Programmatic governance for every workflow.

Embed compliance into CI/CD pipelines, monitoring stacks, ticketing systems, and agent orchestration layers. KoraSafe's REST API and webhook infrastructure make governance a first-class citizen in your engineering toolchain.

REST API

Full governance at your fingertips

Every governance capability in KoraSafe is accessible through a clean, versioned REST API. Automate assessments, query your registry, chat with regulatory intelligence, and monitor compliance status -- all programmatically.

POST
/api/assess
Run an on-demand risk assessment for any AI system. Returns risk tier, flagged concerns, and recommended mitigations.
// Run a risk assessment POST /api/v1/assess { "system_name": "fraud-detection-v3", "category": "credit_decisioning", "jurisdiction": "EU" }
GET
/api/registry
Query your complete AI asset inventory. Filter by team, risk tier, lifecycle stage, or compliance status.
// Query AI registry GET /api/v1/registry ?risk_tier=high &status=production &team=ml-platform
POST
/api/chat
Ask Gloxi any regulatory question. Get sourced, jurisdiction-aware answers powered by our curated regulatory corpus.
// Ask Gloxi a regulatory question POST /api/v1/chat { "query": "What are EU AI Act
requirements for credit scoring?", "context": "financial_services" }
GET
/api/compliance
Check real-time compliance posture for any system or your entire fleet. Perfect for dashboards and CI gates.
// Check compliance status GET /api/v1/compliance ?system_id=sys_3f8a2k // Response { "status": "compliant", "score": 94 }
POST
/api/auditor/packets
Generate a JWS-signed evidence packet for an external auditor engagement. GET lists existing packets for the org; POST creates a new one bound to a magic-link invitation.
// Create an evidence packet for an auditor POST /api/v1/auditor/packets { "engagement_id": "eng_q4_2026", "systems": ["sys_3f8a2k", "sys_7r1m4n"], "window_days": 90 }
GET
/api/peer-benchmarking
Read your org's peer-cohort signals (governance maturity, finding rates, control coverage). Returns only when the cohort meets the consent-defined k-anonymity threshold.
// Pull cohort signals GET /api/v1/peer-benchmarking ?metric=finding_rate &cohort=fin-us-mid-east
POST
/api/vendor-attestations
Record NAIC §2.3 vendor AI attestations for your sub-processors. GET lists existing attestations for the org; POST submits a new attestation with retention metadata.
// Submit a vendor attestation POST /api/v1/vendor-attestations { "vendor_id": "vnd_abc", "framework": "naic-model-bulletin", "attested_on": "2026-05-11" }
POST
/api/baa-records
Track the customer's vendor BAA portfolio for HIPAA §164.314(a)(1) coverage. GET lists records; POST creates a new BAA with scope of PHI and renewal dates. PATCH on /api/baa-records/[id] updates status or rotates renewal dates.
// Create a BAA record POST /api/v1/baa-records { "vendor_id": "vnd_pacific_ehr", "scope_of_phi": ["clinical_notes", "lab_results"], "signed_on": "2026-04-15", "renewal_on": "2027-04-15" }
GET
/api/admin/edge-agents/status
Read every edge agent registered to your organization with last-seen timestamp, cert serial, and a connected / stale / offline state. Backend live; operator UI in Preview.
// Pull edge-agent status snapshot GET /api/v1/admin/edge-agents/status // Response shape [{ "id": "agt_p1", "last_seen_at": "2026-05-10T22:48Z", "cert_serial": "3F:9A:...", "status": "connected" }]
GET
/api/admin/rate-limits
Read your organization's effective per-token rate limits (read, write, MCP) including any admin-approved overrides. PATCH submits a ceiling-raise request; KoraSafe reviews against actual usage rather than approving blanket increases.
// Request a write-token override PATCH /api/v1/admin/rate-limits { "token_kind": "write", "requested_ceiling": 1200, "justification": "Bulk evidence import pipeline" }
GET
/api/admin/data-retention
Read or set per-org retention windows (findings, audit logs, evidence packets), bounded 30-3650 days. Defaults: three years for findings, seven years for evidence packets, per-org default for audit logs. PATCH updates a window.
// Set evidence packet retention to 7y PATCH /api/v1/admin/data-retention { "target": "evidence_packets", "retention_days": 2555 }
POST
/api/auditor/engagements
Provision an auditor portal Phase 2A multi-customer engagement: one firm reviewing evidence across multiple customer orgs under a single grant, with per-engagement scopes preserved by cross-tenant RLS. POST creates the engagement; GET lists engagements bound to the firm.
// Open a multi-customer engagement POST /api/v1/auditor/engagements { "firm_id": "firm_big4_a", "customer_orgs": ["org_x", "org_y"], "window_days": 90 }
GET
/api/governance-events
Read the org's governance event stream. Each event records a state change that downstream consumers want to react to: a risk score moved past a threshold, a finding transitioned state, an attestation lapsed. Events persist to governance_index_events with row-level org isolation and an idempotency key (so retries collapse to one row). Filter by event_type or finding_id; default page size 50, max 100. Webhook fan-out for these events is live; see the webhook registration endpoint below.
// Pull recent finding state-transition events GET /api/v1/governance-events ?event_type=finding.state_transition &limit=50 // Response shape { "events": [{ "id": "evt_3f9a...", "event_type": "finding.state_transition", "source_table": "findings", "source_id": "fnd_...", "trigger_reason": "open -> resolved", "payload": { ... }, "score_before": 62, "score_after": 66, "created_at": "2026-05-11T16:00:00Z" }], "count": 1 }
POST
/api/governance-events/webhooks
Webhook registration for the governance event stream. Register an HTTPS endpoint plus optional event-type filter; KoraSafe POSTs each matching event with an HMAC-SHA-256 signature. Failed deliveries enter a dead-letter queue with retry backoff; the consumer is responsible for idempotent processing.
// Register a webhook target POST /api/v1/governance-events/webhooks { "target_url": "https://customer.example/korasafe/webhook", "event_types": ["finding.state_transition", "risk_score.changed"], "hmac_secret_alias": "primary" }
POST
/api/admin/compliance/audit-package
Generate a regulator-readable audit package for a sector pack (fin-us or hc-us) or a framework (eu_ai_act, gdpr, nist_ai_rmf, iso_42001, soc2, naic, hipaa). Returns JSON by default; pass format=pdf for the regulator-readable PDF. Date range defaults to last 90 days when from/to omitted.
// Generate the hc-us HIPAA package PDF POST /api/v1/admin/compliance/audit-package ?pack=hc-us &format=pdf &from=2026-02-01 &to=2026-05-01 // fin-us variant for NAIC audits POST /api/v1/admin/compliance/audit-package?pack=fin-us&framework=naic
GET
/api/auditor/session/engagement
From inside a magic-link auditor session, list the engagement packets the firm has been granted for this customer. Used by the auditor portal UI to render the multi-packet picker. Auth is the auditor session token; no platform account required.
// List packets in this auditor's session GET /api/v1/auditor/session/engagement Authorization: Bearer ksauditor_... // Response shape { "engagement_id": "eng_q2_2026", "packets": [{ "id": "pkt_...", "customer_org_name": "Apex Financial", "window_from": "2026-02-01", "window_to": "2026-05-01" }] }
Webhooks

