API Reference
Firm API
Firm self-service endpoints for API keys, webhooks, users, and settings
Endpoints in this group
- GET /v1/firm/me
- PATCH /v1/firm/me/settings
- GET /v1/firm/me/impact-assessments
- POST /v1/firm/me/impact-assessments
- GET /v1/firm/me/impact-assessments/{id}
- POST /v1/firm/me/impact-assessments/{id}
- POST /v1/firm/me/impact-assessments/{id}/supersede
- GET /v1/firm/me/stats
- GET /v1/firm/me/backup-status
- GET /v1/firm/me/api-keys
- POST /v1/firm/me/api-keys
- DELETE /v1/firm/me/api-keys/{keyId}
- GET /v1/firm/me/webhooks
- POST /v1/firm/me/webhooks
- DELETE /v1/firm/me/webhooks/{id}
- GET /v1/firm/me/models
- GET /v1/firm/me/models/drift
- GET /v1/firm/me/models/{provider}/{version}/timeline
- GET /v1/firm/me/users
- POST /v1/firm/me/users
- DELETE /v1/firm/me/users/{id}
- GET /v1/firm/me/incidents
- POST /v1/firm/me/incidents
- GET /v1/firm/me/incidents/stats
- GET /v1/firm/me/incidents/{id}
- POST /v1/firm/me/incidents/{id}
- POST /v1/firm/me/incidents/{id}/remediations
- POST /v1/firm/me/incidents/{id}/remediations/{remediationId}
- GET /v1/firm/me/vulnerability
- GET /v1/firm/me/bias
- GET /v1/firm/me/reports/consumer-duty
- GET /v1/firm/me/reports
- POST /v1/firm/me/reports

GET /v1/firm/me
Get current firm details
Responses
| Field | Type | Req | Description |
|---|---|---|---|
id | string | No | |
name | string | No | |
frnNumber | string | No | |
plan | string | No | LEDGER, PRINCIPAL, BOTH |
enforceImpactAssessments | boolean | No | Whether the firm requires an approved impact assessment for any job that declares a modelProvider/modelVersion. Defaults to true; can be toggled via PATCH /v1/firm/me/settings. |
createdAt | string (date-time) | No |
Example request
curl -X GET "https://api.bedrockcompliance.co.uk/v1/firm/me" \
-H "X-Bedrock-Key: bk_live_your_api_key"

PATCH /v1/firm/me/settings
Update firm settings
Toggle firm-level controls. Currently supports the impact-assessment enforcement gate; more settings will be added here rather than scattered across new endpoints. Compliance-relevant changes emit a FIRM_SETTINGS_UPDATED ledger event carrying the field-level diff and the authenticated actor (user or API key). No-op writes (where the incoming value already matches the stored value) are ignored — nothing is written to the database and no ledger record is emitted.
Request body
| Field | Type | Req | Description |
|---|---|---|---|
enforceImpactAssessments | boolean | No | When true (the default), jobs submitted with a modelProvider/modelVersion are gated on a matching APPROVED impact assessment. |
Responses
| Field | Type | Req | Description |
|---|---|---|---|
id | string | No | |
name | string | No | |
frnNumber | string | No | |
plan | string | No | |
enforceImpactAssessments | boolean | No | |
createdAt | string (date-time) | No |
Example request
curl -X PATCH "https://api.bedrockcompliance.co.uk/v1/firm/me/settings" \
-H "X-Bedrock-Key: bk_live_your_api_key" \
-H "Content-Type: application/json" \
-d '{
"enforceImpactAssessments": true
}'

GET /v1/firm/me/impact-assessments
List Consumer Duty impact assessments
Returns every impact assessment filed by the firm, newest first. Each entry carries the outcome responses, template version, model provider/version (if set), and the users who created and signed off the assessment.
Responses
Example request
curl -X GET "https://api.bedrockcompliance.co.uk/v1/firm/me/impact-assessments" \
-H "X-Bedrock-Key: bk_live_your_api_key"

POST /v1/firm/me/impact-assessments
File a draft impact assessment
Create a new DRAFT impact assessment for an AI use case. When outcomes are omitted, the draft is seeded with empty responses and a LOW risk rating for each of the four PRIN 2A outcome areas so the reviewer can fill them in progressively.
Request body
| Field | Type | Req | Description |
|---|---|---|---|
useCase | string | Yes | |
description | string | Yes | |
modelProvider | string \| null | No | Optional. Pair with modelVersion to tie this assessment to a specific model and feed the enforcement gate on job submission. |
modelVersion | string \| null | No | |
outcomes | ImpactAssessmentOutcomes | No | Optional. When omitted, the draft is seeded with empty responses and a LOW risk rating per outcome. |
Responses
| Field | Type | Req | Description |
|---|---|---|---|
id | string | Yes | |
firmId | string | Yes | |
useCase | string | Yes | Short title for the AI use case (e.g. 'GPT-4 fact-find summariser'). |
description | string | Yes | What the AI does and where in the workflow it runs. |
modelProvider | string \| null | No | AI model provider this assessment covers (e.g. 'openai'). When set with modelVersion and the firm has enforceImpactAssessments on, jobs declaring the same provider/version are gated on this assessment reaching APPROVED. |
modelVersion | string \| null | No | Specific model version this assessment covers (e.g. 'gpt-4o-2024-08-06'). |
templateVersion | integer | Yes | Template schema version the outcomes conform to. v1 is the only template today. |
outcomes | ImpactAssessmentOutcomes | Yes | |
status | ImpactAssessmentStatus | Yes | |
createdById | string \| null | No | |
signedOffById | string \| null | No | |
signedOffAt | string (date-time) \| null | No | Server-controlled. Stamped when the assessment transitions to APPROVED. |
createdAt | string (date-time) | Yes | |
updatedAt | string (date-time) | Yes | |
createdBy | object \| null | No | |
signedOffBy | object \| null | No | |
ledgerRecordId | string \| null | No | Ledger record this assessment is anchored to once approved. Null before approval. Use as the key to fetch the certificate PDF via `GET /v1/ledger/records/{id}/certificate`. |
certificateId | string \| null | No | Certificate id, populated once cert-gen finishes after approval. Use for verify deep-links. |
Example request
curl -X POST "https://api.bedrockcompliance.co.uk/v1/firm/me/impact-assessments" \
-H "X-Bedrock-Key: bk_live_your_api_key" \
-H "Content-Type: application/json" \
-d '{
"useCase": "<useCase>",
"description": "<description>",
"modelProvider": "<modelProvider>",
"modelVersion": "<modelVersion>",
"outcomes": {}
}'

GET /v1/firm/me/impact-assessments/{id}
Get an impact assessment
Parameters
| Parameter | In | Type | Req | Description |
|---|---|---|---|---|
id | path | string | Yes |
Responses
| Field | Type | Req | Description |
|---|---|---|---|
id | string | Yes | |
firmId | string | Yes | |
useCase | string | Yes | Short title for the AI use case (e.g. 'GPT-4 fact-find summariser'). |
description | string | Yes | What the AI does and where in the workflow it runs. |
modelProvider | string \| null | No | AI model provider this assessment covers (e.g. 'openai'). When set with modelVersion and the firm has enforceImpactAssessments on, jobs declaring the same provider/version are gated on this assessment reaching APPROVED. |
modelVersion | string \| null | No | Specific model version this assessment covers (e.g. 'gpt-4o-2024-08-06'). |
templateVersion | integer | Yes | Template schema version the outcomes conform to. v1 is the only template today. |
outcomes | ImpactAssessmentOutcomes | Yes | |
status | ImpactAssessmentStatus | Yes | |
createdById | string \| null | No | |
signedOffById | string \| null | No | |
signedOffAt | string (date-time) \| null | No | Server-controlled. Stamped when the assessment transitions to APPROVED. |
createdAt | string (date-time) | Yes | |
updatedAt | string (date-time) | Yes | |
createdBy | object \| null | No | |
signedOffBy | object \| null | No | |
ledgerRecordId | string \| null | No | Ledger record this assessment is anchored to once approved. Null before approval. Use as the key to fetch the certificate PDF via `GET /v1/ledger/records/{id}/certificate`. |
certificateId | string \| null | No | Certificate id, populated once cert-gen finishes after approval. Use for verify deep-links. |
Example request
curl -X GET "https://api.bedrockcompliance.co.uk/v1/firm/me/impact-assessments/<id>" \
-H "X-Bedrock-Key: bk_live_your_api_key"

POST /v1/firm/me/impact-assessments/{id}
Update or transition an impact assessment
Edits the draft content and/or moves the assessment through its status graph: DRAFT → PENDING_SIGNOFF → APPROVED / REJECTED → SUPERSEDED. Approving requires an authenticated LEAD_REVIEWER or FIRM_ADMIN and produces an IMPACT_ASSESSMENT_APPROVED ledger event. APPROVED and SUPERSEDED assessments are immutable — further edits return 409 CONFLICT.
Parameters
| Parameter | In | Type | Req | Description |
|---|---|---|---|---|
id | path | string | Yes |
Request body
| Field | Type | Req | Description |
|---|---|---|---|
useCase | string | No | |
description | string | No | |
modelProvider | string \| null | No | |
modelVersion | string \| null | No | |
outcomes | ImpactAssessmentOutcomes | No | |
status | ImpactAssessmentStatus | No |
Responses
| Field | Type | Req | Description |
|---|---|---|---|
id | string | Yes | |
firmId | string | Yes | |
useCase | string | Yes | Short title for the AI use case (e.g. 'GPT-4 fact-find summariser'). |
description | string | Yes | What the AI does and where in the workflow it runs. |
modelProvider | string \| null | No | AI model provider this assessment covers (e.g. 'openai'). When set with modelVersion and the firm has enforceImpactAssessments on, jobs declaring the same provider/version are gated on this assessment reaching APPROVED. |
modelVersion | string \| null | No | Specific model version this assessment covers (e.g. 'gpt-4o-2024-08-06'). |
templateVersion | integer | Yes | Template schema version the outcomes conform to. v1 is the only template today. |
outcomes | ImpactAssessmentOutcomes | Yes | |
status | ImpactAssessmentStatus | Yes | |
createdById | string \| null | No | |
signedOffById | string \| null | No | |
signedOffAt | string (date-time) \| null | No | Server-controlled. Stamped when the assessment transitions to APPROVED. |
createdAt | string (date-time) | Yes | |
updatedAt | string (date-time) | Yes | |
createdBy | object \| null | No | |
signedOffBy | object \| null | No | |
ledgerRecordId | string \| null | No | Ledger record this assessment is anchored to once approved. Null before approval. Use as the key to fetch the certificate PDF via `GET /v1/ledger/records/{id}/certificate`. |
certificateId | string \| null | No | Certificate id, populated once cert-gen finishes after approval. Use for verify deep-links. |
Example request
curl -X POST "https://api.bedrockcompliance.co.uk/v1/firm/me/impact-assessments/<id>" \
-H "X-Bedrock-Key: bk_live_your_api_key" \
-H "Content-Type: application/json" \
-d '{
"useCase": "<useCase>",
"description": "<description>",
"modelProvider": "<modelProvider>",
"modelVersion": "<modelVersion>",
"outcomes": {},
"status": "<status>"
}'

POST /v1/firm/me/impact-assessments/{id}/supersede
Mark an assessment as superseded
Retires an assessment in favour of a newer one covering the same use case. Superseded assessments are kept for audit trail but no longer count toward the impact-assessment enforcement gate.
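The gate semantics described on this page (only an APPROVED assessment for the same provider/version counts, superseded ones do not, enforcement defaults to on) can be checked client-side before a job is submitted. The following is an added example, not Bedrock's code: the assessment and firm field names come from this page, while the job dict, the model-registry keys `provider`/`version`, exact string matching and all sample records are assumptions.

```python
# Added example: pre-flight check for the impact-assessment enforcement gate.
# Assessment and firm field names are taken from this page. The job dict, the
# registry keys ("provider", "version") and the sample data are assumptions.


def approved_coverage(assessments):
    """Map (provider, version) -> ids of APPROVED assessments covering it."""
    covered = {}
    for a in assessments:
        pair = (a.get("modelProvider"), a.get("modelVersion"))
        # Only APPROVED counts. DRAFT, PENDING_SIGNOFF, REJECTED and
        # SUPERSEDED assessments never open the gate.
        if a.get("status") == "APPROVED" and all(pair):
            covered.setdefault(pair, []).append(a["id"])
    return covered


def gate_decision(firm, assessments, job):
    """Return (verdict, reason); verdict is PASS, BLOCKED, NOT_GATED or
    NOT_ENFORCED."""
    if not firm.get("enforceImpactAssessments", True):  # documented default: true
        return ("NOT_ENFORCED", "enforceImpactAssessments is off for this firm")
    pair = (job.get("modelProvider"), job.get("modelVersion"))
    if not any(pair):
        return ("NOT_GATED", "job declares no model")
    if not all(pair):
        # Conservative choice of this example: the page does not say how a
        # half-declared model is treated by the server.
        return ("BLOCKED", "modelProvider and modelVersion must be declared together")
    ids = approved_coverage(assessments).get(pair)
    if ids:
        return ("PASS", "covered by " + ", ".join(ids))
    # Explain the block: list same-model assessments that are not APPROVED.
    same_model = [
        f"{a['id']} is {a['status']}"
        for a in assessments
        if (a.get("modelProvider"), a.get("modelVersion")) == pair
    ]
    return ("BLOCKED", "; ".join(same_model) or "no assessment filed for this model")


def uncovered_models(models, assessments):
    """Models seen on jobs that would be blocked once enforcement is on."""
    covered = set(approved_coverage(assessments))
    return sorted({(m["provider"], m["version"]) for m in models} - covered)


# Constructed sample data (not real API output).
FIRM = {"id": "firm_demo", "enforceImpactAssessments": True}
ASSESSMENTS = [
    {"id": "ia_1", "status": "APPROVED",
     "modelProvider": "openai", "modelVersion": "gpt-4o-2024-08-06"},
    {"id": "ia_2", "status": "SUPERSEDED",
     "modelProvider": "example-provider", "modelVersion": "v1"},
    {"id": "ia_3", "status": "PENDING_SIGNOFF",
     "modelProvider": "example-provider", "modelVersion": "v2"},
    # Approved, but not tied to a model, so it cannot satisfy the gate.
    {"id": "ia_4", "status": "APPROVED",
     "modelProvider": None, "modelVersion": None},
]
MODELS = [
    {"provider": "openai", "version": "gpt-4o-2024-08-06"},
    {"provider": "example-provider", "version": "v1"},
    {"provider": "example-provider", "version": "v2"},
]

if __name__ == "__main__":
    for m in MODELS:
        job = {"modelProvider": m["provider"], "modelVersion": m["version"]}
        print(m["provider"], m["version"], gate_decision(FIRM, ASSESSMENTS, job))
    print("uncovered:", uncovered_models(MODELS, ASSESSMENTS))
```

Running `uncovered_models` against the model registry before superseding an assessment or switching enforcement back on shows which jobs would start being refused.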
Parameters
| Parameter | In | Type | Req | Description |
|---|---|---|---|---|
id | path | string | Yes |
Responses
| Field | Type | Req | Description |
|---|---|---|---|
id | string | Yes | |
firmId | string | Yes | |
useCase | string | Yes | Short title for the AI use case (e.g. 'GPT-4 fact-find summariser'). |
description | string | Yes | What the AI does and where in the workflow it runs. |
modelProvider | string \| null | No | AI model provider this assessment covers (e.g. 'openai'). When set with modelVersion and the firm has enforceImpactAssessments on, jobs declaring the same provider/version are gated on this assessment reaching APPROVED. |
modelVersion | string \| null | No | Specific model version this assessment covers (e.g. 'gpt-4o-2024-08-06'). |
templateVersion | integer | Yes | Template schema version the outcomes conform to. v1 is the only template today. |
outcomes | ImpactAssessmentOutcomes | Yes | |
status | ImpactAssessmentStatus | Yes | |
createdById | string \| null | No | |
signedOffById | string \| null | No | |
signedOffAt | string (date-time) \| null | No | Server-controlled. Stamped when the assessment transitions to APPROVED. |
createdAt | string (date-time) | Yes | |
updatedAt | string (date-time) | Yes | |
createdBy | object \| null | No | |
signedOffBy | object \| null | No | |
ledgerRecordId | string \| null | No | Ledger record this assessment is anchored to once approved. Null before approval. Use as the key to fetch the certificate PDF via `GET /v1/ledger/records/{id}/certificate`. |
certificateId | string \| null | No | Certificate id, populated once cert-gen finishes after approval. Use for verify deep-links. |
Example request
curl -X POST "https://api.bedrockcompliance.co.uk/v1/firm/me/impact-assessments/<id>/supersede" \
-H "X-Bedrock-Key: bk_live_your_api_key"

GET /v1/firm/me/stats
Get current firm statistics
Responses
| Field | Type | Req | Description |
|---|---|---|---|
recordCount | integer | No | |
certificateCount | integer | No | |
jobCount | integer | No |
Example request
curl -X GET "https://api.bedrockcompliance.co.uk/v1/firm/me/stats" \
-H "X-Bedrock-Key: bk_live_your_api_key"

GET /v1/firm/me/backup-status
Get immutable backup status for the firm
Responses
| Field | Type | Req | Description |
|---|---|---|---|
healthy | boolean | No | |
database | object | No | |
immutableStorage | object | No | |
countsMatch | boolean | No | |
latestRecord | object \| null | No | |
spotChecks | object[] | No | |
checkedAt | string (date-time) | No |
Example request
curl -X GET "https://api.bedrockcompliance.co.uk/v1/firm/me/backup-status" \
-H "X-Bedrock-Key: bk_live_your_api_key"

GET /v1/firm/me/api-keys
List API keys for the authenticated firm
Responses
Example request
curl -X GET "https://api.bedrockcompliance.co.uk/v1/firm/me/api-keys" \
-H "X-Bedrock-Key: bk_live_your_api_key"

POST /v1/firm/me/api-keys
Generate a new API key
Request body
| Field | Type | Req | Description |
|---|---|---|---|
name | string | Yes | Name/label for the API key |
Responses
| Field | Type | Req | Description |
|---|---|---|---|
id | string | No | |
key | string | No | The full API key — only returned at creation time |
name | string | No | |
createdAt | string (date-time) | No |
Example request
curl -X POST "https://api.bedrockcompliance.co.uk/v1/firm/me/api-keys" \
-H "X-Bedrock-Key: bk_live_your_api_key" \
-H "Content-Type: application/json" \
-d '{
"name": "<name>"
}'

DELETE /v1/firm/me/api-keys/{keyId}
Revoke an API key
Parameters
| Parameter | In | Type | Req | Description |
|---|---|---|---|---|
keyId | path | string | Yes | API key ID |
Responses
Example request
curl -X DELETE "https://api.bedrockcompliance.co.uk/v1/firm/me/api-keys/<keyId>" \
-H "X-Bedrock-Key: bk_live_your_api_key"

GET /v1/firm/me/webhooks
List webhook endpoints for the authenticated firm
Responses
Example request
curl -X GET "https://api.bedrockcompliance.co.uk/v1/firm/me/webhooks" \
-H "X-Bedrock-Key: bk_live_your_api_key"

POST /v1/firm/me/webhooks
Register a webhook endpoint
Request body
| Field | Type | Req | Description |
|---|---|---|---|
url | string (uri) | Yes | |
events | string[] | Yes | Event types to subscribe to |
Responses
| Field | Type | Req | Description |
|---|---|---|---|
id | string | No | |
firmId | string | No | |
url | string (uri) | No | |
events | string[] | No | |
createdAt | string (date-time) | No | |
deactivatedAt | string (date-time) \| null | No |
Example request
curl -X POST "https://api.bedrockcompliance.co.uk/v1/firm/me/webhooks" \
-H "X-Bedrock-Key: bk_live_your_api_key" \
-H "Content-Type: application/json" \
-d '{
"url": "https://example.com",
"events": []
}'

DELETE /v1/firm/me/webhooks/{id}
Deactivate a webhook endpoint
Parameters
| Parameter | In | Type | Req | Description |
|---|---|---|---|---|
id | path | string | Yes | Webhook ID |
Responses
Example request
curl -X DELETE "https://api.bedrockcompliance.co.uk/v1/firm/me/webhooks/<id>" \
-H "X-Bedrock-Key: bk_live_your_api_key"

GET /v1/firm/me/models
List AI models tracked for the firm
Returns every distinct (provider, version) pair that has appeared on a review job, with usage counts and outcome rates. The registry is the entry point for AI accountability evidence — every advice record is tagged with the model that produced it.
Responses
Example request
curl -X GET "https://api.bedrockcompliance.co.uk/v1/firm/me/models" \
-H "X-Bedrock-Key: bk_live_your_api_key"

GET /v1/firm/me/models/drift
Detect drift across all AI models
Compares the trailing window against the prior baseline window for every (provider, version) the firm uses. Surfaces statistically significant changes in rejection rate, modification rate, and reviewer annotation frequency. Each model needs at least 5 completed jobs in both windows for a signal to fire.
Parameters
| Parameter | In | Type | Req | Description |
|---|---|---|---|---|
baselineDays | query | integer | No | Length of the baseline window in days (defaults to 90). |
currentDays | query | integer | No | Length of the current window in days (defaults to 30). |
Responses
| Field | Type | Req | Description |
|---|---|---|---|
signals | ModelDriftSignal[] | No | All triggered drift signals, sorted by severity (alert > warning > info). |
thresholds | object | No | |
baselineWindowDays | integer | No | |
currentWindowDays | integer | No |
Example request
curl -X GET "https://api.bedrockcompliance.co.uk/v1/firm/me/models/drift" \
-H "X-Bedrock-Key: bk_live_your_api_key"

GET /v1/firm/me/models/{provider}/{version}/timeline
Weekly quality timeline for a model version
Returns weekly buckets of approval / modification / rejection rates and reviewer annotation counts for a specific model version. Use this to drill into a drift signal and see exactly when the regression started.
Parameters
| Parameter | In | Type | Req | Description |
|---|---|---|---|---|
provider | path | string | Yes | Model provider (e.g. "openai") |
version | path | string | Yes | Model version (e.g. "gpt-4o-2024-08-06") |
from | query | string | No | Start of the window (defaults to 180 days ago). |
to | query | string | No | End of the window (defaults to now). |
Responses
Example request
curl -X GET "https://api.bedrockcompliance.co.uk/v1/firm/me/models/<provider>/<version>/timeline" \
-H "X-Bedrock-Key: bk_live_your_api_key"

GET /v1/firm/me/users
List users for the firm
Responses
Example request
curl -X GET "https://api.bedrockcompliance.co.uk/v1/firm/me/users" \
-H "X-Bedrock-Key: bk_live_your_api_key"

POST /v1/firm/me/users
Invite a user to the firm
Request body
| Field | Type | Req | Description |
|---|---|---|---|
name | string | Yes | |
email | string (email) | Yes | |
fcaRef | string | No | FCA individual reference number |
qualifications | string[] | No | |
role | string | No | FIRM_ADMIN, REVIEWER, LEAD_REVIEWER |
Responses
| Field | Type | Req | Description |
|---|---|---|---|
id | string | No | |
name | string | No | |
email | string (email) | No | |
fcaRef | string \| null | No | |
qualifications | string[] | No | |
role | string | No | FIRM_ADMIN, REVIEWER, LEAD_REVIEWER |
isAvailable | boolean | No | |
invitedAt | string (date-time) | No | |
activatedAt | string (date-time) \| null | No | |
deactivatedAt | string (date-time) \| null | No | |
activeJobId | string \| null | No |
Example request
curl -X POST "https://api.bedrockcompliance.co.uk/v1/firm/me/users" \
-H "X-Bedrock-Key: bk_live_your_api_key" \
-H "Content-Type: application/json" \
-d '{
"name": "<name>",
"email": "<email>",
"fcaRef": "<fcaRef>",
"qualifications": [],
"role": "<role>"
}'

DELETE /v1/firm/me/users/{id}
Deactivate a user
Parameters
| Parameter | In | Type | Req | Description |
|---|---|---|---|---|
id | path | string | Yes | User ID |
Responses
Example request
curl -X DELETE "https://api.bedrockcompliance.co.uk/v1/firm/me/users/<id>" \
-H "X-Bedrock-Key: bk_live_your_api_key"

GET /v1/firm/me/incidents
List incidents for the firm
Returns the 200 most recent incidents for the authenticated firm, newest first. Each incident includes any remediation actions attached to it and the user who reported it.
Responses
Example request
curl -X GET "https://api.bedrockcompliance.co.uk/v1/firm/me/incidents" \
-H "X-Bedrock-Key: bk_live_your_api_key"

POST /v1/firm/me/incidents
Log a new incident
Creates a new incident and enqueues an INCIDENT_LOGGED record to the immutable ledger. The incident snapshot (id, title, severity, category, affected jobs/records, reportedAt) is hashed and anchored to the ledger chain.
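To show what hashing a snapshot and anchoring it to a chain buys an auditor, here is an added example (not Bedrock's implementation) that hashes the snapshot fields listed above and links records by previous hash. The page does not specify the hash function, the serialisation or the record layout, so SHA-256 over sorted-key JSON, the `prevHash`/`payloadHash`/`recordHash` names, the all-zero genesis value and the sample incidents are all assumptions.

```python
import hashlib
import json

# Snapshot fields as listed on this page for INCIDENT_LOGGED.
SNAPSHOT_FIELDS = ("id", "title", "severity", "category",
                   "affectedReviewJobIds", "affectedLedgerRecordIds", "reportedAt")
GENESIS = "0" * 64  # assumed prevHash of the first record


def snapshot_hash(incident):
    """SHA-256 over a canonical JSON encoding of the snapshot fields only."""
    snap = {k: incident[k] for k in SNAPSHOT_FIELDS}
    canonical = json.dumps(snap, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def record_hash(prev_hash, event_type, payload_hash):
    """Bind a record to its predecessor, its type and its payload."""
    data = f"{prev_hash}|{event_type}|{payload_hash}".encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def append_incident(chain, incident, event_type="INCIDENT_LOGGED"):
    """Append one ledger record for the incident and return it."""
    prev = chain[-1]["recordHash"] if chain else GENESIS
    payload = snapshot_hash(incident)
    chain.append({
        "eventType": event_type,
        "incidentId": incident["id"],
        "payloadHash": payload,
        "prevHash": prev,
        "recordHash": record_hash(prev, event_type, payload),
    })
    return chain[-1]


def first_bad_record(chain, incidents_by_id):
    """Index of the first record that fails verification, or None."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        incident = incidents_by_id.get(rec["incidentId"])
        ok = (
            incident is not None
            and rec["prevHash"] == prev
            and rec["payloadHash"] == snapshot_hash(incident)
            and rec["recordHash"] == record_hash(prev, rec["eventType"], rec["payloadHash"])
        )
        if not ok:
            return i
        prev = rec["recordHash"]
    return None


def sample_incidents():
    """Constructed incidents; severity/category values are placeholders."""
    return {
        "inc_1": {"id": "inc_1", "title": "Summary omitted a fee disclosure",
                  "description": "Found during spot check.",
                  "severity": "CRITICAL", "category": "EXAMPLE_CATEGORY",
                  "affectedReviewJobIds": ["job_10", "job_11"],
                  "affectedLedgerRecordIds": ["rec_7"],
                  "reportedAt": "2025-01-10T09:00:00Z"},
        "inc_2": {"id": "inc_2", "title": "Wrong risk profile applied",
                  "description": "Reported by reviewer.",
                  "severity": "CRITICAL", "category": "EXAMPLE_CATEGORY",
                  "affectedReviewJobIds": ["job_20", "job_21"],
                  "affectedLedgerRecordIds": [],
                  "reportedAt": "2025-01-12T14:30:00Z"},
    }


def build_chain(incidents_by_id):
    chain = []
    for incident in incidents_by_id.values():
        append_incident(chain, incident)
    return chain


if __name__ == "__main__":
    incidents = sample_incidents()
    chain = build_chain(incidents)
    print("clean:", first_bad_record(chain, incidents))
    incidents["inc_2"]["affectedReviewJobIds"].pop()  # shrink the reported scope
    print("after tampering:", first_bad_record(chain, incidents))
```

Because `description` is not among the snapshot fields listed on this page, editing it leaves the hash unchanged in this sketch, whereas narrowing the affected-job list or dropping an earlier record is detected.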
Request body
| Field | Type | Req | Description |
|---|---|---|---|
title | string | Yes | |
description | string | Yes | |
severity | IncidentSeverity | Yes | |
category | IncidentCategory | Yes | |
affectedReviewJobIds | string[] | No | |
affectedLedgerRecordIds | string[] | No |
Responses
| Field | Type | Req | Description |
|---|---|---|---|
id | string | Yes | |
firmId | string | Yes | |
title | string | Yes | |
description | string | Yes | |
severity | IncidentSeverity | Yes | |
category | IncidentCategory | Yes | |
status | IncidentStatus | Yes | |
reportedAt | string (date-time) | Yes | |
reportedById | string \| null | No | |
resolvedAt | string (date-time) \| null | No | Server-controlled. Stamped when status transitions to RESOLVED or CLOSED. |
rootCause | string \| null | No | |
affectedReviewJobIds | string[] | Yes | Review job IDs affected by the incident. |
affectedLedgerRecordIds | string[] | Yes | Ledger record IDs affected by the incident. |
metadata | object | Yes | |
remediations | IncidentRemediation[] | No | Remediation actions, present when the incident is fetched individually. |
reportedBy | object \| null | No |
Example request
curl -X POST "https://api.bedrockcompliance.co.uk/v1/firm/me/incidents" \
-H "X-Bedrock-Key: bk_live_your_api_key" \
-H "Content-Type: application/json" \
-d '{
"title": "<title>",
"description": "<description>",
"severity": "<severity>",
"category": "<category>",
"affectedReviewJobIds": [],
"affectedLedgerRecordIds": []
}'

GET /v1/firm/me/incidents/stats
Incident statistics and trends
Aggregate counts (total, open, resolved, critical), a breakdown by category, and a 12-month trend of incident volume. Open counts include OPEN, INVESTIGATING, and REMEDIATING states.
Responses
| Field | Type | Req | Description |
|---|---|---|---|
total | integer | Yes | |
open | integer | Yes | Incidents in OPEN, INVESTIGATING, or REMEDIATING state. |
resolved | integer | Yes | Incidents in RESOLVED or CLOSED state. |
critical | integer | Yes | Incidents with severity CRITICAL (any status). |
byCategory | object | Yes | Count of incidents per category. |
trend | object[] | Yes | Trailing 12 months of incident volume, oldest first. |
Example request
curl -X GET "https://api.bedrockcompliance.co.uk/v1/firm/me/incidents/stats" \
-H "X-Bedrock-Key: bk_live_your_api_key"

GET /v1/firm/me/incidents/{id}
Get an incident with remediations
Returns a single incident scoped to the authenticated firm, with all attached remediation actions and the user who reported it.
Parameters
| Parameter | In | Type | Req | Description |
|---|---|---|---|---|
id | path | string | Yes | Incident identifier |
Responses
| Field | Type | Req | Description |
|---|---|---|---|
id | string | Yes | |
firmId | string | Yes | |
title | string | Yes | |
description | string | Yes | |
severity | IncidentSeverity | Yes | |
category | IncidentCategory | Yes | |
status | IncidentStatus | Yes | |
reportedAt | string (date-time) | Yes | |
reportedById | string \| null | No | |
resolvedAt | string (date-time) \| null | No | Server-controlled. Stamped when status transitions to RESOLVED or CLOSED. |
rootCause | string \| null | No | |
affectedReviewJobIds | string[] | Yes | Review job IDs affected by the incident. |
affectedLedgerRecordIds | string[] | Yes | Ledger record IDs affected by the incident. |
metadata | object | Yes | |
remediations | IncidentRemediation[] | No | Remediation actions, present when the incident is fetched individually. |
reportedBy | object \| null | No |
Example request
curl -X GET "https://api.bedrockcompliance.co.uk/v1/firm/me/incidents/<id>" \
-H "X-Bedrock-Key: bk_live_your_api_key"

POST /v1/firm/me/incidents/{id}
Update incident status or root cause
Updates an incident's status and/or root cause. Uses POST rather than PATCH for consistency with the rest of this namespace. When the status transitions to RESOLVED or CLOSED the server stamps resolvedAt and enqueues an INCIDENT_RESOLVED record to the immutable ledger.
Parameters
| Parameter | In | Type | Req | Description |
|---|---|---|---|---|
id | path | string | Yes | Incident identifier |
Request body
| Field | Type | Req | Description |
|---|---|---|---|
status | IncidentStatus | No | |
rootCause | string \| null | No | Pass null to clear a previously-set root cause. resolvedAt is server-controlled and cannot be set via this endpoint. |
Responses
| Field | Type | Req | Description |
|---|---|---|---|
id | string | Yes | |
firmId | string | Yes | |
title | string | Yes | |
description | string | Yes | |
severity | IncidentSeverity | Yes | |
category | IncidentCategory | Yes | |
status | IncidentStatus | Yes | |
reportedAt | string (date-time) | Yes | |
reportedById | string \| null | No | |
resolvedAt | string (date-time) \| null | No | Server-controlled. Stamped when status transitions to RESOLVED or CLOSED. |
rootCause | string \| null | No | |
affectedReviewJobIds | string[] | Yes | Review job IDs affected by the incident. |
affectedLedgerRecordIds | string[] | Yes | Ledger record IDs affected by the incident. |
metadata | object | Yes | |
remediations | IncidentRemediation[] | No | Remediation actions, present when the incident is fetched individually. |
reportedBy | object \| null | No |
Example request
curl -X POST "https://api.bedrockcompliance.co.uk/v1/firm/me/incidents/<id>" \
-H "X-Bedrock-Key: bk_live_your_api_key" \
-H "Content-Type: application/json" \
-d '{
"status": "<status>",
"rootCause": "<rootCause>"
}'

POST /v1/firm/me/incidents/{id}/remediations
Add a remediation action to an incident
Attach a new remediation action (with optional owner and due date) to an existing incident.
Parameters
| Parameter | In | Type | Req | Description |
|---|---|---|---|---|
id | path | string | Yes | Incident identifier |
Request body
| Field | Type | Req | Description |
|---|---|---|---|
description | string | Yes | |
ownerName | string | No | |
dueAt | string (date-time) | No |
Responses
| Field | Type | Req | Description |
|---|---|---|---|
id | string | Yes | |
incidentId | string | Yes | |
description | string | Yes | |
status | RemediationStatus | Yes | |
ownerName | string \| null | No | |
dueAt | string (date-time) \| null | No | |
completedAt | string (date-time) \| null | No | Server-controlled: set when status becomes COMPLETED, cleared otherwise. |
createdAt | string (date-time) | Yes |
Example request
curl -X POST "https://api.bedrockcompliance.co.uk/v1/firm/me/incidents/<id>/remediations" \
-H "X-Bedrock-Key: bk_live_your_api_key" \
-H "Content-Type: application/json" \
-d '{
"description": "<description>",
"ownerName": "<ownerName>",
"dueAt": "<dueAt>"
}'

POST /v1/firm/me/incidents/{id}/remediations/{remediationId}
Update a remediation action
Update the status of an existing remediation. completedAt is server-controlled: it is set when the status becomes COMPLETED and cleared otherwise.
Parameters
| Parameter | In | Type | Req | Description |
|---|---|---|---|---|
id | path | string | Yes | Incident identifier |
remediationId | path | string | Yes | Remediation identifier |
Request body
| Field | Type | Req | Description |
|---|---|---|---|
status | RemediationStatus | No |
Responses
| Field | Type | Req | Description |
|---|---|---|---|
id | string | Yes | |
incidentId | string | Yes | |
description | string | Yes | |
status | RemediationStatus | Yes | |
ownerName | string \| null | No | |
dueAt | string (date-time) \| null | No | |
completedAt | string (date-time) \| null | No | Server-controlled: set when status becomes COMPLETED, cleared otherwise. |
createdAt | string (date-time) | Yes |
Example request
curl -X POST "https://api.bedrockcompliance.co.uk/v1/firm/me/incidents/<id>/remediations/<remediationId>" \
-H "X-Bedrock-Key: bk_live_your_api_key" \
-H "Content-Type: application/json" \
-d '{
"status": "<status>"
}'

GET /v1/firm/me/vulnerability
Vulnerability handling report (FG21/1)
Aggregated handling of FCA FG21/1 vulnerability drivers (health, life event, capability, financial resilience) across review jobs. Includes per-flag outcome breakdowns, counts of specialist reviewers and reviews awaiting senior sign-off, and a sample of recent flagged jobs.
Responses
| Field | Type | Req | Description |
|---|---|---|---|
totalFlaggedJobs | integer | Yes | |
totalUnflaggedJobs | integer | Yes | |
flagBreakdown | VulnerabilityFlagBreakdown[] | Yes | |
specialistReviewerCount | integer | Yes | Reviewers trained to handle vulnerable clients. |
totalReviewerCount | integer | Yes | |
awaitingSeniorSignOff | integer | Yes | Flagged jobs still awaiting senior reviewer sign-off. |
recentFlaggedJobs | object[] | Yes |
Example request
curl -X GET "https://api.bedrockcompliance.co.uk/v1/firm/me/vulnerability" \
-H "X-Bedrock-Key: bk_live_your_api_key"

GET /v1/firm/me/bias
Bias / fairness report across client segments
Splits completed review outcomes by client segment dimensions (age band, risk profile, product type, etc.) and flags segments whose rejection or modification rates diverge materially from the baseline or exceed an absolute rejection threshold. Flags come in two kinds: 'divergence' (rate differs from the dimension baseline) and 'absolute' (rate exceeds the configured threshold).
Parameters
| Parameter | In | Type | Req | Description |
|---|---|---|---|---|
from | query | string | No | Start of reporting period (ISO date or datetime; defaults to 12 months ago). Date-only values are interpreted as the start of that UTC day. |
to | query | string | No | End of reporting period (ISO date treated as end-of-day; defaults to now). |
rejectionThreshold | query | number | No | Absolute rejection-rate threshold for alerts, 0 to 1. Defaults to 0.3. |
Responses
| Field | Type | Req | Description |
|---|---|---|---|
periodFrom | string (date-time) | Yes | |
periodTo | string (date-time) | Yes | Inclusive end of the reporting period (23:59:59.999 UTC for date-only inputs). |
totalRecords | integer | Yes | |
overallRejectionRate | number (float) | Yes | Overall rejection rate across every completed job in the period, regardless of which segment dimensions each job populates. |
dimensions | SegmentDimension[] | Yes | |
flags | BiasFlag[] | Yes | All flags raised, aggregated across dimensions. |
thresholds | object | Yes | Divergence thresholds, absolute delta from baseline. |
rejectionAlertThreshold | number (float) | Yes | Absolute rejection-rate threshold used to raise 'absolute' flags. |
trend | BiasTrendPoint[] | Yes |
Example request
curl -X GET "https://api.bedrockcompliance.co.uk/v1/firm/me/bias" \
-H "X-Bedrock-Key: bk_live_your_api_key"

GET /v1/firm/me/reports/consumer-duty
Consumer Duty outcome metrics
Returns Consumer Duty outcome and control-evidence metrics for a reporting period: outcome breakdown, SLA compliance, reviewer workload, document-type breakdown, monthly outcome buckets, and a ledger crypto anchor covering the window. Includes the previous period's outcomes and SLA for comparison.
Parameters
| Parameter | In | Type | Req | Description |
|---|---|---|---|---|
from | query | string | No | Start of reporting period. ISO date or datetime. Defaults to the start of the current quarter. |
to | query | string | No | End of reporting period. ISO date treated as end-of-day. Defaults to today. |
Responses
| Field | Type | Req | Description |
|---|---|---|---|
periodFrom | string (date-time) | Yes | |
periodTo | string (date-time) | Yes | Inclusive end of the reporting period. |
metrics | ConsumerDutyMetrics | Yes |
Example request
curl -X GET "https://api.bedrockcompliance.co.uk/v1/firm/me/reports/consumer-duty" \
-H "X-Bedrock-Key: bk_live_your_api_key"

GET /v1/firm/me/reports
List generated reports
Returns the audit log of previously-generated reports. Optionally filter by report type.
Parameters
| Parameter | In | Type | Req | Description |
|---|---|---|---|---|
type | query | string | No | Filter by report type. |
Responses
Example request
curl -X GET "https://api.bedrockcompliance.co.uk/v1/firm/me/reports" \
-H "X-Bedrock-Key: bk_live_your_api_key"

POST /v1/firm/me/reports
Log a generated report
Record that a report was generated, for audit purposes. The server parses and normalises periodFrom/periodTo before persisting, and tags the entry with the authenticated user as the generator.
Request body
| Field | Type | Req | Description |
|---|---|---|---|
type | ReportType | Yes | |
periodFrom | string (date-time) | Yes | |
periodTo | string (date-time) | Yes | |
metadata | object | No |
Responses
| Field | Type | Req | Description |
|---|---|---|---|
id | string | Yes | |
firmId | string | Yes | |
type | ReportType | Yes | |
periodFrom | string (date-time) | Yes | |
periodTo | string (date-time) | Yes | |
generatedAt | string (date-time) | Yes | |
generatedByUserId | string \| null | No | |
metadata | object | Yes | |
generatedByUser | object \| null | No |
Example request
curl -X POST "https://api.bedrockcompliance.co.uk/v1/firm/me/reports" \
-H "X-Bedrock-Key: bk_live_your_api_key" \
-H "Content-Type: application/json" \
-d '{
"type": "<type>",
"periodFrom": "<periodFrom>",
"periodTo": "<periodTo>",
"metadata": {}
}'