GETTING STARTED

Quickstart — 60 seconds

One POST. Instant verdict. Zero configuration.

1. Get your API key

Email api@auditarmor.polsia.app. You'll receive your Bearer token within 24 hours.

2. Run your first scan

bash
curl -X POST https://auditarmor.polsia.app/api/v1/scan \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "output": "Patient Hans Müller, DOB 1982-03-14, was prescribed 500mg metformin.",
    "ruleset": "hipaa_us",
    "context": "clinical-notes"
  }'

3. Handle the response

json — response
{
  "verdict": "block",
  "audit_id": "alog_7f3a9c12d4e8b",
  "audit_url": "https://auditarmor.polsia.app/api/v1/audit/alog_7f3a9c12d4e8b",
  "violations": [
    {
      "rule_id": "hipaa-dob",
      "severity": "high",
      "excerpt": "DOB 1982-03-14",
      "description": "Date of birth detected — PHI under HIPAA §164.514"
    },
    {
      "rule_id": "hipaa-diagnosis",
      "severity": "high",
      "excerpt": "prescribed 500mg metformin",
      "description": "Medical diagnosis or prescription detected"
    }
  ],
  "confidence": 0.87,
  "latency_ms": 43,
  "scanned_at": "2026-05-21T11:11:30Z"
}

💡 Verdict "block" → hold immediately. "flag" → route for human review. "allow" → pass through.

API REFERENCE

POST /api/v1/scan

Submit AI-generated text for compliance analysis. Returns a verdict synchronously.

POST https://auditarmor.polsia.app/api/v1/scan

Request Body

| Parameter | Type | Required | Description |
|---|---|---|---|
| output | string | Yes | The AI-generated text to scan. Max 32,000 characters. |
| ruleset | string | Yes | Policy pack identifier. See Policy Packs. |
| context | string | No | Hint about the content origin (e.g. 'clinical-notes', 'customer-chat'). |
| policy_pack | string[] | No | Stack multiple policy packs (e.g. ['gdpr_strict','pii_only']). |
| async | boolean | No | true for async mode on long contexts. Returns job_id immediately. |

Response

| Field | Type | Description |
|---|---|---|
| verdict | string | allow · flag · block |
| audit_id | string | Unique ID for the tamper-proof audit record. |
| audit_url | string | Direct URL to retrieve the audit record. |
| violations | object[] | Each matched violation: rule_id, severity, excerpt, description. |
| confidence | number | Weighted risk score 0.0–1.0. |
| latency_ms | number | Processing time in milliseconds. |
| scanned_at | string | ISO 8601 timestamp. |

GET https://auditarmor.polsia.app/api/v1/audit/{audit_id}

Retrieves a single, tamper-proof audit record by ID. Use this for regulatory evidence packages and audit reports.

bash
curl https://auditarmor.polsia.app/api/v1/audit/alog_7f3a9c12d4e8b \
  -H "Authorization: Bearer YOUR_API_KEY"

🔒 Audit records are immutable. Once written, they cannot be updated or deleted.

POLICY PACKS

Built-in Policy Packs

Each pack is a curated set of weighted rules tuned to a regulatory context.

gdpr_strict
GDPR (EU)

PII detection, consent language, data retention. Covers GDPR Art. 5, 13, 17.

Email · Phone · Names · IP · Consent · Retention

hipaa_us
HIPAA (US)

Protected health information: SSN, DOB, diagnosis, prescriptions, MRN.

SSN · DOB · Diagnosis · MRN · PHI · Email

finma_ch
FINMA (CH) — coming soon

Swiss financial regulator: client data, advisory claims, risk disclosures.

Preview

bafin_de
BaFin (DE) — coming soon

German financial authority: investor protection, MiFID-II disclosures, GDPR-financial data.

Preview

pii_only
PII Only

Lightweight scanner for PII detection only, without regulatory context rules.

Email · Phone · SSN · Names

Stack & Customize

Combine multiple packs in one request:

json — stacked packs
{
  "output": "...",
  "ruleset": "gdpr_strict",
  "policy_pack": ["gdpr_strict", "pii_only"]
}

Custom rule packs: email us your regulatory context — we'll curate and deploy a new pack within 5 business days.

AUDIT TRAIL

Audit Trail Format

Every scan produces a tamper-proof record designed for regulatory audit packages.

json — audit record
{
  "audit_id": "alog_7f3a9c12d4e8b",
  "timestamp": "2026-05-21T11:11:30.000Z",
  "input_hash": "sha256:e3b0c44298fc1c149afb4c8996fb92427ae41e4649b934ca495991b7852b855",
  "rule_versions": {
    "hipaa-dob": "1.2.0",
    "hipaa-diagnosis": "1.2.0"
  },
  "verdict": "block",
  "confidence": 0.87,
  "violations": [
    {
      "rule_id": "hipaa-dob",
      "severity": "high",
      "excerpt": "DOB 1982-03-14",
      "description": "Date of birth detected — PHI under HIPAA §164.514"
    }
  ],
  "signatures": {
    "record_hash": "sha256:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
    "chain_hash": "sha256:7a38d8c4e9f0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6"
  },
  "reviewer": null,
  "reviewed_at": null,
  "ruleset": "hipaa_us",
  "api_version": "v1"
}

Tamper Evidence

🔐

SHA-256 Input Hash

Raw input text is never stored, only its SHA-256 hash, so you can prove a specific document was scanned without retaining sensitive data.

🔗

Hash Chain

Each record includes the chain_hash of the previous record. Gaps or modifications in the chain are immediately detectable.

📌

Rule Versions Pinned

rule_versions documents exactly which rule version flagged each violation. Retroactive changes are traceable.

👤

Reviewer Fields

reviewer and reviewed_at support manual approval workflows. Writable via the management API.
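
The input-hash and hash-chain checks described above, as an added example for verifying exported audit records offline (not AuditArmor's own code). This page does not state how record_hash and chain_hash are computed, so the canonical-JSON hashing, the chaining formula and the GENESIS start value are assumptions, and the sample records are constructed.

```python
import hashlib
import json

GENESIS = "sha256:" + "0" * 64  # assumed chain start value (not from the page)

def sha256_tag(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()

def record_hash(record: dict) -> str:
    # Assumption: covers every field except "signatures", as canonical JSON.
    body = {k: v for k, v in record.items() if k != "signatures"}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return sha256_tag(canon.encode("utf-8"))

def chain_hash(prev_chain: str, rec_hash: str) -> str:
    # Assumption: each link commits to the previous chain_hash and this record_hash.
    return sha256_tag(f"{prev_chain}{rec_hash}".encode("utf-8"))

def verify_chain(records: list, start: str = GENESIS) -> list:
    """Return (index, audit_id, problem) for every record that fails a check."""
    problems, prev = [], start
    for i, rec in enumerate(records):
        sig = rec.get("signatures") or {}
        rh = record_hash(rec)
        if sig.get("record_hash") != rh:
            problems.append((i, rec.get("audit_id"), "record modified"))
        elif sig.get("chain_hash") != chain_hash(prev, rh):
            problems.append((i, rec.get("audit_id"), "chain broken before this record"))
        # Continue from the stored link so one fault is reported once.
        prev = sig.get("chain_hash") or prev
    return problems

def input_matches(record: dict, text: str) -> bool:
    """Check that `text` is the document this record was written for."""
    return record.get("input_hash") == sha256_tag(text.encode("utf-8"))

def sample_chain() -> list:
    # Constructed records; only the field names come from the page.
    chain, prev = [], GENESIS
    for n, (text, verdict) in enumerate([("note A", "block"), ("note B", "allow"), ("note C", "flag")]):
        rec = {"audit_id": f"alog_sample{n}", "verdict": verdict,
               "input_hash": sha256_tag(text.encode("utf-8"))}
        rh = record_hash(rec)
        prev = chain_hash(prev, rh)
        chain.append({**rec, "signatures": {"record_hash": rh, "chain_hash": prev}})
    return chain
```

When checking a partial export, pass the chain_hash of the record just before the first exported one as `start`.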

AUTHENTICATION

Authentication

All API requests require a Bearer token in the Authorization header:

http
Authorization: Bearer aa_prod_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Rate Limits

| Plan | Requests/min | Requests/day | Max text |
|---|---|---|---|
| Starter | 60 | 5,000 | 8,000 chars |
| Pro | 300 | 100,000 | 32,000 chars |
| Enterprise | Unlimited | Unlimited | Unlimited (async) |

Regional Endpoints

| Region | Endpoint | Location |
|---|---|---|
| EU (Recommended for GDPR) | https://eu.auditarmor.polsia.app | Frankfurt, DE |
| US | https://us.auditarmor.polsia.app | Virginia, US-East |

⚠️ GDPR customers: use the EU endpoint to ensure data never leaves EU jurisdiction.

RELIABILITY

Latency & SLA

p95 latency: < 200ms (sync mode, up to 8,000 chars)
Uptime SLA: 99.9% (Pro & Enterprise plans)
Long context mode: Async (webhook callback when complete)

Async Mode

For documents over 8,000 characters, or when you need guaranteed sub-100ms response times, enable async mode:

json — async request
{
  "output": "... very long document ...",
  "ruleset": "gdpr_strict",
  "async": true,
  "webhook_url": "https://yourapp.com/webhooks/auditarmor"
}

json — immediate response
{
  "job_id": "job_abc123",
  "status": "queued",
  "estimated_ms": 800
}

json — webhook payload (when complete)
{
  "job_id": "job_abc123",
  "verdict": "flag",
  "audit_id": "alog_...",
  "violations": [...]
}

SDKS

SDKs — Coming Soon

We're building native SDKs for the most common integration scenarios.

🐍 Python: pip install auditarmor (In development)
Node.js: npm install auditarmor (In development)
🐹 Go: go get auditarmor.dev/sdk (Planned)

📬 Request SDK early access: api@auditarmor.polsia.app with subject 'SDK Early Access'.
