API Reference
Integrate Complicer into your workflows. Manage audits, websites, findings, and evidence programmatically.
Pro plan required
API access is available on the Pro plan and above. Free plan users can use the dashboard for all operations.
Base URL
https://app.complicer.com/api
Authentication
All API requests require an API key passed in the Authorization header as a Bearer token. Create API keys in Settings → API Keys in your dashboard.
API Key Authentication
# Pass your API key in the Authorization header
curl "https://app.complicer.com/api/audits" \
-H "Authorization: Bearer ck_YOUR_API_KEY" \
-H "Content-Type: application/json"
API key format: Keys begin with the prefix ck_ followed by 64 hex characters. The full key is shown once at creation and cannot be retrieved afterwards.
Security: Keep your API key secret. Do not commit it to version control. Use environment variables or a secrets manager in CI/CD. If a key is compromised, revoke it immediately in the dashboard.
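As an added example (not part of Complicer's documentation or code), the Python sketch below turns the key format above into a pre-commit style check that flags key-shaped strings, plus a loader that reads the key from the environment. The variable name COMPLICER_API_KEY, the helper names and the sample diff are assumptions constructed for illustration.

```python
import os
import re

# Key format stated on this page: "ck_" followed by 64 hex characters.
# Assumption: hex digits may appear in upper or lower case.
KEY_RE = re.compile(r"(?<![0-9A-Za-z_])ck_[0-9a-fA-F]{64}(?![0-9a-fA-F])")


def redact(key):
    """Keep only the prefix and last 4 characters so reports never hold the key."""
    return key[:3] + "*" * 60 + key[-4:]


def find_leaked_keys(text):
    """Return (line_number, redacted_key) for every key-shaped string in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            hits.append((lineno, redact(match.group(0))))
    return hits


def load_key(env=os.environ, var="COMPLICER_API_KEY"):
    """Read the key from the environment and reject malformed values early."""
    key = env.get(var, "").strip()
    if not KEY_RE.fullmatch(key):
        raise ValueError(f"{var} is unset or not in ck_<64 hex> format")
    return key


# Constructed sample: a staged diff holding one key-shaped value and the
# documentation placeholder, which must not be reported.
FAKE_KEY = "ck_" + "0123456789abcdef" * 4
SAMPLE_DIFF = (
    "+API_URL=https://app.complicer.com/api\n"
    f"+COMPLICER_KEY={FAKE_KEY}\n"
    '+curl -H "Authorization: Bearer ck_YOUR_API_KEY"\n'
)

if __name__ == "__main__":
    for lineno, shown in find_leaked_keys(SAMPLE_DIFF):
        print(f"line {lineno}: possible Complicer API key {shown}")
```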
Scopes
Each API key is assigned one or more scopes that control which endpoints it can access. A request to an endpoint whose required scope is not included in the key will receive a 403 Forbidden response.
| Scope | Description |
|---|---|
| audit:read | List and view audits |
| audit:create | Create and delete audits |
| audit:run | Trigger audit runs |
| website:read | List and view websites |
| website:create | Add new websites |
| website:update | Update website settings |
| website:delete | Remove websites |
| finding:read | List and view findings |
| finding:update | Update finding status |
| evidence:read | List, view, and download evidence |
| evidence:download | Download evidence files |
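An added example, not Complicer's own code: a least-privilege check that compares the scopes granted to a key with the scopes a job's calls actually need. The endpoint-to-scope list is copied from this page, with HTTP methods taken from its curl examples; the function names and the sample job are assumptions.

```python
import re

# (method, path, required scope) as documented on this page; the HTTP
# methods are taken from the page's curl examples.
ENDPOINT_SCOPES = [
    ("GET", "/api/audits", "audit:read"),
    ("POST", "/api/audits", "audit:create"),
    ("GET", "/api/audits/:id", "audit:read"),
    ("DELETE", "/api/audits/:id", "audit:create"),
    ("GET", "/api/websites", "website:read"),
    ("POST", "/api/websites", "website:create"),
    ("PUT", "/api/websites/:id", "website:update"),
    ("DELETE", "/api/websites/:id", "website:delete"),
    ("GET", "/api/findings", "finding:read"),
    ("GET", "/api/findings/:id", "finding:read"),
    ("PUT", "/api/findings/:id", "finding:update"),
    ("GET", "/api/evidence", "evidence:read"),
    ("POST", "/api/evidence", "evidence:read"),
    ("GET", "/api/evidence/:id", "evidence:read"),
    ("DELETE", "/api/evidence/:id", "evidence:read"),
]


def required_scope(method, url):
    """Return the scope one call needs; ':id' matches a single path segment."""
    for verb, path, scope in ENDPOINT_SCOPES:
        regex = "[^/?]+".join(re.escape(part) for part in path.split(":id"))
        if verb == method.upper() and re.fullmatch(regex + r"(\?.*)?", url):
            return scope
    raise KeyError(f"undocumented endpoint: {method} {url}")


def audit_key(granted, calls):
    """Report scopes the job needs but lacks (403s) and scopes it never uses."""
    needed = {required_scope(method, url) for method, url in calls}
    return {"missing": sorted(needed - set(granted)),
            "excess": sorted(set(granted) - needed)}


# Constructed sample: a CI job that starts an audit, polls it, reads findings.
JOB_CALLS = [
    ("POST", "/api/audits"),
    ("GET", "/api/audits/aud_abc123"),
    ("GET", "/api/findings?severity=critical&status=open"),
]
GRANTED = ["audit:read", "audit:create", "finding:read",
           "finding:update", "website:delete"]

if __name__ == "__main__":
    print(audit_key(GRANTED, JOB_CALLS))
```

Scopes reported under "excess" can be dropped from the key without breaking the job.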
Rate Limits
Rate limits vary by plan. When you exceed the limit, the API returns a 429 Too Many Requests response with a Retry-After header indicating when you can retry.
| Plan | Daily Limit | Burst Limit |
|---|---|---|
| Free | 100 requests/day | 10 req/min |
| Pro | 10,000 requests/day | 200 req/min |
| Business | 50,000 requests/day | 500 req/min |
| Enterprise | Custom | Custom |
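An added example, not from Complicer: a helper that decides how long a client should wait after a 429, accepting Retry-After as seconds or as an HTTP-date and falling back to the X-RateLimit-Reset header this API returns. It assumes X-RateLimit-Reset is Unix epoch seconds; the one-hour cap and the 60-second default are also assumptions.

```python
import time
from email.utils import parsedate_to_datetime

MAX_WAIT = 3600      # assumption: never sleep longer than one hour per retry
DEFAULT_WAIT = 60    # assumption: used when no header can be parsed


def retry_delay(status, headers, now=None):
    """Return seconds to wait before the next request, or None to proceed.

    Waits on a 429, and also when X-RateLimit-Remaining has reached 0.
    """
    now = time.time() if now is None else now
    h = {name.lower(): value.strip() for name, value in headers.items()}
    if status != 429 and h.get("x-ratelimit-remaining", "1") != "0":
        return None

    delay = None
    retry_after = h.get("retry-after")
    if retry_after is not None:
        if retry_after.isdigit():                      # delta-seconds form
            delay = int(retry_after)
        else:                                          # HTTP-date form
            try:
                delay = parsedate_to_datetime(retry_after).timestamp() - now
            except (TypeError, ValueError):
                delay = None                           # unparseable, fall back
    if delay is None and h.get("x-ratelimit-reset", "").isdigit():
        delay = int(h["x-ratelimit-reset"]) - now      # assumed epoch seconds
    if delay is None:
        delay = DEFAULT_WAIT
    # Clamp: a reset time in the past means retry now; cap very long waits.
    return min(max(delay, 0), MAX_WAIT)


if __name__ == "__main__":
    # Constructed sample responses.
    print(retry_delay(429, {"Retry-After": "30"}))
    print(retry_delay(200, {"X-RateLimit-Remaining": "9985"}))
```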
Rate Limit Response Headers
X-RateLimit-Limit: 10000
X-RateLimit-Remaining: 9985
X-RateLimit-Reset: 1739577600
Audits
Create and manage compliance audits for your websites.
GET /api/audits
Scope: audit:read
List all audits for the authenticated account.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| page | integer | No | Page number (default: 1) |
| per_page | integer | No | Results per page (default: 20, max: 100) |
| website_id | string | No | Filter by website ID |
| status | string | No | Filter by status: pending, running, completed, failed |
Example Request
curl -X GET "https://app.complicer.com/api/audits?page=1&per_page=20" \
-H "Authorization: Bearer ck_YOUR_API_KEY" \
-H "Content-Type: application/json"
Example Response
{
"data": [
{
"id": "aud_abc123",
"website_id": "web_xyz789",
"status": "completed",
"risk_score": 72,
"findings_count": 14,
"created_at": "2026-02-10T14:30:00Z",
"completed_at": "2026-02-10T14:32:15Z"
}
],
"meta": {
"page": 1,
"per_page": 20,
"total": 42
}
}
POST /api/audits
Scope: audit:create
Create a new compliance audit for a website.
Request Body
| Name | Type | Required | Description |
|---|---|---|---|
| website_id | string | Yes | The website to audit |
| regulations | string[] | No | Regulations to check: gdpr, ai_act, eprivacy (default: all) |
| depth | string | No | Scan depth: quick, standard, deep (default: standard) |
Example Request
curl -X POST "https://app.complicer.com/api/audits" \
-H "Authorization: Bearer ck_YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"website_id": "web_xyz789",
"regulations": ["gdpr", "eprivacy"],
"depth": "standard"
}'
Example Response
{
"data": {
"id": "aud_def456",
"website_id": "web_xyz789",
"status": "pending",
"regulations": ["gdpr", "eprivacy"],
"depth": "standard",
"created_at": "2026-02-15T10:00:00Z"
}
}
GET /api/audits/:id
Scope: audit:read
Get details of a specific audit including summary results.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| id | string | Yes | The audit ID |
Example Request
curl -X GET "https://app.complicer.com/api/audits/aud_abc123" \
-H "Authorization: Bearer ck_YOUR_API_KEY" \
-H "Content-Type: application/json"
Example Response
{
"data": {
"id": "aud_abc123",
"website_id": "web_xyz789",
"status": "completed",
"risk_score": 72,
"findings_count": 14,
"findings_by_severity": {
"critical": 2,
"high": 5,
"medium": 4,
"low": 3
},
"regulations_checked": ["gdpr", "eprivacy"],
"created_at": "2026-02-10T14:30:00Z",
"completed_at": "2026-02-10T14:32:15Z"
}
}
DELETE /api/audits/:id
Scope: audit:create
Delete an audit and all associated findings.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| id | string | Yes | The audit ID |
Example Request
curl -X DELETE "https://app.complicer.com/api/audits/aud_abc123" \
-H "Authorization: Bearer ck_YOUR_API_KEY"
Example Response
{
"data": {
"deleted": true
}
}
Websites
Manage the websites connected to your account.
GET /api/websites
Scope: website:read
List all websites for the authenticated account.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| page | integer | No | Page number (default: 1) |
| per_page | integer | No | Results per page (default: 20, max: 100) |
Example Request
curl -X GET "https://app.complicer.com/api/websites" \
-H "Authorization: Bearer ck_YOUR_API_KEY" \
-H "Content-Type: application/json"
Example Response
{
"data": [
{
"id": "web_xyz789",
"url": "https://example.com",
"name": "Example Site",
"last_audit_at": "2026-02-10T14:30:00Z",
"risk_score": 72,
"status": "monitored",
"created_at": "2026-01-15T09:00:00Z"
}
],
"meta": {
"page": 1,
"per_page": 20,
"total": 5
}
}
POST /api/websites
Scope: website:create
Add a new website to your account.
Request Body
| Name | Type | Required | Description |
|---|---|---|---|
| url | string | Yes | The website URL (must be a valid HTTPS URL) |
| name | string | No | Display name for the website |
Example Request
curl -X POST "https://app.complicer.com/api/websites" \
-H "Authorization: Bearer ck_YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"url": "https://example.com",
"name": "Example Site"
}'
Example Response
{
"data": {
"id": "web_new123",
"url": "https://example.com",
"name": "Example Site",
"status": "pending_verification",
"created_at": "2026-02-15T10:00:00Z"
}
}
PUT /api/websites/:id
Scope: website:update
Update a website's configuration.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| id | string | Yes | The website ID |
Request Body
| Name | Type | Required | Description |
|---|---|---|---|
| name | string | No | Updated display name |
| monitoring | boolean | No | Enable or disable continuous monitoring |
Example Request
curl -X PUT "https://app.complicer.com/api/websites/web_xyz789" \
-H "Authorization: Bearer ck_YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "Updated Name",
"monitoring": true
}'
Example Response
{
"data": {
"id": "web_xyz789",
"url": "https://example.com",
"name": "Updated Name",
"monitoring": true,
"updated_at": "2026-02-15T10:05:00Z"
}
}
DELETE /api/websites/:id
Scope: website:delete
Remove a website and all associated data.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| id | string | Yes | The website ID |
Example Request
curl -X DELETE "https://app.complicer.com/api/websites/web_xyz789" \
-H "Authorization: Bearer ck_YOUR_API_KEY"
Example Response
{
"data": {
"deleted": true
}
}
Findings
Access and manage compliance findings from audits.
GET /api/findings
Scope: finding:read
List findings across all audits with filtering.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| audit_id | string | No | Filter by audit ID |
| website_id | string | No | Filter by website ID |
| severity | string | No | Filter by severity: critical, high, medium, low |
| status | string | No | Filter by status: open, in_progress, mitigated, accepted, false_positive, closed |
| regulation | string | No | Filter by regulation: gdpr, ai_act, eprivacy |
| page | integer | No | Page number (default: 1) |
| per_page | integer | No | Results per page (default: 20, max: 100) |
Example Request
curl -X GET "https://app.complicer.com/api/findings?severity=critical&status=open" \
-H "Authorization: Bearer ck_YOUR_API_KEY" \
-H "Content-Type: application/json"
Example Response
{
"data": [
{
"id": "fnd_001",
"audit_id": "aud_abc123",
"title": "Missing cookie consent banner",
"description": "No cookie consent mechanism detected. Non-essential cookies are being set without user consent.",
"severity": "critical",
"regulation": "gdpr",
"article": "Art. 7 GDPR / Art. 5(3) ePrivacy",
"status": "open",
"remediation": "Implement a cookie consent banner that blocks non-essential cookies until consent is granted.",
"created_at": "2026-02-10T14:31:00Z"
}
],
"meta": {
"page": 1,
"per_page": 20,
"total": 14
}
}
GET /api/findings/:id
Scope: finding:read
Get detailed information about a specific finding.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| id | string | Yes | The finding ID |
Example Request
curl -X GET "https://app.complicer.com/api/findings/fnd_001" \
-H "Authorization: Bearer ck_YOUR_API_KEY" \
-H "Content-Type: application/json"
Example Response
{
"data": {
"id": "fnd_001",
"audit_id": "aud_abc123",
"website_id": "web_xyz789",
"title": "Missing cookie consent banner",
"description": "No cookie consent mechanism detected. Non-essential cookies are being set without user consent.",
"severity": "critical",
"regulation": "gdpr",
"article": "Art. 7 GDPR / Art. 5(3) ePrivacy",
"status": "open",
"remediation": "Implement a cookie consent banner that blocks non-essential cookies until consent is granted.",
"evidence": {
"cookies_found": ["_ga", "_gid", "_fbp"],
"page_url": "https://example.com",
"screenshot_url": "https://app.complicer.com/evidence/scr_abc.png"
},
"created_at": "2026-02-10T14:31:00Z"
}
}
PUT /api/findings/:id
Scope: finding:update
Update a finding's status (e.g., mark as resolved or dismissed).
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| id | string | Yes | The finding ID |
Request Body
| Name | Type | Required | Description |
|---|---|---|---|
| status | string | Yes | New status: open, in_progress, mitigated, accepted, false_positive, closed |
| note | string | No | Optional note explaining the status change |
Example Request
curl -X PUT "https://app.complicer.com/api/findings/fnd_001" \
-H "Authorization: Bearer ck_YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"status": "resolved",
"note": "Cookie consent banner implemented via CookieYes"
}'
Example Response
{
"data": {
"id": "fnd_001",
"status": "resolved",
"note": "Cookie consent banner implemented via CookieYes",
"updated_at": "2026-02-15T10:30:00Z"
}
}
Evidence
Generate and download compliance evidence packages.
GET /api/evidence
Scope: evidence:read
List all evidence packages for the account.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| audit_id | string | No | Filter by audit ID |
| website_id | string | No | Filter by website ID |
| page | integer | No | Page number (default: 1) |
Example Request
curl -X GET "https://app.complicer.com/api/evidence?audit_id=aud_abc123" \
-H "Authorization: Bearer ck_YOUR_API_KEY" \
-H "Content-Type: application/json"
Example Response
{
"data": [
{
"id": "evi_001",
"audit_id": "aud_abc123",
"website_id": "web_xyz789",
"type": "full_report",
"format": "pdf",
"download_url": "https://app.complicer.com/evidence/evi_001/download",
"expires_at": "2026-02-22T14:30:00Z",
"created_at": "2026-02-10T14:33:00Z"
}
],
"meta": {
"page": 1,
"per_page": 20,
"total": 8
}
}
POST /api/evidence
Scope: evidence:read
Generate a new evidence package for an audit.
Request Body
| Name | Type | Required | Description |
|---|---|---|---|
| audit_id | string | Yes | The audit to generate evidence for |
| type | string | No | Package type: full_report, executive_summary, technical_detail (default: full_report) |
| format | string | No | Output format: pdf, json (default: pdf) |
Example Request
curl -X POST "https://app.complicer.com/api/evidence" \
-H "Authorization: Bearer ck_YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"audit_id": "aud_abc123",
"type": "full_report",
"format": "pdf"
}'
Example Response
{
"data": {
"id": "evi_002",
"audit_id": "aud_abc123",
"type": "full_report",
"format": "pdf",
"status": "generating",
"created_at": "2026-02-15T10:00:00Z"
}
}
GET /api/evidence/:id
Scope: evidence:read
Get details and download URL for a specific evidence package.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| id | string | Yes | The evidence package ID |
Example Request
curl -X GET "https://app.complicer.com/api/evidence/evi_001" \
-H "Authorization: Bearer ck_YOUR_API_KEY" \
-H "Content-Type: application/json"
Example Response
{
"data": {
"id": "evi_001",
"audit_id": "aud_abc123",
"website_id": "web_xyz789",
"type": "full_report",
"format": "pdf",
"status": "ready",
"download_url": "https://app.complicer.com/evidence/evi_001/download",
"file_size_bytes": 2457600,
"expires_at": "2026-02-22T14:30:00Z",
"created_at": "2026-02-10T14:33:00Z"
}
}
DELETE /api/evidence/:id
Scope: evidence:read
Delete an evidence package.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| id | string | Yes | The evidence package ID |
Example Request
curl -X DELETE "https://app.complicer.com/api/evidence/evi_001" \
-H "Authorization: Bearer ck_YOUR_API_KEY"
Example Response
{
"data": {
"deleted": true
}
}
Error Codes
The API uses standard HTTP status codes. Error responses include a JSON body with details.
Error Response Format
{
"error": {
"code": "validation_error",
"message": "The url field must be a valid HTTPS URL.",
"details": {
"field": "url",
"value": "http://example.com"
}
}
}
| Status | Meaning |
|---|---|
| 400 | Bad Request — Invalid parameters or request body |
| 401 | Unauthorized — Invalid or missing API key |
| 403 | Forbidden — Your plan does not include API access |
| 404 | Not Found — The requested resource does not exist |
| 422 | Unprocessable Entity — Validation error |
| 429 | Too Many Requests — Rate limit exceeded |
| 500 | Internal Server Error — Something went wrong on our end |
Need Help?
If you have questions about the API or need higher rate limits, reach out to our team.