Skip to main content
The Reports API covers the full report workflow: generating transaction summary reports for disclosure cases, listing reports at application or organization scope, and downloading report files. Report generation and download are separate operations with independent permission checks, so you can grant a team member the ability to create reports without giving them download access, and vice versa.

Endpoints

POST /api/applications/:foreignId/case-reports

Generates a transaction summary report for a specific disclosure case. The report captures the transaction data within the case’s approved scope — period, disclosure flags, and contract filters — at the time of generation. Required permission: reports:create (auditor bucket)
foreignId
string
required
The application route segment from GET /auth/me.
case_id
string
required
The ID of the approved case for which to generate the report. The case must belong to the same application and your session must satisfy the case’s assignment and access-window checks.
report_type
string
required
The type of report to generate. Refer to your portal configuration for supported type values.
Returns report metadata for the newly created report: 
{
  "id": "rpt_...",
  "type": "transaction_summary",
  "created_at": "2024-06-01T12:00:00Z",
  "created_by_email": "auditor@example.com"
}

GET /api/applications/:foreignId/reports

Lists all reports that have been generated for the application. Results are scoped to your organization and the specific application identified by :foreignId. Required permission: reports:list (auditor bucket)
foreignId
string
required
The application route segment from GET /auth/me.
Returns an array of report objects. See Report Object Fields for the full field list.

GET /api/applications/:foreignId/reports/:reportId/download

Downloads a specific report for the application. This endpoint streams or returns the report file. Downloading is a separate permission from listing — check your GET /auth/me response for reports:download in the auditor bucket. Required permission: reports:download (auditor bucket)
foreignId
string
required
The application route segment from GET /auth/me.
reportId
string
required
The ID of the report to download. Obtain this from the id field of a report object returned by GET /api/applications/:foreignId/reports or POST /api/applications/:foreignId/case-reports.
Returns the report file. The content type and format depend on the type of the report.

GET /api/reports

Lists all reports at organization scope. This endpoint is available to organization owners and returns reports across all applications in the organization. Required permission: reports:list (owner-level) Returns an array of report objects. Each object includes the application_id field so you can identify which application the report belongs to.

GET /api/reports/:reportId/download

Downloads an organization-scoped report. Use this endpoint when you retrieved the report ID from GET /api/reports rather than from an application-scoped listing. Required permission: reports:download (owner-level)
reportId
string
required
The ID of the report to download.
Returns the report file.
Report generation (reports:create) and report download (reports:download) are separate permission checks and produce separate activity log events. Your account may have one without the other. Check the auditor bucket in your GET /auth/me response to confirm which permissions apply to you.

Report Object Fields

id
string
Unique identifier for the report.
org_id
string
The organization the report belongs to.
application_id
string
The internal application ID the report is scoped to. Use :foreignId in routes rather than this value.
type
string
The report type (e.g. "transaction_summary", "activity_log").
metadata
object
Structured metadata describing the report content, such as the case ID, period covered, and disclosure flags applied at generation time.
created_by_email
string
Email address of the user who generated the report.
created_by_name
string
Display name of the user who generated the report.
created_at
string
ISO 8601 timestamp of when the report was generated.