> ## Documentation Index
> Fetch the complete documentation index at: https://docs.truthlocks.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Create Compliance Check

> Run an automated compliance check against a regulation for an entity

Executes an automated compliance assessment for a specific entity (agent, model, dataset, or workflow) against a supported regulation. The check evaluates the entity's configuration, access patterns, data handling, and audit trail against the regulation's requirements and produces a compliance determination with detailed findings.

Compliance checks are idempotent for the same entity-regulation pair within a 24-hour window. Repeated calls within that window return the cached result.

### Authentication

Requires `X-API-Key` header or Bearer JWT token. Tenant-scoped via `X-Tenant-ID`.

### Request Body

<ParamField body="entity_type" type="string" required>
  The type of entity to assess. One of: - `agent` -- a registered machine agent

  * `model` -- an AI/ML model - `dataset` -- a data asset or training dataset -
    `workflow` -- an automated workflow or pipeline
</ParamField>

<ParamField body="entity_id" type="string" required>
  The unique identifier of the entity to assess. Must exist within the tenant.
</ParamField>

<ParamField body="regulation" type="string" required>
  The regulation or framework to assess against. Supported values: - `SOC2` --
  SOC 2 Type II controls - `ISO27001` -- ISO 27001 information security
  management - `GDPR` -- EU General Data Protection Regulation - `HIPAA` -- US
  Health Insurance Portability and Accountability Act - `EU_AI_ACT` -- EU
  Artificial Intelligence Act
</ParamField>

<ParamField body="scope" type="string">
  Optional scope qualifier to narrow the assessment. For example,
  `access-control` to assess only access-control-related controls, or
  `data-handling` for data processing controls. If omitted, a full-scope
  assessment is performed.
</ParamField>

### Response

<ResponseField name="id" type="string">
  Unique identifier for the compliance check record. Format: `maip-cc:ULID`.
</ResponseField>

<ResponseField name="entity_type" type="string">
  The type of entity that was assessed.
</ResponseField>

<ResponseField name="entity_id" type="string">
  The identifier of the assessed entity.
</ResponseField>

<ResponseField name="regulation" type="string">
  The regulation that was assessed.
</ResponseField>

<ResponseField name="scope" type="string">
  The scope of the assessment. `full` if no scope was specified.
</ResponseField>

<ResponseField name="status" type="string">
  The compliance determination. One of: - `compliant` -- entity meets all
  assessed requirements - `non_compliant` -- entity fails one or more critical
  requirements - `partial` -- entity meets some but not all requirements
</ResponseField>

<ResponseField name="findings" type="object[]">
  Detailed list of individual findings from the assessment.

  <Expandable title="Finding fields">
    <ResponseField name="findings[].control_id" type="string">
      The control identifier within the regulation (e.g., `CC6.1` for SOC2, `A.9.1.1` for ISO27001).
    </ResponseField>

    <ResponseField name="findings[].control_name" type="string">
      Human-readable name of the control.
    </ResponseField>

    <ResponseField name="findings[].status" type="string">
      Status of this specific control: `pass`, `fail`, `partial`, `not_applicable`.
    </ResponseField>

    <ResponseField name="findings[].severity" type="string">
      Severity of the finding if not passing: `critical`, `high`, `medium`, `low`.
    </ResponseField>

    <ResponseField name="findings[].description" type="string">
      Detailed description of the finding and remediation guidance.
    </ResponseField>
  </Expandable>
</ResponseField>

<ResponseField name="receipt_id" type="string">
  The MAIP receipt minted for this compliance check, providing an immutable
  audit record.
</ResponseField>

<ResponseField name="checked_at" type="string">
  ISO 8601 timestamp of when the assessment was performed.
</ResponseField>

### Supported Regulations

| Regulation  | Controls Assessed                                  | Typical Duration |
| :---------- | :------------------------------------------------- | :--------------- |
| `SOC2`      | Trust Service Criteria (CC1-CC9)                   | 2-5 seconds      |
| `ISO27001`  | Annex A controls (A.5-A.18)                        | 2-5 seconds      |
| `GDPR`      | Articles 5, 6, 12-22, 25, 32-34                    | 3-8 seconds      |
| `HIPAA`     | Administrative, Physical, Technical Safeguards     | 3-8 seconds      |
| `EU_AI_ACT` | Risk classification, transparency, human oversight | 5-10 seconds     |


