Audits

List audits for the authenticated user

GET
/audits

Returns audits based on role (mutually exclusive per organization):

  • Audit Manager (user_global_roles): all audits in the organization.
  • Auditor (team_members.role = Auditor): audits assigned to the user (auditor_user_id), excluding COMPLETED.
  • Peer review (?view=peer-reviews): audits awaiting peer review for users with Auditor or Peer Auditor in team_members. Returns IN_REVIEW audits (excluding those assigned to the caller as auditor_user_id) plus COMPLETED audits for the completed-reviews metric.
  • Pending actions (?view=pending-actions): audits owned by the authenticated IT Owner (owner_user_id), filtered to statuses requiring owner action (DRAFT, IN_PROGRESS, OVERDUE), submitted (IN_REVIEW), and completed (COMPLETED). Requires IT Owner in team_members. Users cannot hold both audit manager and auditor roles for the same organization (403).

Authorization

SupabaseBearer
AuthorizationBearer <token>

Supabase user access token (Authorization: Bearer JWT)

In: header

Query Parameters

view?string

When set to peer-reviews, returns audits awaiting peer review. When set to pending-actions, returns IT Owner pending action audits.

Value in

  • "peer-reviews"
  • "pending-actions"
framework?string

Filter by audit template framework. Comma-separated values match any listed framework.

status?string

Filter by audit status (e.g. DRAFT, IN_PROGRESS, IN_REVIEW, COMPLETED).

auditor_id?string

Filter by assigned auditor user id (auditor_user_id).

Formatuuid
application_id?string

Filter to audits with a submission distributed to this application (audit_submissions.application_id).

Formatuuid
due_date?string

Filter audits where due_date, due_at (when due_date is null), or updated_at (when both are null) falls on the same UTC calendar day as the due_date query parameter.

Formatdate-time

Response Body

application/json

application/json

curl -X GET "https://example.com/audits"
{}
Empty
{  "message": "string"}