POST /v1/evidence/export

Bundle audit-log entries + document sha256 attestations + compliance-doc inventory into a tamper-evident R2 export.

Bundles a tenant's audit-log entries for a time window, the sha256 attestation of every message generated in that window, and the iso-compliant compliance-doc inventory (the sha256s of SOC2_CONTROL_MAP, THREAT_MODEL and VENDOR_INVENTORY) into a signed JSON export uploaded to a tenant-scoped R2 bucket.

The export is the tamper-evident audit trail. The audit log is a hash chain (each entry references the prior entry's sha256), so modifying an entry in place breaks the hash of every entry after it and is detectable. Keep the `chain_head_sha256` of each export you receive: a chain that has been truncated at the tail, or rewritten end-to-end by a party with write access, still verifies internally and is only caught by comparing it against a head you recorded earlier.

The response carries a signed download URL valid for 15 minutes. Treat it as a bearer credential: anyone holding the URL can fetch the export until it expires.

See apps/api/src/routes/evidence.ts and the chain logic at apps/api/src/lib/audit-log.ts.
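The chain check described above, as an added example in TypeScript. This is not code from apps/api/src/lib/audit-log.ts: the entry field names (`seq`, `ts`, `action`, `prev_sha256`, `sha256`), the all-zero genesis value, and the sorted-key canonical JSON used for hashing are assumptions about a format the page does not spell out. It builds a small constructed chain, then shows the three outcomes a verifier needs to distinguish: a valid chain, an entry modified in place, and a chain truncated back past a head recorded from an earlier export.

```typescript
// Added example, not the project's code. Entry schema, genesis value and
// canonicalisation are assumptions; the export format itself is undocumented here.
import { createHash } from "node:crypto";

export interface AuditEntry {
  seq: number;
  ts: string;
  action: string;
  prev_sha256: string; // sha256 of the previous entry (GENESIS for the first)
  sha256: string;      // sha256 of this entry's canonical JSON, excluding this field
}

const GENESIS = "0".repeat(64); // assumed sentinel for the first entry's prev_sha256

// Deterministic JSON: keys sorted recursively so every verifier hashes the same bytes.
function canonical(value: unknown): string {
  if (Array.isArray(value)) return "[" + value.map(canonical).join(",") + "]";
  if (value && typeof value === "object") {
    const obj = value as Record<string, unknown>;
    return "{" + Object.keys(obj).sort()
      .map((k) => JSON.stringify(k) + ":" + canonical(obj[k])).join(",") + "}";
  }
  return JSON.stringify(value);
}

export function sha256Hex(data: string): string {
  return createHash("sha256").update(data, "utf8").digest("hex");
}

// An entry's hash covers everything except its own sha256; prev_sha256 is what links the chain.
export function entryHash(e: Omit<AuditEntry, "sha256">): string {
  const { seq, ts, action, prev_sha256 } = e;
  return sha256Hex(canonical({ seq, ts, action, prev_sha256 }));
}

export function appendEntry(chain: AuditEntry[], ts: string, action: string): AuditEntry[] {
  const prev = chain.length ? chain[chain.length - 1].sha256 : GENESIS;
  const body = { seq: chain.length, ts, action, prev_sha256: prev };
  return [...chain, { ...body, sha256: entryHash(body) }];
}

export type VerifyResult = { ok: true; head: string } | { ok: false; reason: string };

// Walk the chain: every entry must hash to its stored sha256 and link to the prior entry,
// and the final hash must equal the chain_head_sha256 reported in the export response.
// knownHead is a head kept from an earlier export; if the chain never passes through it,
// the log has been truncated or rewritten, which an internal walk alone cannot see.
export function verifyChain(entries: AuditEntry[], expectedHead: string, knownHead?: string): VerifyResult {
  let prev = GENESIS;
  let sawKnownHead = knownHead === undefined;
  for (const e of entries) {
    if (e.prev_sha256 !== prev) return { ok: false, reason: `entry ${e.seq}: broken link` };
    if (entryHash(e) !== e.sha256) return { ok: false, reason: `entry ${e.seq}: content modified` };
    prev = e.sha256;
    if (prev === knownHead) sawKnownHead = true;
  }
  if (prev !== expectedHead) return { ok: false, reason: "chain head does not match export" };
  if (!sawKnownHead) return { ok: false, reason: "previously exported head missing: chain truncated or rewritten" };
  return { ok: true, head: prev };
}

// Constructed sample data, not real audit entries.
export function demo() {
  let chain: AuditEntry[] = [];
  chain = appendEntry(chain, "2024-05-01T10:00:00Z", "document.generate");
  chain = appendEntry(chain, "2024-05-01T10:05:00Z", "document.generate");
  const firstHead = chain[chain.length - 1].sha256; // head recorded from an earlier export
  chain = appendEntry(chain, "2024-05-02T09:00:00Z", "evidence.export");
  const head = chain[chain.length - 1].sha256;

  const good = verifyChain(chain, head, firstHead);
  const tampered = chain.map((e) => (e.seq === 1 ? { ...e, action: "document.delete" } : e));
  const modified = verifyChain(tampered, head, firstHead);
  const truncated = verifyChain(chain.slice(0, 1), chain[0].sha256, firstHead);
  return { good, modified, truncated };
}
```

The truncation case is the one worth noting: a one-entry chain whose reported head is that entry's own hash is internally consistent, and only the head saved from the earlier export reveals that two entries have disappeared.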

Request

Request body

{
  "from": "YYYY-MM-DD",
  "to": "YYYY-MM-DD",
  "format": "json"
}

Response

Response body

{
  "export_id": "string",
  "download_url": "string (signed, 15-minute expiry)",
  "chain_head_sha256": "hex string",
  "compliance_docs": "Array<{ name, sha256 }>"
}

Idempotency

Mandatory header `Idempotency-Key` (a UUID or any other opaque string of at most 64 characters). A second request with the same key and the same body returns the cached response with the header `X-Iso-Compliant-Idempotent-Replay: true`; a second request with the same key but a different body returns 409.
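The idempotency semantics above, as an added example in TypeScript. It is not the route code from apps/api/src/routes/evidence.ts; the in-memory store, the per-tenant scoping of keys, the 400 for a missing or malformed key, and the response shapes are assumptions. It shows the three documented outcomes: the first call runs the export, a replay with the same key and body is served from the cache with the replay header, and the same key with a different body is rejected with 409 without running anything.

```typescript
// Added example, not the project's route handler. Tenant scoping, the 400 for a bad key
// and the HTTP shapes are assumptions about behaviour the page does not state.
import { createHash } from "node:crypto";

export interface ExportRequest { from: string; to: string; format: "json" }
export interface HttpResponse { status: number; headers: Record<string, string>; body: unknown }

interface CachedCall { bodySha256: string; response: HttpResponse }

function sha256Hex(s: string): string {
  return createHash("sha256").update(s, "utf8").digest("hex");
}

// Hash the body field by field so key order in the client's JSON does not affect the comparison.
function bodyHash(body: ExportRequest): string {
  return sha256Hex(JSON.stringify({ from: body.from, to: body.to, format: body.format }));
}

// Opaque, 1-64 visible ASCII characters (UUIDs qualify). The character class is an assumption.
export function validIdempotencyKey(key: string | undefined): key is string {
  return typeof key === "string" && key.length > 0 && key.length <= 64 && /^[\x21-\x7e]+$/.test(key);
}

export class IdempotentExportHandler {
  private cache = new Map<string, CachedCall>();

  constructor(private readonly runExport: (tenant: string, req: ExportRequest) => unknown) {}

  handle(tenant: string, key: string | undefined, body: ExportRequest): HttpResponse {
    if (!validIdempotencyKey(key)) {
      return { status: 400, headers: {}, body: { error: "Idempotency-Key header required (opaque, 1-64 chars)" } };
    }
    // Keys are scoped per tenant so the same key sent by two tenants never collides (assumption).
    const cacheKey = `${tenant}:${key}`;
    const hash = bodyHash(body);
    const cached = this.cache.get(cacheKey);
    if (cached) {
      if (cached.bodySha256 !== hash) {
        return { status: 409, headers: {}, body: { error: "Idempotency-Key reused with a different request body" } };
      }
      return {
        ...cached.response,
        headers: { ...cached.response.headers, "X-Iso-Compliant-Idempotent-Replay": "true" },
      };
    }
    const response: HttpResponse = { status: 200, headers: {}, body: this.runExport(tenant, body) };
    this.cache.set(cacheKey, { bodySha256: hash, response });
    return response;
  }
}

// Constructed walkthrough with a made-up tenant and key; the export itself is a stub.
export function demo() {
  let exportsRun = 0;
  const handler = new IdempotentExportHandler((tenant, req) => {
    exportsRun++;
    return { export_id: `exp_${tenant}_${exportsRun}`, from: req.from, to: req.to };
  });
  const key = "2b6c1f0e-7d0c-4e7e-9a0f-5c1b1a2d3e4f";
  const req: ExportRequest = { from: "2024-05-01", to: "2024-05-31", format: "json" };

  const first = handler.handle("acme", key, req);
  const replay = handler.handle("acme", key, { format: "json", to: "2024-05-31", from: "2024-05-01" });
  const conflict = handler.handle("acme", key, { ...req, to: "2024-06-30" });
  const missing = handler.handle("acme", undefined, req);
  const otherTenant = handler.handle("globex", key, req);
  return { first, replay, conflict, missing, otherTenant, exportsRun };
}
```

Clients should generate the key before the first attempt and reuse it on every retry of that same request; minting a fresh key per retry defeats the protection, and reusing a key with edited dates is exactly the 409 case.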

Rate limit

Sandbox: 60 requests / minute, 1000 / day. Production: 600 requests / minute soft cap, lifted per tenant on request.
