For Agents
Manage Drata workspaces, controls, vendors, risk registers, and personnel so an agent can keep continuous compliance state synchronised with external systems.
Get started with Drata API – Beta in minutes using your preferred integration method.
# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
"jentic": {
"url": "https://api.jentic.com/mcp",
"auth": "oauth"
}
}
# Then ask your agent:
"add a Drata vendor"
# → Jentic returns the GET /events tool with parameter schema, agent executes.What an agent can do with Drata API – Beta API.
Manage Drata workspaces and inspect their compliance scope
List, create, modify, and remove controls within a workspace
Add control notes and assign control owners across the workspace surface
Maintain a vendor register with vendor types, risk profiles, and lifecycle state
Track risk register entries and supporting documentation
GET STARTED
Use for: I need to add a vendor to the Drata register, List all controls in a Drata workspace, Update the owner on a Drata control, Retrieve the personnel records tracked by Drata
Not supported: Does not run vulnerability scans, generate the audit report PDF, or replace your HRIS as a system of record — use for compliance state management within Drata only.
Jentic publishes the only available OpenAPI document for Drata API – Beta, keeping it validated and agent-ready.
Drata is a continuous compliance automation platform that monitors security controls across SOC 2, ISO 27001, HIPAA, and other frameworks. The V2 public API exposes 110 operations covering workspaces, controls, control notes and owners, vendors and vendor types, risk registers, personnel, policies, devices, assets, users, roles, and custom connections. Authentication is via a bearer token, suitable for headless ingestion of evidence and synchronisation of compliance state across systems. The spec is currently published as a public beta.
Synchronise personnel, policies, devices, and assets that feed Drata's evidence engine
Configure custom connections so non-native systems become evidence sources
Patterns agents use Drata API – Beta API for, with concrete tasks.
★ Vendor Risk Register Sync
Mirror the company's source-of-truth vendor list into Drata's vendor register so each vendor is reflected against compliance frameworks. The agent calls the workspaces vendor endpoints to upsert vendors and vendor types, keeping risk classifications aligned with procurement state. This avoids drift between Drata and the vendor management spreadsheet.
For each vendor in procurement, upsert a Drata vendor record under the relevant workspace and set its vendor type and risk classification.
Control Ownership Reviews
Run quarterly control ownership reviews by listing controls per workspace, attaching review notes, and updating control owners where ownership has rotated. The agent uses the workspace controls and control owners endpoints to record the review outcome alongside any compensating-control commentary, keeping audit trails inside Drata rather than in scattered spreadsheets.
List controls in workspace 'wsp_42', and for each control with an outdated owner, modify the owners and add a review note dated this quarter.
Personnel and Device Hygiene
Keep Drata's personnel and device evidence current by syncing HRIS leavers and MDM device retirements through the personnel and devices endpoints. The agent removes off-boarded personnel and retires decommissioned devices so compliance evidence reflects the current population, preventing stale findings from blocking SOC 2 readiness.
Pull HRIS leavers, remove their Drata personnel records, and mark associated devices retired through the devices endpoints.
Risk Register Maintenance
Maintain the Drata risk register from incident management or GRC source data so risks are added, updated, and retired in lockstep. The agent uses the risk-registers endpoints to mirror the latest risk state, attach notes from triage reviews, and close out remediated items, giving auditors a current view at any time.
Read the latest risk triage outcomes and update each Drata risk register entry with the new status and remediation note.
AI Agent Compliance Operator
Through Jentic, an AI agent can take 'add this vendor to Drata as high risk' and resolve it to the appropriate Drata vendor creation operation without browsing docs. Jentic injects the bearer token from the vault and validates the input payload against the operation schema. End-to-end setup is under an hour from sign-up versus several days of Drata API plumbing.
Use Jentic search for 'add a Drata vendor', load the matching workspace vendor operation, and execute it with the vendor name, type, and risk classification.
110 endpoints — drata is a continuous compliance automation platform that monitors security controls across soc 2, iso 27001, hipaa, and other frameworks.
METHOD
PATH
DESCRIPTION
/workspaces/{workspaceId}/controls
List controls in a workspace
/workspaces/{workspaceId}/controls
Create a control
/workspaces/{workspaceId}/controls/{controlId}/owners
Modify control owners
/workspaces/{workspaceId}/controls/{controlId}/notes
Create a control note
/assets
List assets
/custom-connections
Create a custom connection
/background-checks
Create a manual background check
/workspaces/{workspaceId}/controls
List controls in a workspace
/workspaces/{workspaceId}/controls
Create a control
/workspaces/{workspaceId}/controls/{controlId}/owners
Modify control owners
/workspaces/{workspaceId}/controls/{controlId}/notes
Create a control note
/assets
List assets
Three things that make agents converge on Jentic-routed access.
Credential isolation
Drata bearer tokens are stored encrypted in the Jentic vault and injected into the Authorization header at execution time. Agents receive a scoped reference, never the raw token.
Intent-based discovery
Agents search by intent (e.g. 'add a Drata vendor' or 'list Drata controls') and Jentic returns the matching V2 operation with its input schema. The agent calls the right endpoint without browsing 110-operation docs.
Time to first call
Direct Drata integration: several days for token onboarding, workspace traversal, and idempotent sync logic. Through Jentic: under an hour from sign-up to first vendor or control write.
Alternatives and complements available in the Jentic catalogue.
Secureframe API
Secureframe is a peer compliance automation platform with similar control and evidence coverage; Drata leans into deeper vendor and risk management.
Choose Secureframe when the customer is already on Secureframe. Choose Drata when SOC 2 + extended risk register coverage is the priority.
Snyk API
Snyk identifies application and dependency vulnerabilities; Drata records them as evidence for compliance frameworks.
Use Snyk for vulnerability detection. Use Drata to capture remediation evidence inside the compliance program.
Tenable Attack Surface Management API
Tenable surfaces external exposure; Drata records the corresponding control and evidence state.
Use Tenable to enumerate exposure. Use Drata to track the related controls and risk register entries.
Specific to using Drata API – Beta API through Jentic.
What authentication does the Drata API use?
Drata uses a bearer token in the Authorization header. Through Jentic, that token is stored encrypted in the vault and injected at execution time, so it never appears in the agent's prompt or response.
Can I manage controls programmatically with the Drata API?
Yes. The /workspaces/{workspaceId}/controls endpoints support listing, creating, retrieving, and modifying controls within a workspace. Companion endpoints handle control notes and control owners for review workflows.
How do I add a vendor to Drata through Jentic?
Run pip install jentic, search for 'add a Drata vendor', load the matching vendor creation operation, and execute it with the vendor name, vendor type, and risk classification. Jentic returns the input schema so the agent assembles a valid request without reading docs.
Can I sync personnel and devices into Drata?
Yes. The personnel and devices endpoints allow you to mirror HRIS and MDM data into Drata so its evidence engine sees the current population. This keeps SOC 2 and ISO readiness aligned with the live workforce.
Is the Drata API stable?
The V2 surface is published as a public beta. Track the source-url in the spec and validate changes before relying on the schema in production. Treat schema changes as breaking until the surface graduates from beta.
What are the rate limits for the Drata API?
The published spec does not declare explicit per-endpoint limits. Build retry-with-backoff into the client and treat 429 responses as the signal to slow down. For high-volume sync jobs, contact Drata to confirm thresholds.
/custom-connections
Create a custom connection
/background-checks
Create a manual background check