Documents API

Agents reason over a corpus of documents you upload. The Documents API lets you add policies, evidence, questionnaires, and custom frameworks to that corpus, list and filter them, and remove them. Uploaded documents are referenced by document_id in expert chat and workflows.

Method Endpoint Description
POST /v1/documents Upload a document
GET /v1/documents List / filter documents
DELETE /v1/documents/{document_id} Delete a document

All endpoints require authorization: YOUR_API_KEY.


Document types

Type Use Required extra fields
policy Policy/procedure text for coverage analysis
evidence Artifacts proving a control is met, for audit readiness framework_id, control_id, expires_at
questionnaire Security questionnaires to answer or analyze
custom_framework Your own control set, to map and reason against

Upload a Document

POST /v1/documents

Send as multipart/form-data.

Field Type Required Description
file binary Yes File content to upload (PDF, PNG, TXT, etc.).
type string Yes One of policy, evidence, questionnaire, custom_framework.
framework_id string For evidence Framework this document relates to. Optional for other types.
control_id string For evidence Control this document provides evidence for. Optional for other types.
expires_at string (ISO 8601) For evidence When this document expires. Optional (omit for no expiry) for policy and questionnaire.

Example — policy

curl -X POST https://compliance.secberus.ai/v1/documents \
  -H "authorization: YOUR_API_KEY" \
  -F "file=@access-control-policy.pdf" \
  -F "type=policy"

Example — evidence

curl -X POST https://compliance.secberus.ai/v1/documents \
  -H "authorization: YOUR_API_KEY" \
  -F "file=@mfa-screenshot.png" \
  -F "type=evidence" \
  -F "framework_id=pci_dss_v4" \
  -F "control_id=8.4.2" \
  -F "expires_at=2026-12-31T00:00:00Z"

Response

Status: 200 OK — returns the created Document object:

{
  "document_id": "doc_01h9z…",
  "filename": "mfa-screenshot.png",
  "type": "evidence",
  "file_type": "png",
  "chunks": 1,
  "uploaded_at": "2026-06-04T15:04:05Z",
  "expires_at": "2026-12-31T00:00:00Z",
  "framework_id": "pci_dss_v4",
  "control_id": "8.4.2",
  "image_summary": "Screenshot of the admin console showing MFA enforced for all administrators…"
}

List Documents

GET /v1/documents

Returns an array of Document objects. All query parameters are optional and combine as filters.

Parameter Type Description
type string Filter by document type.
file_type string Filter by file extension (e.g. pdf, png, txt).
framework_id string Filter by framework ID.
control_id string Filter by control ID.
expired boolean true returns only expired documents; false only unexpired; omit for all.

Example

List the unexpired evidence for one framework — useful for spotting evidence that needs refreshing before an audit:

curl -H "authorization: YOUR_API_KEY" \
  "https://compliance.secberus.ai/v1/documents?type=evidence&framework_id=pci_dss_v4&expired=false"

Response

Status: 200 OK

[
  {
    "document_id": "doc_01h9z…",
    "filename": "mfa-screenshot.png",
    "type": "evidence",
    "file_type": "png",
    "chunks": 1,
    "uploaded_at": "2026-06-04T15:04:05Z",
    "expires_at": "2026-12-31T00:00:00Z",
    "framework_id": "pci_dss_v4",
    "control_id": "8.4.2"
  }
]

Delete a Document

DELETE /v1/documents/{document_id}
Parameter In Description
document_id path ID of the document to delete.

Example

curl -X DELETE https://compliance.secberus.ai/v1/documents/doc_01h9z… \
  -H "authorization: YOUR_API_KEY"

Response

Status: 204 No Content — the document and its indexed chunks are removed from your corpus.


Document Object

Field Type Description
document_id string Unique identifier. Use this in document_ids and --docs.
filename string Original filename.
type string policy, evidence, questionnaire, or custom_framework.
file_type string File extension without the leading dot (e.g. pdf, png, txt).
chunks integer Number of indexed chunks the document was split into.
uploaded_at string ISO 8601 upload timestamp.
expires_at string ISO 8601 expiry timestamp. Absent means no expiry.
framework_id string Framework the document is associated with.
control_id string Control the document provides evidence for.
image_summary string For image evidence: an AI-generated, compliance-focused summary of the image. Absent for non-image files.

Error Responses

Errors use RFC 7807 format:

Status Description
400 Bad Request — missing file/type, or missing required evidence fields
403 Forbidden — invalid or missing API key
500 Internal Server Error — contact support if persistent