REST API Reference
All API endpoints require an API key passed as a Bearer token:
Base URL: https://api.mima.ai
Workspace-scoped endpoints use the path prefix /api/workspaces/{workspace_id}/governance/.
Authentication
GET /api/me
Resolve workspace and user identity from the API key. Used by the SDK to auto-resolve workspace_id.
Response
GRC Evidence
POST /api/workspaces/{workspace_id}/governance/grc/evidence
Push a single GRC evidence record.
Request body
Dry-run mode
Append ?dry_run=true to preview which controls would be earned without writing:
Response
Dry-run response — record_id is the nil UUID:
Attestations
POST /api/workspaces/{workspace_id}/governance/attestations/external
Push a single attestation record. Used by mima.attest() / mima.wrap().
Request body
Response
Trust tiers
Rate limits: 2000 requests/minute per workspace. Returns 429 with a Retry-After header on excess. The SDK retries once automatically.
POST /api/workspaces/{workspace_id}/governance/attestations/batch
Push multiple attestation records in a single request.
Request body
Response
Posture
GET /api/workspaces/{workspace_id}/governance/posture
Returns overall posture score and per-framework breakdown.
Response
Systems
GET /api/workspaces/{workspace_id}/governance/systems
List all AI systems.
Query parameters: ?name=filter
Response
Evidence records
GET /api/workspaces/{workspace_id}/governance/evidence
List evidence records.
Query parameters
Response
Gates
GET /api/workspaces/{workspace_id}/governance/gates
Returns gate pass/fail status.
Response
Exit codes: 0 = pass, 1 = soft fail, 2 = hard fail (blocking).
Controls
POST /api/workspaces/{workspace_id}/governance/derive-controls
Get recommended record types for a system description.
Request body
Response
HMAC Signing
GRC records can include a client signature to allow auditors to verify records were created by a specific SDK instance.
Canonical message format
The canonical message is a compact JSON string with sorted keys and no spaces:
The key order is always alphabetical: occurred_at < payload < record_type < system_name < workspace_id.
The payload object’s keys are also sorted recursively (matching Python’s json.dumps(sort_keys=True, separators=(',', ':'))).
Signing
TypeScript
Both SDKs use the same canonical format and produce identical signatures.
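The following is an added example (not the SDK's own code, and not from this reference) showing the canonical message construction described above and a signing/verification pair built on it. The page specifies only the canonical JSON form (the five top-level keys in alphabetical order, nested payload keys sorted, json.dumps(sort_keys=True, separators=(',', ':'))); the hash function (HMAC-SHA256), the hex encoding of the signature, the shared secret and the record values are all assumptions made here for illustration. It goes slightly beyond the text by showing what an auditor-side verifier would do: recompute the canonical message, recompute the MAC, and compare in constant time, so that any change to the record (or to key insertion order that is not reflected in content) is detected or ignored as the format intends.

```python
import hashlib
import hmac
import json

# The five fields the page lists as the canonical message, in their
# alphabetical order. Any other field on the record is left out here
# (assumption: the signature covers exactly these five keys).
CANONICAL_FIELDS = ("occurred_at", "payload", "record_type", "system_name", "workspace_id")

# Constructed sample values; the page gives no real key or workspace id.
SAMPLE_SECRET = b"example-signing-secret"  # hypothetical per-SDK-instance secret
SAMPLE_RECORD = {
    "workspace_id": "00000000-0000-0000-0000-000000000001",  # constructed
    "system_name": "fraud-model",
    "record_type": "model_eval",
    "occurred_at": "2024-01-01T00:00:00Z",
    # Nested keys deliberately out of order to show the recursive sort.
    "payload": {"score": 0.91, "dataset": "holdout-v2", "thresholds": {"min": 0, "max": 1}},
}


def canonical_message(record: dict) -> str:
    """Serialize a GRC record exactly as the reference describes.

    sort_keys=True sorts the top level and every nested object, and
    separators=(",", ":") removes all whitespace. Missing fields raise
    KeyError rather than silently signing an incomplete record.
    """
    subset = {field: record[field] for field in CANONICAL_FIELDS}
    return json.dumps(subset, sort_keys=True, separators=(",", ":"))


def sign_record(record: dict, secret: bytes) -> str:
    """HMAC over the canonical message (HMAC-SHA256 and hex output are assumed)."""
    message = canonical_message(record).encode("utf-8")
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_signature(record: dict, secret: bytes, signature: str) -> bool:
    """Auditor-side check: recompute and compare without leaking timing."""
    expected = sign_record(record, secret)
    return hmac.compare_digest(expected, signature)


def tamper_detected(record: dict, secret: bytes, signature: str, **changes) -> bool:
    """Return True when a modified copy of the record no longer verifies."""
    modified = dict(record)
    modified["payload"] = {**record["payload"], **changes}
    return not verify_signature(modified, secret, signature)


if __name__ == "__main__":
    sig = sign_record(SAMPLE_RECORD, SAMPLE_SECRET)
    print(canonical_message(SAMPLE_RECORD))
    print("signature:", sig)
    print("verifies:", verify_signature(SAMPLE_RECORD, SAMPLE_SECRET, sig))
    print("score tampering detected:", tamper_detected(SAMPLE_RECORD, SAMPLE_SECRET, sig, score=0.99))
```

Because the signature is computed over the canonical string rather than the raw request body, the client and the auditor only have to agree on the five fields and the sort rule, not on how either side happened to serialize the JSON it sent or stored.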
Error responses
All error responses follow this shape:
