Get started in 3 steps
Authenticate, collect your first consent record, and verify its cryptographic integrity — in under 5 minutes.
Request OTP & receive JWT
POST /auth/request-otp

```bash
curl -X POST https://api.vishwaasai.in/api/v1/auth/request-otp \
  -H "Content-Type: application/json" \
  -d '{"email": "admin@your-org.in"}'

# Then verify the OTP from your inbox:
curl -X POST https://api.vishwaasai.in/api/v1/auth/verify-otp \
  -H "Content-Type: application/json" \
  -d '{"email": "admin@your-org.in", "otp": "123456"}'

# → { "access_token": "...", "refresh_token": "..." }
```
Collect your first consent record
POST /consent/collect

```bash
curl -X POST https://api.vishwaasai.in/api/v1/consent/collect \
  -H "Authorization: Bearer <access_token>" \
  -H "Content-Type: application/json" \
  -d '{
    "data_principal_id": "dp_01HX...",
    "purpose_code": "mkt_email",
    "channel": "api",
    "consent_text": "I agree to receive marketing emails"
  }'
```

Response includes full proof chain:

```json
{
  "id": "cr_01J...",
  "status": "active",
  "record_hash": "sha256:a3f2b1...",
  "chain_hash": "sha256:9c1bd2...",
  "digital_signature": "RSA-PSS:...",
  "tsa_token": "RFC3161:..."
}
```
Verify hash chain integrity
POST /consent/verify-integrity/:id

```bash
curl -X POST https://api.vishwaasai.in/api/v1/consent/verify-integrity/cr_01J... \
  -H "Authorization: Bearer <access_token>"
```

Returns:

```json
{
  "integrity_valid": true,
  "chain_position": 247,
  "verified_at": "2026-03-15T09:00:01Z"
}
```
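
The integrity check above runs on the server. The following is an added example (not the platform's own code) showing how a SHA-256 hash chain over consent records exposes edits and deletions when a set of records is re-verified offline. The canonical-JSON encoding, the rule `chain_hash = SHA-256(previous chain_hash | record_hash)`, the all-zero genesis value and the sample records are assumptions; the page does not document the actual construction.

```python
import hashlib
import json

GENESIS = "sha256:" + "0" * 64  # assumed anchor value for the first record


def sha256_tag(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()


def record_hash(payload: dict) -> str:
    """Hash a canonical (sorted-key, compact) JSON encoding of the record."""
    canon = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return sha256_tag(canon.encode("utf-8"))


def chain_hash(prev_chain: str, rec_hash: str) -> str:
    """Bind this record to everything before it (assumed linking rule)."""
    return sha256_tag(f"{prev_chain}|{rec_hash}".encode("ascii"))


def append(chain: list, payload: dict) -> dict:
    prev = chain[-1]["chain_hash"] if chain else GENESIS
    rh = record_hash(payload)
    entry = {"payload": payload, "record_hash": rh, "chain_hash": chain_hash(prev, rh)}
    chain.append(entry)
    return entry


def verify(chain: list):
    """Return (True, None), or (False, index of the first entry that fails)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        rh = record_hash(entry["payload"])
        if rh != entry["record_hash"] or chain_hash(prev, rh) != entry["chain_hash"]:
            return False, i
        prev = entry["chain_hash"]
    return True, None


def build_sample_chain() -> list:
    # Constructed sample records, shaped like the /consent/collect request body.
    chain = []
    for n, purpose in enumerate(["mkt_email", "analytics", "mkt_sms"]):
        append(chain, {"data_principal_id": f"dp_sample_{n}", "purpose_code": purpose,
                       "channel": "api", "status": "active"})
    return chain
```

Editing a record and recomputing only its own two hashes moves the failure to the next entry rather than hiding it, which is why the chain head is the value worth anchoring with a signature and timestamp.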
Authentication
All API calls (except public endpoints and health checks) require one of two auth methods depending on context.
JWT Bearer Token
For human admin users. Obtained via OTP flow. Rate-limited: 3 OTP requests per 5 minutes per email.
Authorization: Bearer <token>
API Key
For machine-to-machine (M2M) integrations. Configure via Settings → API Keys. Scoped per tenant.
X-API-Key: <api_key>
Tag 1 — Auth
9 endpoints

| Endpoint | Description |
|---|---|
| /auth/request-otp | Request a 6-digit OTP (rate-limited: 3/5min/email) |
| /auth/verify-otp | Verify OTP → receive JWT access + refresh tokens |
| /auth/refresh | Refresh access token using refresh token |
| /auth/logout | Invalidate current session |
| /auth/me | Get current authenticated user profile |
| /auth/me | Update profile (name, language preference) |
| /portal/auth/request-otp | OTP for data principal portal login |
| /portal/auth/verify-otp | Verify OTP → receive portal JWT |
| /portal/auth/refresh | Refresh portal session |

Response Envelope
All API responses follow a consistent envelope structure regardless of endpoint.
```json
{
  "success": true,
  "data": { /* response payload */ },
  "meta": {
    "page": 1,
    "limit": 20,
    "total": 150
  },
  "errors": [
    { "code": "VALIDATION_ERROR", "message": "...", "field": "purpose_code" }
  ]
}
```
success: true · data populated
Missing or expired JWT / API Key
Zod DTO validation failure — errors array populated
Consent
17 endpoints
Granular purpose handling, consent collection, withdrawal, real-time status lookup, and cryptographic integrity verification. Every write returns a full proof chain.

| Endpoint | Description |
|---|---|
| /consent/status/:dpId/:purposeCode | Real-time consent status lookup. <50ms, Redis-cached. Use for enforcement at every API call. |
| /consent/batch-status | Batch lookup up to 1,000 principals in a single call. <200ms end-to-end. |
| /consent/verify-integrity/:id | Verify SHA-256 hash chain integrity of any consent record. Returns chain position and verification timestamp. |
| /consent/bulk-collect | Bulk consent collection via CSV or array. Ideal for migrating existing consent records into the platform. |
| /consent/purposes | List all consent purposes in the purpose catalog |
| /consent/purposes | Create a new consent purpose |
| /consent/records | List consent records (paginated, filterable) |
| /consent/collect | Collect consent for a data principal + purpose |
| /consent/withdraw | Record a consent withdrawal with proof |
| /consent/history/:dpId | Full consent history for a data principal |
| /consent/campaigns | List consent campaigns |

Notices
13 endpoints
Versioning, multilingual authoring, legal review, DPO approval workflow, and delivery tracking. Every published notice is locked and auditable.

| Endpoint | Description |
|---|---|
| /notices | List privacy notices |
| /notices | Create a new notice |
| /notices/:id/versions | All versions of a notice (full version history) |
| /notices/:id/publish | Publish a notice version (content locked after publish) |
| /notices/:id/legal-review | Submit notice for legal review |
| /notices/:id/dpo-approve | DPO approves a notice |
| /notices/public/:tenantSlug (PUBLIC) | Latest published notice for tenant — no auth required |
| /notices/:id/deliver/:dpId | Deliver a notice to a specific data principal |

Data Principal Rights (DPR)
15 endpoints
Access, correction, erasure, grievance, and nomination flows with SLA visibility, identity verification, evidence output, and DPBI escalation path.

| Endpoint | Description |
|---|---|
| /dpr | List DPR requests (filterable by type, status, SLA) |
| /dpr | Submit a new DPR request |
| /dpr/:id/verify-identity | Record identity verification method and status |
| /dpr/:id/escalate-dpbi | Escalate to DPBI (adds to escalation log) |
| /dpr/erasure-jobs | List erasure jobs across all DPR requests |
| /dpr/report | DPR performance report (signed PDF/Excel) |
| /portal/dpr (PORTAL) | Submit a rights request as a data principal |

Breach Management
12 endpoints
72-hour clock awareness, DPBI notification, principal alerts, remediation tracking. Reporting a breach immediately starts the countdown timer.

| Endpoint | Description |
|---|---|
| /breaches | Report a breach — starts 72-hour DPBI clock |
| /breaches/:id | Get breach details with live DPBI countdown |
| /breaches/:id/notify-dpbi | Submit DPBI notification (marks timestamp) |
| /breaches/:id/notify-principals | Dispatch principal alert emails at scale |
| /breaches/:id/add-remediation | Add a remediation step with evidence |
| /breaches/:id/close | Close incident (requires DPO sign-off) |
| /breaches/register | Breach Register export (signed PDF) |

DPIA & Governance
13 endpoints
Structured assessment, DPO sign-off, risk tracking, certificates, and signed register exports.

| Endpoint | Description |
|---|---|
| /dpias | List all DPIAs |
| /dpias | Create a new DPIA |
| /dpias/:id/submit-review | Submit for DPO review |
| /dpias/:id/approve | DPO approves a DPIA |
| /dpias/:id/risks | Add a risk to a DPIA |
| /dpias/:id/certificate | Generate DPIA certificate (signed PDF) |
| /dpias/register | DPIA Register export (signed PDF) |

Vendor Management
9 endpoints
Processor visibility, DPA status, assessment cadence, cross-border oversight, and signed risk reports.

| Endpoint | Description |
|---|---|
| /vendors | List all vendors |
| /vendors | Onboard a new vendor |
| /vendors/:id/assess | Create a vendor assessment |
| /vendors/:id/dpa | Upload / update Data Processing Agreement |
| /vendors/:id/cross-border | Document a cross-border transfer arrangement |
| /vendors/report | Vendor Risk Report (signed PDF) |

Consent Propagation
14 endpoints
Downstream webhook management, HMAC-signed delivery, dead-letter queue, retry logic, and propagation monitoring. Withdrawal events propagate in <5 seconds.
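
A receiver-side check for the HMAC-signed deliveries described above, as an added example (not the platform's own code). The signature format (`t=<unix>,v1=<hex>`, HMAC-SHA256 over `<t>.<body>`), the 300-second tolerance and the secrets are assumptions; the page does not document the real header or scheme. Accepting the previous secret alongside the current one keeps deliveries verifiable across a rotate-secret call.

```python
import hashlib
import hmac
import time

TOLERANCE_S = 300  # assumed replay window, in seconds


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Build the assumed header value; used here to construct sample input."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256)
    return f"t={timestamp},v1={mac.hexdigest()}"


def verify_webhook(header: str, body: bytes, secrets: list, now=None) -> bool:
    """Return True only for a fresh delivery signed with an accepted secret.

    `secrets` holds the current secret and, during a rotation overlap,
    the previous one. Any parse failure is a rejection.
    """
    now = time.time() if now is None else now
    try:
        parts = dict(p.split("=", 1) for p in header.split(","))
        timestamp = int(parts["t"])
        received = parts["v1"].encode()
    except (KeyError, ValueError):
        return False
    if abs(now - timestamp) > TOLERANCE_S:
        return False  # stale or future-dated: treat as a replay
    signed = f"{timestamp}.".encode() + body  # verify the raw bytes, not re-serialized JSON
    ok = False
    for secret in secrets:
        expected = hmac.new(secret, signed, hashlib.sha256).hexdigest().encode()
        # compare_digest avoids leaking the match position through timing
        ok |= hmac.compare_digest(expected, received)
    return ok
```

Drop the old secret from `secrets` once the overlap window ends, so a leaked pre-rotation secret stops validating.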

| Endpoint | Description |
|---|---|
| /propagation/webhooks | List registered webhooks |
| /propagation/webhooks | Register a new webhook |
| /propagation/webhooks/:id/test | Send a test event to a webhook |
| /propagation/webhooks/:id/rotate-secret | Rotate HMAC signing secret |
| /propagation/monitor | Dashboard: delivered / retrying / dead-letter |
| /propagation/dead-letter/:id/retry | Retry a dead-letter item |
| /propagation/downstream-apps | List registered downstream applications |

Identity Resolution & Unified Profiles
28 endpoints
Source system connectors, identity resolution rules, human review queue, and canonical unified profile access including identity graph and data asset map.

| Endpoint | Description |
|---|---|
| /source-systems | Register a new source system (CRM, HRIS, etc.) |
| /source-systems/:id/sync | Trigger a manual sync |
| /identity-resolution/run | Trigger an identity resolution pass |
| /identity-resolution/queue/:id/approve | Approve a match (creates canonical link) |
| /unified-profiles/:id | Unified profile: consent history, identity graph, data asset map |
| /unified-profiles/:id/identity-graph | All external IDs linked to this principal |
| /unified-profiles/:id/consent-timeline | Full consent history (signed PDF export) |

Dashboard
8 endpoints

| Endpoint | Description |
|---|---|
| /dashboard | Tenant compliance dashboard (KPIs, posture score) |
| /dashboard/consent-metrics | Consent collection trends and rates |
| /dashboard/dpr-metrics | DPR queue stats, SLA compliance, completion rate |
| /dashboard/risk-heatmap | Data asset × processing risk matrix |
| /dashboard/activity-feed | Live stream of compliance-significant events |
| /dashboard/report | Generate a compliance report (PDF/Excel) |

All 25 API Tag Groups
Full reference across all 188 endpoints. Browse the interactive Swagger UI for request/response schemas, DTOs, and live test execution.
| Tag | Group | Endpoints |
|---|---|---|
| 01 | Auth | 9 |
| 02 | Tenant Management | 25 |
| 03 | Consent | 17 |
| 04 | Campaigns | 7 |
| 05 | Notices | 13 |
| 06 | DPR | 15 |
| 07 | Breach | 12 |
| 08 | DPIA | 13 |
| 09 | Vendor | 9 |
| 10 | Data Map | 7 |
| 11 | Source Systems | 12 |
| 12 | Identity Resolution | 10 |
| 13 | Unified Profiles | 6 |
| 14 | Consent Propagation | 14 |
| 15 | Dashboard | 8 |
| 16 | Portal | 13 |
| 17 | Cookie | 9 |
| 18 | Integration | 9 |
| 19 | Audit | 3 |
| 20 | Training | 8 |
| 21 | Settings | 13 |
| 22 | Notification | 1 |
| 23 | Health | 2 |
| 24 | Data Principals | 6 |
| 25 | Reports | 3 |
| Total | | 188 |
Environments & Swagger UI
QA Environment
Safe sandbox for integration testing. Use MailHog to intercept OTP emails. No real data.
Production
Live environment. AWS Mumbai (ap-south-1). All writes cryptographically signed and stored with 7-year retention.
What the interactive Swagger UI gives you
Browse all 188 endpoints across 25 tag groups
Execute API calls directly from the browser with JWT auth
View request/response schemas (Zod-validated DTOs)
Download the OpenAPI 3.0 spec as JSON or YAML