EU AI Act API Reference
This reference focuses on the routes that are actually wired in the current enterprise build.
Authentication
EU AI Act endpoints require:
X-Org-IDor tenant derived from Basic authX-User-IDwhen you want the user or reviewer identity captured on create or action flows
Route Families
| Family | Routes |
|---|---|
| Exports | POST/GET /api/v1/euaiact/export, GET /api/v1/euaiact/export/:id, GET /api/v1/euaiact/export/:id/download |
| Conformity | POST/GET /api/v1/euaiact/conformity, GET/PUT /api/v1/euaiact/conformity/:id, `POST /api/v1/euaiact/conformity/:id/submit |
| Accuracy | GET /api/v1/euaiact/accuracy, POST /api/v1/euaiact/accuracy/record, POST /api/v1/euaiact/accuracy/bias, GET /api/v1/euaiact/accuracy/history, GET /api/v1/euaiact/accuracy/alerts |
Export API
Create export
POST /api/v1/euaiact/export
Supported request fields:
| Field | Type |
|---|---|
export_type | enum |
format | enum |
date_from | RFC3339 string |
date_to | RFC3339 string |
model_ids | string array |
filters | object |
Example:
{
"export_type": "conformity_evidence",
"format": "json",
"date_from": "2026-01-01T00:00:00Z",
"date_to": "2026-03-31T23:59:59Z",
"model_ids": ["credit-scorer-v2"],
"filters": {
"risk_level": "high"
}
}
Implementation notes:
- invalid timestamps are rejected unless they use RFC3339
- the handler returns
202 Accepted X-User-IDis captured asrequested_by, defaulting tosystem
List exports
GET /api/v1/euaiact/export?limit=20&offset=0
Returns:
exportstotallimitoffset
Get export
GET /api/v1/euaiact/export/:id
Download export
GET /api/v1/euaiact/export/:id/download
Behavior depends on storage:
- cloud-storage deployments may redirect to a generated download URL
- local-storage deployments may return file metadata including
file_path,file_size, andformat
Conformity API
Create assessment
POST /api/v1/euaiact/conformity
Supported request fields:
{
"system_id": "credit-scorer-v2",
"system_name": "Credit Scoring Model v2",
"risk_category": "high",
"assessors": ["risk-team", "governance-team"]
}
List assessments
GET /api/v1/euaiact/conformity?status=pending&limit=20&offset=0
Get assessment
GET /api/v1/euaiact/conformity/:id
Update assessment
PUT /api/v1/euaiact/conformity/:id
The update shape supports:
system_namerisk_categoryassessorsrequirementsevidencefindingsrisk_mitigationrecommendations
Submit
POST /api/v1/euaiact/conformity/:id/submit
Approve
POST /api/v1/euaiact/conformity/:id/approve
Optional body:
{
"validity_years": 1
}
Reject
POST /api/v1/euaiact/conformity/:id/reject
Accuracy API
Get summary
GET /api/v1/euaiact/accuracy
Record metric
POST /api/v1/euaiact/accuracy/record
Supported request fields:
{
"model_id": "credit-scorer-v2",
"metric_type": "accuracy",
"value": 0.91,
"sample_size": 1200,
"window_start": "2026-03-01T00:00:00Z",
"window_end": "2026-03-15T23:59:59Z",
"metadata": {
"dataset": "production-shadow"
}
}
Record bias comparison
POST /api/v1/euaiact/accuracy/bias
Supported request fields:
{
"model_id": "credit-scorer-v2",
"category": "gender",
"group_a": "female",
"group_b": "male",
"group_a_rate": 0.62,
"group_b_rate": 0.69,
"sample_size": 800
}
History
GET /api/v1/euaiact/accuracy/history?model_id=credit-scorer-v2&metric_type=accuracy&limit=50
Active alerts
GET /api/v1/euaiact/accuracy/alerts
Alert-Route Caveat
The module includes internal alert-action logic, but the currently stable and code-verified path for enterprise teams is the alert listing endpoint above. This page deliberately avoids documenting per-alert action calls as a stable contract until the route wiring is cleaned up.
