ComplianceMonitor.io

Evidence API

Read-only access to scan evidence and compliance data. Pull violations, pre-consent timelines, fingerprinting evidence, cookies and jurisdiction mappings into your own internal tools and legal workflows.

REST API · JSON · v1 · stable · Read-only

Overview

The Evidence API gives read-only access to your scan results — violations, pre-consent timelines, fingerprinting evidence, geographic data flows, cookie inventories and jurisdiction mappings. It's built for legal teams, internal audit and enterprise integrations.

Base URL

https://compliancemonitor.io/api/v1

Read-only

All endpoints are GET. No writes, no scan triggers, no mutations.

API key auth

Authenticate with an API key. Keys are stored hashed and are managed in Settings.

Pro & Agency

Available on Pro and Agency plans. Upgrade from your dashboard.

Designed for legal teams

The Evidence API provides structured access to scan results — violations, fingerprinting evidence, pre-consent timelines, geographic data flows and jurisdiction-specific legal references. No scan triggering is exposed by design.


Authentication

All requests must include your API key in the X-Api-Key header.

cURL — Example request
curl -H "X-Api-Key: cmk_YOUR_API_KEY" \
  https://compliancemonitor.io/api/v1/scans/{scan_id}/evidence

How to get your API key

  1. Go to Settings in your dashboard
  2. Scroll to the Evidence API section and click Create Key
  3. Copy the key immediately — it will not be shown again

Keys are hashed before storage

If you lose your key, revoke it and create a new one from Settings. We don't store the plaintext value.

API reference

Endpoints

All endpoints follow the pattern /scans/{id}/{resource}. Replace {id} with the scan UUID from your dashboard.

Endpoint

List Violations

Returns all compliance violations found during the scan, including severity, vendor attribution, legal explanation, and remediation guidance.

GET /scans/{id}/violations

Example request

cURL
curl -H "X-Api-Key: cmk_YOUR_KEY" \
  https://compliancemonitor.io/api/v1/scans/SCAN_ID/violations

Example response

JSON · 200 OK
{
  "scan_id": "a1b2c3d4-...",
  "count": 3,
  "violations": [
    {
      "id": "...",
      "type": "cookie",
      "severity": "high",
      "name": "_ga",
      "domain": ".google-analytics.com",
      "description": "Google Analytics tracking cookie set before consent",
      "category": "analytics",
      "vendor": "Google",
      "country": "US",
      "why_illegal": "Analytics cookies require explicit opt-in before processing under GDPR Art. 6(1)(a)",
      "how_to_fix": "Block Google Analytics scripts until user provides consent via your CMP",
      "created_at": "2026-02-13T10:00:00Z"
    }
  ]
}
Endpoint

Fingerprinting Data

Returns browser fingerprinting detection results: canvas, WebGL, audio, font, and navigator API usage counts with timestamps.

GET /scans/{id}/fingerprinting

cURL
curl -H "X-Api-Key: cmk_YOUR_KEY" \
  https://compliancemonitor.io/api/v1/scans/SCAN_ID/fingerprinting
Endpoint

Pre-Consent Timeline

Chronological sequence of all events from page load: network requests, fingerprinting events, and CMP detection. Each event is marked as pre- or post-consent.

GET /scans/{id}/timeline

cURL
curl -H "X-Api-Key: cmk_YOUR_KEY" \
  https://compliancemonitor.io/api/v1/scans/SCAN_ID/timeline
Endpoint

Data Leak Map

Geographic breakdown of all outbound data flows, grouped by destination country. Each request includes vendor attribution, category, and pre-consent status.

GET /scans/{id}/leak-map

cURL
curl -H "X-Api-Key: cmk_YOUR_KEY" \
  https://compliancemonitor.io/api/v1/scans/SCAN_ID/leak-map
Endpoint

Jurisdiction Summary

Violations mapped to their legal context based on the scan's primary market (EU / UK / US_CA). Includes applicable law references, legal labels, and section titles.

GET /scans/{id}/jurisdiction-summary

cURL
curl -H "X-Api-Key: cmk_YOUR_KEY" \
  https://compliancemonitor.io/api/v1/scans/SCAN_ID/jurisdiction-summary
Endpoint

Cookie Inventory

Full inventory of cookies detected during the scan, including their attributes and whether they were set before user consent.

GET /scans/{id}/cookies

cURL
curl -H "X-Api-Key: cmk_YOUR_KEY" \
  https://compliancemonitor.io/api/v1/scans/SCAN_ID/cookies
Endpoint

Full Evidence Bundle

Complete evidence package for a scan in a single request. Includes scan metadata, all violations, cookies, fingerprinting data, leak requests, and jurisdiction mappings. Ideal for legal teams and internal audit.

GET /scans/{id}/evidence

cURL
curl -H "X-Api-Key: cmk_YOUR_KEY" \
  https://compliancemonitor.io/api/v1/scans/SCAN_ID/evidence
Reference

Error Codes

All errors return a JSON object with an error field.

Status | Message | Cause
401 | Missing X-Api-Key header | No API key provided in the request
401 | Invalid API key | The key does not match any active key
401 | API key has been revoked | The key was revoked from Settings
403 | Evidence API requires an active Pro or Agency plan | Account is on Free or Starter plan, or subscription is not active
404 | Scan not found or access denied | Scan ID does not exist or belongs to another user
405 | Method not allowed | Used a method other than GET
422 | Scan is not yet completed | Scan is still pending or processing
429 | Rate limit exceeded | Per-minute or daily request limit exceeded. Check the Retry-After header

Error response format

JSON
{
  "error": "Scan not found or access denied"
}
Reference

Rate Limits

The Evidence API is subject to fair-use rate limits.

Plan | Requests / minute | Requests / day
Pro | 60 | 5,000
Agency | 120 | 20,000

If you exceed these limits, you will receive a 429 response. Wait and retry with exponential backoff.
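
A client sketch tying together the endpoint pattern, the error table and the 429 guidance above. This is an added example, not ComplianceMonitor's own code: the names get_resource, http_get and EvidenceApiError are hypothetical, and it assumes Retry-After carries whole seconds (it falls back to exponential backoff otherwise).

```python
import json
import time
import urllib.error
import urllib.request
import uuid

BASE_URL = "https://compliancemonitor.io/api/v1"
# Resource names listed in the endpoint reference above.
RESOURCES = {"violations", "fingerprinting", "timeline", "leak-map",
             "jurisdiction-summary", "cookies", "evidence"}

class EvidenceApiError(Exception):
    """Hypothetical error type carrying the HTTP status and the "error" field."""
    def __init__(self, status, message):
        super().__init__(f"{status}: {message}")
        self.status, self.message = status, message

def http_get(url, api_key):
    """Default transport: GET with X-Api-Key, returns (status, headers, body)."""
    req = urllib.request.Request(url, headers={"X-Api-Key": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, dict(resp.headers), resp.read().decode()
    except urllib.error.HTTPError as err:  # error responses carry the JSON body
        return err.code, dict(err.headers), err.read().decode()

def get_resource(scan_id, resource, api_key, transport=http_get,
                 sleep=time.sleep, max_attempts=5, base_delay=1.0):
    """Fetch /scans/{id}/{resource}; retry only on 429, fail fast otherwise."""
    scan_id = str(uuid.UUID(scan_id))  # ValueError unless a UUID; canonical form
    if resource not in RESOURCES:
        raise ValueError(f"unknown resource: {resource}")
    url = f"{BASE_URL}/scans/{scan_id}/{resource}"
    for attempt in range(max_attempts):
        status, headers, body = transport(url, api_key)
        if status == 200:
            return json.loads(body)
        try:
            message = json.loads(body)["error"]
        except (ValueError, KeyError, TypeError):
            message = body
        # 401/403/404/405/422 will not succeed on an immediate retry.
        if status != 429 or attempt == max_attempts - 1:
            raise EvidenceApiError(status, message)
        # Assumption: Retry-After is whole seconds; otherwise back off 1s, 2s, 4s...
        hint = {k.lower(): v for k, v in headers.items()}.get("retry-after", "")
        sleep(float(hint) if hint.isdigit() else base_delay * 2 ** attempt)
```

In real use, load the key from an environment variable or a secrets manager rather than embedding it in source, and keep it out of logs and error messages.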