Skip to main content

EU AI Act API Reference

This reference focuses on the routes that are actually wired in the current enterprise build.

Authentication

EU AI Act endpoints require:

  • X-Org-ID or tenant derived from Basic auth
  • X-User-ID when you want the user or reviewer identity captured on create or action flows

Route Families

FamilyRoutes
ExportsPOST/GET /api/v1/euaiact/export, GET /api/v1/euaiact/export/:id, GET /api/v1/euaiact/export/:id/download
ConformityPOST/GET /api/v1/euaiact/conformity, GET/PUT /api/v1/euaiact/conformity/:id, `POST /api/v1/euaiact/conformity/:id/submit
AccuracyGET /api/v1/euaiact/accuracy, POST /api/v1/euaiact/accuracy/record, POST /api/v1/euaiact/accuracy/bias, GET /api/v1/euaiact/accuracy/history, GET /api/v1/euaiact/accuracy/alerts

Export API

Create export

POST /api/v1/euaiact/export

Supported request fields:

FieldType
export_typeenum
formatenum
date_fromRFC3339 string
date_toRFC3339 string
model_idsstring array
filtersobject

Example:

{
"export_type": "conformity_evidence",
"format": "json",
"date_from": "2026-01-01T00:00:00Z",
"date_to": "2026-03-31T23:59:59Z",
"model_ids": ["credit-scorer-v2"],
"filters": {
"risk_level": "high"
}
}

Implementation notes:

  • invalid timestamps are rejected unless they use RFC3339
  • the handler returns 202 Accepted
  • X-User-ID is captured as requested_by, defaulting to system

List exports

GET /api/v1/euaiact/export?limit=20&offset=0

Returns:

  • exports
  • total
  • limit
  • offset

Get export

GET /api/v1/euaiact/export/:id

Download export

GET /api/v1/euaiact/export/:id/download

Behavior depends on storage:

  • cloud-storage deployments may redirect to a generated download URL
  • local-storage deployments may return file metadata including file_path, file_size, and format

Conformity API

Create assessment

POST /api/v1/euaiact/conformity

Supported request fields:

{
"system_id": "credit-scorer-v2",
"system_name": "Credit Scoring Model v2",
"risk_category": "high",
"assessors": ["risk-team", "governance-team"]
}

List assessments

GET /api/v1/euaiact/conformity?status=pending&limit=20&offset=0

Get assessment

GET /api/v1/euaiact/conformity/:id

Update assessment

PUT /api/v1/euaiact/conformity/:id

The update shape supports:

  • system_name
  • risk_category
  • assessors
  • requirements
  • evidence
  • findings
  • risk_mitigation
  • recommendations

Submit

POST /api/v1/euaiact/conformity/:id/submit

Approve

POST /api/v1/euaiact/conformity/:id/approve

Optional body:

{
"validity_years": 1
}

Reject

POST /api/v1/euaiact/conformity/:id/reject

Accuracy API

Get summary

GET /api/v1/euaiact/accuracy

Record metric

POST /api/v1/euaiact/accuracy/record

Supported request fields:

{
"model_id": "credit-scorer-v2",
"metric_type": "accuracy",
"value": 0.91,
"sample_size": 1200,
"window_start": "2026-03-01T00:00:00Z",
"window_end": "2026-03-15T23:59:59Z",
"metadata": {
"dataset": "production-shadow"
}
}

Record bias comparison

POST /api/v1/euaiact/accuracy/bias

Supported request fields:

{
"model_id": "credit-scorer-v2",
"category": "gender",
"group_a": "female",
"group_b": "male",
"group_a_rate": 0.62,
"group_b_rate": 0.69,
"sample_size": 800
}

History

GET /api/v1/euaiact/accuracy/history?model_id=credit-scorer-v2&metric_type=accuracy&limit=50

Active alerts

GET /api/v1/euaiact/accuracy/alerts

Alert-Route Caveat

The module includes internal alert-action logic, but the currently stable and code-verified path for enterprise teams is the alert listing endpoint above. This page deliberately avoids documenting per-alert action calls as a stable contract until the route wiring is cleaned up.