
Evidence API

Programmatically post evidence to Strike Graph using our secure REST API

Written by Micah Spieler
Updated over 2 weeks ago

Access to the Evidence API is limited by subscription plan. Please contact your Customer Success Manager for more information about access.

The Evidence API allows you to push compliance evidence directly to your Strike Graph evidence repository using secure API calls. This integration enables you to streamline evidence collection by connecting your existing systems and workflows to your GRC, reducing manual effort and ensuring your evidence stays current.

With the Evidence API, you can send JSON-formatted evidence data to any evidence item in your Strike Graph instance, making it perfect for automated testing by Verify AI, continuous control monitoring, and integration with your existing compliance tools.

Getting Started

Prerequisites

  • An active Strike Graph account with API access enabled

  • Appropriate permissions to manage integrations in your Strike Graph instance

  • The external ID of the evidence item you want to upload to

Step 1: Set up API credentials

To get your API credentials, navigate to the Integration Manager and find the "Public Evidence API" card. After opening this card, click the "Connect" button to generate credentials.

Please note: once created, you will not be able to re-retrieve your Client Secret, so make sure you store it in a secure location (such as your password manager).

Your credentials will include:

  • Client ID

  • Client Secret

  • Auth0 Domain

  • API Audience (typically urn:sg:public-api)

Step 2: Obtain an access token

Before making API calls, you'll need to obtain an access token using your machine-to-machine (M2M) credentials from Step 1:

POST https://{auth0-domain}/oauth/token
Content-Type: application/json

BODY
{
  "grant_type": "client_credentials",
  "client_id": "{your-client-id}",
  "client_secret": "{your-client-secret}",
  "audience": "urn:sg:public-api"
}

The response will include an access_token that you'll use for subsequent API calls. Tokens are valid for 2 hours by default.
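The token request above, as an added example written for this article rather than code from Strike Graph: a small client that performs the client-credentials exchange against the Auth0 domain, reads the secret from the environment instead of source code, and reuses the token until five minutes before it expires. The `expires_in` field is the standard OAuth2 token-response field; the fallback of 7200 seconds reflects the 2-hour default stated above. The environment variable names and the injectable `transport` callable are this example's own conventions.

```python
"""Added example (not Strike Graph's code): obtain and cache an Auth0 client-credentials token."""
import json
import os
import time
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Optional, Tuple

# Transport signature: (url, request_headers, body) -> (status, response_headers, body_bytes).
# Injecting it keeps the client testable offline; the default uses only the standard library.
Transport = Callable[[str, dict, bytes], Tuple[int, dict, bytes]]


def urllib_transport(url: str, headers: dict, body: bytes) -> Tuple[int, dict, bytes]:
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:  # non-2xx: return status and body instead of raising
        return err.code, dict(err.headers), err.read()


@dataclass
class TokenClient:
    """Fetches a client-credentials token and reuses it until shortly before it expires."""
    auth0_domain: str                       # the Auth0 Domain from the Public Evidence API card
    client_id: str
    client_secret: str = field(repr=False)  # keep the secret out of reprs and log lines
    audience: str = "urn:sg:public-api"
    transport: Transport = urllib_transport
    refresh_margin: int = 300               # seconds before expiry at which a fresh token is fetched
    _token: Optional[str] = field(default=None, init=False, repr=False)
    _expires_at: float = field(default=0.0, init=False, repr=False)

    def get_token(self, now: Optional[float] = None) -> str:
        """Return a cached token, or exchange the credentials for a new one when it is near expiry."""
        now = time.time() if now is None else now
        if self._token and now < self._expires_at - self.refresh_margin:
            return self._token
        payload = {
            "grant_type": "client_credentials",
            "client_id": self.client_id,
            "client_secret": self.client_secret,
            "audience": self.audience,
        }
        status, _headers, raw = self.transport(
            f"https://{self.auth0_domain}/oauth/token",
            {"Content-Type": "application/json"},
            json.dumps(payload).encode("utf-8"),
        )
        if status != 200:
            # Report only the response; the request body contains the client secret.
            raise RuntimeError(f"token request failed with HTTP {status}: {raw[:200]!r}")
        doc = json.loads(raw)
        self._token = doc["access_token"]
        # expires_in is the standard OAuth2 field; the article states a 2-hour default.
        self._expires_at = now + int(doc.get("expires_in", 7200))
        return self._token


def client_from_env(transport: Transport = urllib_transport) -> TokenClient:
    """Build a client from environment variables (names are this example's convention, assumed)."""
    return TokenClient(
        auth0_domain=os.environ["SG_AUTH0_DOMAIN"],
        client_id=os.environ["SG_CLIENT_ID"],
        client_secret=os.environ["SG_CLIENT_SECRET"],
        audience=os.environ.get("SG_API_AUDIENCE", "urn:sg:public-api"),
        transport=transport,
    )
```

In a long-running collector, keep one `TokenClient` per client ID and call `get_token()` before each request; the refresh margin means a token is never presented in its last five minutes, which avoids the 401 described under Error Handling below.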

Using the Evidence API

Finding the API route for your evidence

To upload evidence to a specific item, you'll need its API route (which contains the evidence's external ID). To find it in Strike Graph:

  1. Navigate to the evidence item in your Evidence Repository

  2. Click on the evidence item to open its details page

  3. Look for the "API Route" button in the evidence details

  4. Click on the button to copy the route

Note: External IDs are unique within your organization and remain stable across evidence updates.

Attach file via API

Once you have an access token, you can attach JSON evidence using the API route copied from the evidence detail page, and the following header and body details:

POST https://api.grc.strikegraph.com/v1/evidence/{evidence-external-id}/attachment
Authorization: Bearer {access-token}
Content-Type: application/json

BODY
{
  "your": "evidence-data",
  "timestamp": "2024-01-15T10:30:00Z",
  "status": "active"
}

Required headers:

  • Authorization: Bearer {access-token} - Your M2M access token

  • Content-Type: application/json - Must be JSON format

Optional headers:

  • Request-Id: {uuid} - Optional request identifier that will be returned as X-Request-Id for tracking

Request body:

  • JSON object containing your evidence data

  • Maximum size: 10 MB

  • Structure depends on your specific evidence requirements

Success response

When your evidence is successfully uploaded, you'll receive a 201 Created response:

{
  "attachmentExtId": "{evidence-external-id}",
  "s3VersionId": "v1.2.3.abc123def456",
  "filename": "{evidence-external-id}.json",
  "uploadedAt": "2024-01-15T10:30:00Z"
}

The evidence will immediately appear in your Strike Graph instance and be available for compliance monitoring.

Rate Limits and Best Practices

Rate limiting

  • 50 requests per minute per client

  • Rate limits are applied per client ID, so multiple applications can each make 50 requests per minute

  • When rate limited, you'll receive a 429 response with Retry-After headers indicating when to retry

Best practices

  • Store your credentials securely - Never hardcode client secrets in your application code

  • Handle token expiration - Access tokens expire after 2 hours, so implement automatic token refresh

  • Implement retry logic - Handle rate limits and temporary errors gracefully with exponential backoff
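The attachment call, the rate-limit handling and the best practices above, combined into one added example that is not Strike Graph's code: it checks the 10 MB limit locally, sends a `Request-Id`, retries a 429 using a numeric `Retry-After` (exponential backoff when the header is absent), and turns any other failure into an exception built from the `errorCode`/`message` envelope documented under Error Handling below. Treating 5xx responses as retryable and parsing only the seconds form of `Retry-After` are this example's assumptions; the base URL and headers come from the article, and the `transport`/`sleep` parameters exist so the function can be exercised offline.

```python
"""Added example (not Strike Graph's code): upload JSON evidence with retries and error parsing."""
import json
import time
import urllib.error
import urllib.request
import uuid
from typing import Optional, Tuple

BASE_URL = "https://api.grc.strikegraph.com/v1"   # documented in the article
MAX_BODY_BYTES = 10 * 1024 * 1024                   # documented 10 MB request-body limit
MAX_ATTEMPTS = 5
RETRYABLE = {429, 500, 502, 503, 504}               # assumption: transient server errors are retried too


class EvidenceApiError(Exception):
    """Non-retryable failure (or retries exhausted), carrying the documented error envelope."""
    def __init__(self, status: int, error_code: str, message: str, request_id: Optional[str]):
        super().__init__(f"HTTP {status} {error_code}: {message} (X-Request-Id={request_id})")
        self.status, self.error_code, self.message, self.request_id = status, error_code, message, request_id


def urllib_transport(url: str, headers: dict, body: bytes) -> Tuple[int, dict, bytes]:
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:  # surface non-2xx responses instead of raising
        return err.code, dict(err.headers), err.read()


def _header(headers: dict, name: str) -> Optional[str]:
    """Case-insensitive header lookup; casing differs between servers, proxies and client libraries."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def retry_delay(headers: dict, attempt: int, base: float = 1.0, cap: float = 30.0) -> float:
    """Honour a numeric Retry-After (seconds) when present; otherwise capped exponential backoff."""
    retry_after = _header(headers, "Retry-After")
    if retry_after and retry_after.strip().isdigit():
        return float(retry_after)
    return min(cap, base * 2 ** (attempt - 1))


def error_from_response(status: int, headers: dict, raw: bytes) -> EvidenceApiError:
    """Parse the {errorCode, message, details, meta} envelope; tolerate a missing or non-JSON body."""
    try:
        doc = json.loads(raw or b"{}")
    except ValueError:
        doc = {}
    return EvidenceApiError(status, doc.get("errorCode", "UNKNOWN"),
                            doc.get("message", "no error body"), _header(headers, "X-Request-Id"))


def upload_evidence(evidence_ext_id: str, evidence: dict, access_token: str,
                    transport=urllib_transport, sleep=time.sleep) -> dict:
    """POST one JSON evidence document; returns the 201 body on success."""
    body = json.dumps(evidence).encode("utf-8")
    if len(body) > MAX_BODY_BYTES:  # fail locally rather than paying for a 413 round trip
        raise ValueError(f"evidence is {len(body)} bytes; the API limit is {MAX_BODY_BYTES}")
    headers = {
        "Authorization": f"Bearer {access_token}",
        "Content-Type": "application/json",
        "Request-Id": str(uuid.uuid4()),  # echoed back as X-Request-Id; log it for support cases
    }
    url = f"{BASE_URL}/evidence/{evidence_ext_id}/attachment"
    for attempt in range(1, MAX_ATTEMPTS + 1):
        status, resp_headers, raw = transport(url, headers, body)
        if status == 201:
            return json.loads(raw)
        if status not in RETRYABLE or attempt == MAX_ATTEMPTS:
            raise error_from_response(status, resp_headers, raw)  # a 401 here means: refresh the token
        sleep(retry_delay(resp_headers, attempt))
    raise AssertionError("unreachable: every attempt returns or raises")


if __name__ == "__main__":
    # Constructed offline demo: the first call is rate limited, the second succeeds.
    script = [(429, {"Retry-After": "1"}, b'{"errorCode": "RATE_LIMITED", "message": "Too many requests"}'),
              (201, {"X-Request-Id": "demo"}, b'{"attachmentExtId": "ev-demo", "filename": "ev-demo.json"}')]
    print(upload_evidence("ev-demo", {"status": "active"}, "demo-token",
                          transport=lambda *_: script.pop(0), sleep=lambda s: print(f"sleeping {s}s")))
```

The same `Request-Id` is sent on every retry of one upload, so a support engineer can see the whole sequence for that attachment under one identifier; the caller, not this function, is responsible for fetching a fresh token when an `EvidenceApiError` with status 401 comes back.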

Error Handling

The Evidence API returns standardized error responses to help you troubleshoot issues quickly:

{
  "errorCode": "ERROR_CODE_IN_CAPS",
  "message": "Human-readable error description",
  "details": {},
  "meta": {}
}

Common errors:

HTTP Status | Error Code             | Description                                    | Solution
------------|------------------------|------------------------------------------------|-------------------------------------------------------
401         | UNAUTHORIZED           | Invalid or expired token                       | Obtain a new access token
403         | FORBIDDEN              | Missing required scope or permissions          | Verify your client has the sg:attachments:create scope
404         | EVIDENCE_NOT_FOUND     | Evidence ID doesn't exist in your organization | Check the evidence external ID
413         | PAYLOAD_TOO_LARGE      | Request body exceeds the 10 MB limit           | Reduce the size of your evidence data
415         | UNSUPPORTED_MEDIA_TYPE | Content-Type is not application/json           | Set the Content-Type: application/json header
429         | RATE_LIMITED           | Too many requests                              | Wait and retry based on the Retry-After header

Request tracking

Include a Request-Id header with a unique UUID to track requests across logs and support interactions. This ID will be returned as X-Request-Id in the response headers.

Getting Help

If you encounter issues with the Evidence API:

  1. Check the error response - Error messages provide specific guidance on what went wrong

  2. Verify your setup - Ensure your credentials, scopes, and evidence IDs are correct

  3. Review rate limits - Check if you're hitting the 50 requests per minute limit

  4. Contact support - Reach out through our chat feature for real-time Customer Success support 8 AM-5 PM PT Monday through Friday
