API overview

Gamut exposes an HTTP API so you can integrate governance into the rest of your stack, automating inventory, assessments, evidence and reporting rather than doing everything by hand.

The API is served from your Gamut workspace under a versioned prefix:

https://run.gamutassure.com/api/compass/v1/

All endpoints sit beneath this prefix. The version segment (v1) lets the API evolve without breaking existing integrations.

Programmatic access uses bearer tokens: named, revocable API tokens tied to a user. Pass the token in the Authorization header:

Authorization: Bearer <your-token>

See Authentication for creating, using and revoking tokens.

The API works with the same governance objects described throughout these docs: AI systems, assessments, evidence, findings and more. Anything that is governed in the product can, subject to permissions, be integrated.

The API has two distinct authentication paths for two distinct callers:

  • Bearer tokens for user-scoped automation against the governance objects above. A token can do only what its owner could. See Authentication.
  • Signed service requests for external agent runtimes, under /api/compass/v1/external-agent/*. These endpoints (context, model, tool invoke, child-agent request, heartbeat, result) are HMAC-signed and nonce-protected rather than bearer-authenticated, and every action is brokered through Gateway. This is the path the BYO agent runtime SDK uses; agents act through it but never receive provider credentials.
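To illustrate what HMAC-signed, nonce-protected service requests provide that a bearer token does not (proof that the caller holds the shared secret, plus replay rejection), here is an added example of a server-side verifier for such a request. It is not Gamut's code and does not reproduce its actual wire format: the canonical string layout, the clock-skew window and the secret are assumptions made for the example.

```python
import hmac
import hashlib
import time

# Hypothetical signing scheme, NOT Gamut's documented one: the HMAC covers the
# method, path, timestamp, nonce and SHA-256 of the body, joined by newlines.
SERVICE_SECRET = b"constructed-shared-secret-for-example"  # constructed sample value
MAX_SKEW_SECONDS = 300  # assumed freshness window for the timestamp


def canonical_string(method, path, timestamp, nonce, body):
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash])


def sign_request(secret, method, path, timestamp, nonce, body):
    msg = canonical_string(method, path, timestamp, nonce, body).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class SignatureVerifier:
    """Server-side check: fresh timestamp, valid HMAC, never-before-seen nonce."""

    def __init__(self, secret, now=time.time):
        self.secret = secret
        self.now = now
        self.seen_nonces = {}  # nonce -> expiry; a shared store in a real deployment

    def verify(self, method, path, timestamp, nonce, body, signature):
        now = self.now()
        # Reject stale or future-dated requests first; they can never be valid.
        if abs(now - timestamp) > MAX_SKEW_SECONDS:
            return False, "timestamp outside allowed window"
        expected = sign_request(self.secret, method, path, timestamp, nonce, body)
        # Constant-time comparison so the check leaks nothing through timing.
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        # Only authenticated requests touch the nonce store, so an unauthenticated
        # caller cannot burn nonces; expired entries are dropped on each call.
        self.seen_nonces = {n: exp for n, exp in self.seen_nonces.items() if exp > now}
        if nonce in self.seen_nonces:
            return False, "nonce already used (replay)"
        self.seen_nonces[nonce] = now + MAX_SKEW_SECONDS
        return True, "ok"
```

Because the nonce is only remembered for the skew window, the store stays bounded while still rejecting any replay that the timestamp check alone would accept.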

The API follows consistent conventions for requests, responses and errors. See Conventions & errors.