine.md): How triggers, conditions, and actions compose into orchestration logic. - [Connecting clients](https://docs.coverbase.com/mcp/connecting.md): Connect Claude Code, Claude.ai, Claude Desktop, Cursor, VS Code, Microsoft Copilot Studio, and other MCP clients to the Coverbase MCP server. - [Anthropic Connectors Directory](https://docs.coverbase.com/mcp/connector-directory.md): Coverbase in Claude's official Connectors Directory — one-click install, branded card, and a published security review. - [Example prompts](https://docs.coverbase.com/mcp/example-prompts.md): Realistic prompts that exercise the core MCP server workflows. - [Coverbase MCP Server](https://docs.coverbase.com/mcp/overview.md): Let AI assistants query and manage your TPRM program through natural conversation. - [Roles and permissions](https://docs.coverbase.com/mcp/permissions.md): How the MCP server enforces read-only versus read/write access, why it inherits the connected user's Coverbase role, and the controls that keep every tool call least-privilege. - [Security and privacy](https://docs.coverbase.com/mcp/security.md): Authentication, authorization, data handling, and what we log when you connect the MCP server. - [Troubleshooting](https://docs.coverbase.com/mcp/troubleshooting.md): Common issues when connecting and using the Coverbase MCP server. - [Agentic Inspect](https://docs.coverbase.com/products/agentic-inspect.md): Agentic, browser-based vendor inspection that converts attestations into verified control evidence. - [Assessment Copilot](https://docs.coverbase.com/products/assessment-copilot.md): AI-powered assessment engine that automates approximately 90% of vendor risk assessment workload. - [Autonomous Intake](https://docs.coverbase.com/products/autonomous-intake.md): Procurement-embedded intake that classifies requests, triggers the right risk path, and orchestrates downstream work. - [Contract Guardian](https://docs.coverbase.com/products/contract-guardian.md): Contract analysis and redline surfacing for third-party agreements. - [Findings Manager](https://docs.coverbase.com/products/findings-manager.md): Intelligence layer over findings across every assessment — remediation tracking and systemic risk pattern detection. - [Obligations Tracker](https://docs.coverbase.com/products/obligations-tracker.md): Track the obligations your organization takes on when engaging third parties: CUECs, legal terms, SOW duties, and technical controls. - [RFP Platform](https://docs.coverbase.com/products/rfp-platform.md): A complete RFP platform purpose-built for regulated industries, with risk, compliance, security, and legal evaluation embedded into vendor selection. - [Supplier Radar](https://docs.coverbase.com/products/supplier-radar.md): Continuous monitoring, triage, and response across your third-party ecosystem. - [Authentication](https://docs.coverbase.com/quickstart.md): All Coverbase API requests are authenticated with a bearer token over HTTPS. - [AI governance](https://docs.coverbase.com/security/ai-governance.md): How we select, test, and constrain the AI models that power Coverbase — and how we handle your data. - [Audit trails](https://docs.coverbase.com/security/audit-trails.md): Every action — dashboard, API, and AI — is logged in a tamper-evident audit trail you can read and export through the API. - [Compliance and assurance](https://docs.coverbase.com/security/compliance.md): SOC 2 Type II, independent annual penetration testing, and how to request our reports. - [Data protection](https://docs.coverbase.com/security/data-protection.md): Encryption, tenant isolation, key management, retention, and deletion. - [Security governance](https://docs.coverbase.com/security/governance.md): Policies, ownership, access control, personnel security, vendor management, and incident response. - [Trust and security overview](https://docs.coverbase.com/security/overview.md): How Coverbase governs, secures, and makes auditable the third-party risk platform you run your program on. - [Secure development](https://docs.coverbase.com/security/secure-development.md): Our secure SDLC: review, automated gates, dependency and secret scanning, and least-privilege CI/CD. ## OpenAPI Specs - [openapi](https://docs.coverbase.com/api-reference/openapi.json) ## Optional - [Content Library](https://www.coverbase.com/content-library)