Overview
The Evidence API gives read-only access to your scan results — violations, pre-consent timelines, fingerprinting evidence, geographic data flows, cookie inventories and jurisdiction mappings. It's built for legal teams, internal audit and enterprise integrations.
Base URL
Read-only
All endpoints are GET. No writes, no scan triggers, no mutations.
API key auth
Authenticate with an API key sent in the X-Api-Key header. Keys are hashed before storage and managed in Settings.
Pro & Agency
Available on Pro and Agency plans. Upgrade from your dashboard.
Designed for legal teams
The Evidence API provides structured access to scan results — violations, fingerprinting evidence, pre-consent timelines, geographic data flows and jurisdiction-specific legal references. No scan triggering is exposed by design.
Authentication
All requests must include your API key in the X-Api-Key header.
curl -H "X-Api-Key: cmk_YOUR_API_KEY" \
  https://compliancemonitor.io/api/v1/scans/{scan_id}/evidence
How to get your API key
- Go to Settings in your dashboard
- Scroll to the Evidence API section and click Create Key
- Copy the key immediately — it will not be shown again
Keys are hashed before storage
If you lose your key, revoke it and create a new one from Settings. We don't store the plaintext value.
Endpoints
All endpoints follow the pattern /scans/{id}/{resource}. Replace {id} with the scan UUID from your dashboard.
List Violations
Returns all compliance violations found during the scan, including severity, vendor attribution, legal explanation, and remediation guidance.
Example request
curl -H "X-Api-Key: cmk_YOUR_KEY" \
  https://compliancemonitor.io/api/v1/scans/SCAN_ID/violations
Example response
{
  "scan_id": "a1b2c3d4-...",
  "count": 3,
  "violations": [
    {
      "id": "...",
      "type": "cookie",
      "severity": "high",
      "name": "_ga",
      "domain": ".google-analytics.com",
      "description": "Google Analytics tracking cookie set before consent",
      "category": "analytics",
      "vendor": "Google",
      "country": "US",
      "why_illegal": "Analytics cookies require explicit opt-in before processing under GDPR Art. 6(1)(a)",
      "how_to_fix": "Block Google Analytics scripts until user provides consent via your CMP",
      "created_at": "2026-02-13T10:00:00Z"
    }
  ]
}
Fingerprinting Data
Returns browser fingerprinting detection results: canvas, WebGL, audio, font, and navigator API usage counts with timestamps.
curl -H "X-Api-Key: cmk_YOUR_KEY" \
  https://compliancemonitor.io/api/v1/scans/SCAN_ID/fingerprinting
Pre-Consent Timeline
Chronological sequence of all events from page load: network requests, fingerprinting events, and CMP detection. Each event is marked as pre- or post-consent.
curl -H "X-Api-Key: cmk_YOUR_KEY" \
  https://compliancemonitor.io/api/v1/scans/SCAN_ID/timeline
Data Leak Map
Geographic breakdown of all outbound data flows, grouped by destination country. Each request includes vendor attribution, category, and pre-consent status.
curl -H "X-Api-Key: cmk_YOUR_KEY" \
  https://compliancemonitor.io/api/v1/scans/SCAN_ID/leak-map
Jurisdiction Summary
Violations mapped to their legal context based on the scan's primary market (EU / UK / US_CA). Includes applicable law references, legal labels, and section titles.
curl -H "X-Api-Key: cmk_YOUR_KEY" \
  https://compliancemonitor.io/api/v1/scans/SCAN_ID/jurisdiction-summary
Full Evidence Bundle
Complete evidence package for a scan in a single request. Includes scan metadata, all violations, cookies, fingerprinting data, leak requests, and jurisdiction mappings. Ideal for legal teams and internal audit.
curl -H "X-Api-Key: cmk_YOUR_KEY" \
  https://compliancemonitor.io/api/v1/scans/SCAN_ID/evidence
Error Codes
All errors return a JSON object with an error field.
| Status | Message | Cause |
|---|---|---|
| 401 | Missing X-Api-Key header | No API key provided in the request |
| 401 | Invalid API key | The key does not match any active key |
| 401 | API key has been revoked | The key was revoked from Settings |
| 403 | Evidence API requires an active Pro or Agency plan | Account is on Free or Starter plan, or subscription is not active |
| 404 | Scan not found or access denied | Scan ID does not exist or belongs to another user |
| 405 | Method not allowed | Used a method other than GET |
| 422 | Scan is not yet completed | Scan is still pending or processing |
| 429 | Rate limit exceeded | Per-minute or daily request limit exceeded. Check the Retry-After header |
Error response format
{
  "error": "Scan not found or access denied"
}
Rate Limits
The Evidence API is subject to fair-use rate limits.
| Plan | Requests / minute | Requests / day |
|---|---|---|
| Pro | 60 | 5,000 |
| Agency | 120 | 20,000 |
If you exceed these limits, you will receive a 429 response. Wait and retry with exponential backoff.
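A client that applies the error table and rate-limit guidance above, as an added example that is not code from Compliance Monitor: it validates the scan UUID and resource name before building the URL, retries only on 429, and surfaces the JSON error field for every other status. The function names, the CMK_API_KEY and SCAN_ID environment variables, and the reading of Retry-After as whole seconds are assumptions.

```python
import json, os, time, uuid, urllib.error, urllib.request

BASE = "https://compliancemonitor.io/api/v1"   # taken from the page's curl examples
RESOURCES = {"violations", "fingerprinting", "timeline", "leak-map",
             "jurisdiction-summary", "evidence"}

class EvidenceAPIError(Exception):
    def __init__(self, status, message):
        super().__init__(f"HTTP {status}: {message}")
        self.status, self.message = status, message

def http_get(url, api_key):
    """Default transport: GET only; returns (status, headers, body) for any status."""
    req = urllib.request.Request(url, headers={"X-Api-Key": api_key}, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()

def retry_delay(headers, attempt, base=1.0, cap=60.0):
    """Use Retry-After when it is a whole number of seconds (assumed format),
    otherwise fall back to capped exponential backoff."""
    value = {k.lower(): v for k, v in headers.items()}.get("retry-after", "").strip()
    if value.isdigit():
        return min(float(value), cap)
    return min(base * 2 ** attempt, cap)

def get_resource(scan_id, resource, api_key, transport=http_get,
                 sleep=time.sleep, max_retries=5):
    if resource not in RESOURCES:
        raise ValueError(f"unknown resource: {resource!r}")
    scan_id = str(uuid.UUID(scan_id))   # rejects anything that is not a UUID
    url = f"{BASE}/scans/{scan_id}/{resource}"
    for attempt in range(max_retries + 1):
        status, headers, body = transport(url, api_key)
        if status == 200:
            return json.loads(body)
        if status == 429 and attempt < max_retries:
            sleep(retry_delay(headers, attempt))
            continue
        try:
            message = json.loads(body)["error"]   # error format shown on the page
        except (ValueError, KeyError, TypeError):
            message = "unparseable error body"
        raise EvidenceAPIError(status, message)

if __name__ == "__main__":   # key is read from the environment, not from source
    print(get_resource(os.environ["SCAN_ID"], "violations", os.environ["CMK_API_KEY"]))
```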