Real-time event delivery

Never poll for status. KoraSafe pushes governance events to your endpoints the instant they happen -- policy violations, completed assessments, guardian triggers, and compliance breaches.

policy.violation.detected
Fires when any AI system violates an active governance policy. Includes violation severity, affected system, and policy reference.
assessment.completed
Fires when a risk assessment finishes. Includes the full risk tier classification, flagged concerns, and recommended actions.
guardian.trigger.fired
Fires when a Guardian agent detects an anomaly -- PII exposure, prompt injection, content-safety issue, hallucination spike, fairness drift, or behavioral drift.
compliance.threshold.breach
Fires when a system's compliance score drops below your configured threshold. Enables automated escalation workflows.
KoraSafe Governance Engine Events • Assessments • Policies Webhook Router HMAC-signed, retries, logs Slack / Teams Governance alerts CI/CD Pipeline Deployment gates Jira / Linear Remediation tickets Dashboards Grafana, Datadog
Extended API

Full governance API surface

Beyond the core endpoints, KoraSafe exposes a complete API for audit management, regulatory intelligence, alert routing, and cross-surface governance.

audit/*
Submit code for audit, query findings with severity and source filters, bulk-update finding status, trigger remediation, and view audit run history.
knowledge-graph/*
Query regulations, articles, controls, and cross-framework mappings. Check AI system compliance status against the full regulatory knowledge graph.
alerts/*
Fetch critical alert banners, query SLA compliance per severity tier, and manage notification preferences across Slack, email, and in-app channels.
policy-packs
Browse the policy pack catalog, subscribe to framework-specific packs, pin versions, and manage human review gates for regulatory updates.
browser/*
Receive observations from the Chrome extension: supported AI surface access, LLM provider usage signals, and shadow AI reports. Fetch extension configuration and governance context. Chrome extension currently in Preview; Web Store rollout once the install path settles.
benchmarks, partners
Anonymized industry benchmarking for governance posture comparison. Partner portal API for ecosystem integrations and pack submissions.
Integrations

Built for your stack

Pre-built patterns for the tools your teams already use. Drop governance checks into any workflow without changing how you build.

CI/CD gates

Block non-compliant models and AI systems from reaching production. Integrates with GitHub Actions, GitLab CI, Jenkins, and any pipeline that speaks HTTP.

Slack & teams alerts

Route governance notifications to the right channels. Policy violations, assessment results, and compliance alerts delivered where your team already works.

Jira & linear

Automatically create remediation tickets when violations are detected. Track resolution through your existing issue management workflow with full traceability.

Custom dashboards

Pipe governance metrics into Grafana, Datadog, or your own dashboards. Full OpenMetrics-compatible export for compliance posture visualization.

Five language SDKs

Production SDKs for TypeScript, Python, Go, JVM, and .NET with feature parity. Same API surface, same error semantics, same audit-chain emission per language. Wire governance from any runtime.

Security

Enterprise-grade authentication

Every API call is authenticated, scoped, and rate-limited. Built for teams that take security as seriously as governance.

API key authentication

Generate API keys per team, per environment. Rotate keys without downtime. Every key is tied to an audit trail for full accountability.

Scoped permissions

Fine-grained access controls let you grant read-only registry access to dashboards, write access to CI systems, and admin access to governance leads.

Rate limiting

Configurable rate limits per key and per endpoint. Burst-friendly defaults with the ability to request higher throughput for pipeline-heavy workloads.

Related

Keep exploring

Architecture

Multi-tenant Postgres, edge delivery, and the eight-stage regulatory intelligence pipeline.

Security

TLS, AES-256 at rest, RLS on every public table, SOC 2 Type I in audit, BYOK on the honest roadmap.

Integrations

Portkey, LangSmith, Presidio, AWS CUR, and shadow AI CSV importers.