Drata API Overview


Drata is the world’s most advanced security and compliance automation platform with the mission to help companies earn and keep the trust of their users, customers, partners and prospects. We help thousands of companies streamline compliance for SOC 2, ISO 27001, HIPAA, GDPR, your own custom frameworks, and many more through continuous, automated control monitoring and evidence collection. Using the Drata API, you can access your data to power internal workflows and build creative solutions.

Our APIs use the REST architecture and are defined using the OpenAPI specification. All our APIs accept and return JSON and require HTTPS.

Base URL

The Drata API uses region-specific base URLs:


All calls to Drata APIs are authenticated with an API key that a user can generate within your Drata app. Allowed resources can be customized per API key.

Please keep your API keys private.

API Keys created should never be exposed in untrusted contexts. Never put an API Key in client-side JavaScript, embed it in a web page, or otherwise allow users to access it. If an API Key is exposed, lost, or stolen, then it is compromised. Revoke compromised keys immediately from your Account Settings page to prevent unauthorized access.

Rate Limits

Each request is tracked by its unique IP. The limit is 500 requests per minute. Hitting the limit will block requests for the following 10 minutes.

Endpoint Updates

As of 8/24/23, Reports & Docs was updated to Evidence Library in the Drata web app. Below are the routes that were updated for the Open API:


All keys that were provisioned for the previous endpoints do not need to be modified as the scopes were migrated.