## OpenAPI

````yaml mint-openapi.yaml POST /v1/compliance/check
openapi: 3.0.3
info:
  title: Truthlocks API
  description: >
    Truthlocks is a universal verification infrastructure for documents,
    credentials, and digital assets.

    This specification defines the canonical API for interacting with Truthlocks
    services.


    ## Base URLs

    - **Production**: `https://api.truthlocks.com`

    - **Sandbox**: `https://sandbox-api.truthlocks.com`


    ## Authentication

    - **API Keys**: Use `X-API-Key` header for machine-to-machine operations

    - **Bearer Tokens**: Use `Authorization: Bearer <jwt>` for user-initiated
    operations


    ## Tenant Identity

    In production, tenant identity is derived from the authenticated context
    (API key or JWT).

    The `X-Tenant-ID` header is ignored in production to prevent spoofing.
  version: 1.0.0
  contact:
    name: Truthlocks Support
    url: https://truthlocks.com/support
    email: support@truthlocks.com
servers:
  - url: https://api.truthlocks.com
    description: Production API
  - url: https://sandbox-api.truthlocks.com
    description: Sandbox Environment
security:
  - APIKey: []
tags:
  - name: Authentication
    description: API key and token management
  - name: Issuers
    description: Issuer registration and trust management
  - name: Keys
    description: Cryptographic key management for issuers
  - name: Attestations
    description: Attestation lifecycle (mint, revoke, supersede)
  - name: Verification
    description: Attestation verification and proof bundles
  - name: Governance
    description: Issuer governance workflows (admin only)
  - name: Identity
    description: Organization, user, and role management
  - name: Audit
    description: Audit event queries
  - name: Platform
    description: Platform administration (super admin only)
  - name: Platform Review
    description: Staff review workflows for issuer applications
  - name: Tenant Console
    description: Tenant profile and lifecycle endpoints
  - name: Health
    description: Service health and readiness endpoints
  - name: Risk
    description: Risk signal ingestion and fraud detection
  - name: Risk Enforcement
    description: Risk enforcement actions — block, challenge, quarantine, and configuration
  - name: Billing
    description: Billing, subscription, and addon management
  - name: Machine Identity
    description: >-
      Machine Agent Identity Protocol (MAIP) — agent registration, sessions,
      trust, witness, compliance, orchestration, and observability
externalDocs:
  description: Transparency read-only API (separate service spec)
  url: >-
    https://github.com/truthlocks/truthlock/blob/main/docs/transparency/openapi.yaml
paths:
  /v1/compliance/check:
    post:
      tags:
        - Machine Identity
      summary: Create Compliance Check
      description: |
        Initiates a compliance check for an agent against a specified regulatory
        framework. Returns findings with severity classifications.
      operationId: maip.compliance.check
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - agent_id
                - framework
              properties:
                agent_id:
                  type: string
                  format: uuid
                  description: Agent to evaluate
                framework:
                  type: string
                  enum:
                    - soc2
                    - iso27001
                    - hipaa
                    - gdpr
                  description: Compliance framework
                scope:
                  type: object
                  additionalProperties: true
                  description: Scope parameters for the check
            example:
              agent_id: 550e8400-e29b-41d4-a716-446655440000
              framework: soc2
              scope:
                controls:
                  - CC6.1
                  - CC6.2
                  - CC6.3
      responses:
        '201':
          description: Compliance check created
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/MaipComplianceCheck'
        '400':
          description: Validation error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorEnvelope'
        '401':
          description: Authentication required
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorEnvelope'
        '429':
          description: Rate limit exceeded
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorEnvelope'
      security:
        - APIKey: []
components:
  schemas:
    MaipComplianceCheck:
      type: object
      properties:
        check_id:
          type: string
          format: uuid
        agent_id:
          type: string
          format: uuid
        framework:
          type: string
          enum:
            - soc2
            - iso27001
            - hipaa
            - gdpr
        scope:
          type: object
          additionalProperties: true
        status:
          type: string
          enum:
            - pending
            - passed
            - failed
            - partial
        findings:
          type: array
          items:
            type: object
            properties:
              finding_id:
                type: string
              severity:
                type: string
                enum:
                  - low
                  - medium
                  - high
                  - critical
              title:
                type: string
              description:
                type: string
        created_at:
          type: string
          format: date-time
    ErrorEnvelope:
      type: object
      required:
        - code
        - message
        - http_status
      properties:
        code:
          type: string
          description: Machine-readable error code
          enum:
            - AUTH_REQUIRED
            - AUTH_INVALID
            - PERMISSION_DENIED
            - TENANT_IDENTITY_UNVERIFIED
            - NOT_FOUND
            - VALIDATION_ERROR
            - CONFLICT
            - PAYLOAD_TOO_LARGE
            - RATE_LIMIT_EXCEEDED
            - QUOTA_EXCEEDED
            - SERVICE_UNAVAILABLE
            - INTERNAL_ERROR
        message:
          type: string
          description: Human-readable error message
        http_status:
          type: integer
          description: HTTP status code
        retry_after_ms:
          type: integer
          description: Milliseconds to wait before retrying (for rate limits)
        details:
          type: object
          description: Additional error context
      example:
        code: AUTH_REQUIRED
        message: Authentication required
        http_status: 401
  securitySchemes:
    APIKey:
      type: apiKey
      in: header
      name: X-API-Key
      description: API key for machine-to-machine authentication

````