ASIRI

Submit evidence through the external API

Send audit evidence from internal systems into ASIRI with source metadata, payload hashes, redaction, freshness, review state, and control mappings.

Integrations and evidence | 8 min read | Updated May 2026
Developer Center > Embeds > Server evidence example
Access needed: Owner, Admin, Security admin, Developer
ASIRI evidence engine run history
Automated evidence should be traceable by source, run, collection time, and result so operators can distinguish fresh evidence from stale evidence.
ASIRI control detail page showing evidence coverage
Submitted evidence is useful when it maps to controls, owners, review state, and audit readiness rather than sitting as an isolated upload.
ASIRI evidence library with evidence records
Evidence records should preserve title, type, source, collection time, validity, payload hash, and review status for audit exports.

What to send

Submit evidence that proves a control, operational check, or compliance activity happened. Examples include MFA exports, backup test results, access review completion, vendor review records, policy acknowledgements, vulnerability scan summaries, and incident drill logs.

Send the smallest useful payload. ASIRI stores redacted raw payload snapshots with a hash so auditors can trace the artifact without exposing secrets in normal dashboard views.

Submit evidence

  1. Create an API key with evidence:write scope.
  2. Send POST /v1/external/evidence from a trusted server, not from browser code.
  3. Include an Idempotency-Key header and a stable apiSubmissionId for the source record.
  4. Include title, evidenceType, collectedAt, validUntil when known, controlIds when mapped, and containsPersonalData when applicable.
  5. Include rawPayload only when it helps audit traceability. Do not send credentials, access tokens, private keys, or unnecessary personal data.
  6. Open Evidence > API submissions to review the record before relying on it in an audit pack.
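
A server-side sketch of steps 2 to 5, added here as an illustration; it is not ASIRI's own code. The endpoint path, header name, and field names come from the steps above; the host, the Bearer authorization header, the JSON body shape, the evidenceType value, the ASIRI_API_KEY environment variable, and the list of secret key names are assumptions.

```python
import hashlib
import json
import os
import urllib.request

# Assumptions, not from the ASIRI docs: host, Bearer auth, JSON body shape,
# the evidenceType value, ASIRI_API_KEY env var, and the secret-key name list.
BASE_URL = "https://asiri.example"  # placeholder host
SECRET_KEYS = {"password", "secret", "token", "access_token", "api_key", "private_key"}

def scrub(value):
    """Step 5: recursively drop secret-looking keys before the payload leaves the server."""
    if isinstance(value, dict):
        return {k: scrub(v) for k, v in value.items() if k.lower() not in SECRET_KEYS}
    if isinstance(value, list):
        return [scrub(v) for v in value]
    return value

def build_request(api_key, source_system, source_record_id, evidence):
    """Steps 2-4: build (not send) the POST for one source record."""
    # Stable ID derived from the source record, so a re-run maps to the same submission.
    body = dict(evidence, apiSubmissionId=f"{source_system}:{source_record_id}")
    if "rawPayload" in body:
        body["rawPayload"] = scrub(body["rawPayload"])
    data = json.dumps(body, sort_keys=True).encode()
    # Design choice: key = hash of canonical body, so an identical retry repeats the key.
    idem_key = hashlib.sha256(data).hexdigest()
    return urllib.request.Request(
        BASE_URL + "/v1/external/evidence", data=data, method="POST",
        headers={"Authorization": f"Bearer {api_key}",
                 "Content-Type": "application/json",
                 "Idempotency-Key": idem_key})

# Constructed sample record (not real data); the control ID is a placeholder.
SAMPLE = {
    "title": "MFA enrollment export",
    "evidenceType": "mfa_export",
    "collectedAt": "2026-05-01T02:00:00Z",
    "validUntil": "2026-06-01T02:00:00Z",
    "controlIds": ["CONTROL-ID-PLACEHOLDER"],
    "containsPersonalData": False,
    "rawPayload": {"enrolled": 41, "total": 42,
                   "idp": {"tenant": "example", "access_token": "constructed-value"}},
}

if __name__ == "__main__":
    req = build_request(os.environ.get("ASIRI_API_KEY", "placeholder"), "idp-nightly", "2026-05-01", SAMPLE)
    print(req.get_method(), req.full_url, req.get_header("Idempotency-key"))
    # To submit: urllib.request.urlopen(req, timeout=10)
```

The API key is read from the server's environment and never appears in the request body, and the caller's record is left unmodified so the unscrubbed original stays in the source system only.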

Audit behavior

API evidence remains tenant-scoped. A key from one tenant cannot write evidence into another tenant.

Auditor exports show API provenance, submission ID, payload hash, redaction version, review state, and a warning when API evidence has not received human review.