This article explains how to upload, list, and download proof files using the Hyperproof API. It provides a plain-language overview of the official API documentation and includes practical, original examples to help you implement each step.
- Include a Bearer access token in the
Authorizationheader for every request - Tokens are obtained via Hyperproof OAuth
Example header - Authorization: Bearer <ACCESS_TOKEN>
Method and URL - POST https://api.hyperproof.app/v1/proof
Request (multipart/form-data)
proof(file, required) - The file to upload.hp-proof-owned-by(string, optional) - The user ID designating the proof owner.
Behavior
- Upon success, returns JSON metadata about the uploaded proof, including
id,filename,version,size,createdBy/On,updatedBy/On.
Sample
curl --request POST \
--url https://api.hyperproof.app/v1/proof \
--header "Authorization: Bearer $ACCESS_TOKEN" \
--form proof=@"./policies/AcceptableUse.pdf"With explicit owner
curl --request POST \
--url https://api.hyperproof.app/v1/proof \
--header "Authorization: Bearer $ACCESS_TOKEN" \
--form proof=@"./policies/AcceptableUse.pdf" \
--form hp-proof-owned-by="$USER_ID"Uploading Testable CSV proof
When sending CSV files, you need to explicitly declare the type as text/csv. This tells Hyperproof to treat the uploaded blob as tabular data. This allows the CSV proof to be usable in automated tests.
curl --request POST \
--url https://api.hyperproof.app/v1/proof \
--header "Authorization: Bearer $ACCESS_TOKEN" \
--form proof=@"./policies/AcceptableUse.csv:type=text/csv" \
--form hp-proof-owned-by="$USER_ID"
--form contentType="text/csv"Updating Testable CSV proof
After uploading a CSV file intended for automated testing, a PATCH request should be made to create the schema to be tested. The body of the request will define the CSV fields and types for the automated testing feature. Available types include text , number , boolean , and date.
curl --request PATCH 'https://api.hyperproof.app/v1/proof/:proofid' \
--header 'Content-Type: application/json' \
--header 'Authorization: ••••••' \
--data '{
"isPrivate": false,
"schema": {
"class": "CsvFileSchema",
"fields": [{
"name": "Name",
"type": "text"
}, {
"name": "Email",
"type": "text"
}]
}
}'Method and URL - POST https://api.hyperproof.app/v1/proof/{proofId}/versions
Request (multipart/form-data)
proof(file, required) - The new file contents.
Behavior
- Creates a new version for the referenced proof item.
- The
versionvalue increases by 1 from the highest existing version.
Sample
curl --request POST \
--url "https://api.hyperproof.app/v1/proof/$PROOF_ID/versions" \
--header "Authorization: Bearer $ACCESS_TOKEN" \
--form proof=@"./policies/AcceptableUse_v7.pdf"You can upload a proof file and directly link it to an object such as a control, label, or task.
URL pattern - POST https://api.hyperproof.app/v1/{objectType}s/{objectId}/proof
objectTypecan becontrol,label, ortask.- Use multi-part/form-data with a
prooffile field.
Sample (control)
CONTROL_ID=12345678-90ab-cdef-1234-567890abcdef
curl --request POST \
--url "https://api.hyperproof.app/v1/controls/$CONTROL_ID/proof" \
--header "Authorization: Bearer $ACCESS_TOKEN" \
--form proof=@"./evidence/PrivacyPolicy.pdf"Method and URL - GET https://api.hyperproof.app/v1/proof
Pagination
limit(integer, optional) - This is the page size. The default is 25.- If more items exist than the page size, the response includes an
offsetTokenyou can pass asoffsetto fetch the next page.
Sorting
sortBy- One ofcreatedBy,createdOn,filename, oruploadedOn. The default isuploadedOn.sortDirection- Choose eitherasc(ascending) ordesc(descending). The default isdesc.uploadedOn- Updates when you add a new version;createdOnremains fixed.
Filtering
ownedByMe=true- Returns proof owned by the currently authorized user.search=<value>- Filters by filename matches.
Sample
curl --silent \
--header "Authorization: Bearer $ACCESS_TOKEN" \
"https://api.hyperproof.app/v1/proof?limit=100&sortBy=filename&sortDirection=asc&ownedByMe=true"Follow-up page using offset token
curl --silent \
--header "Authorization: Bearer $ACCESS_TOKEN" \
"https://api.hyperproof.app/v1/proof?offset=$OFFSET_TOKEN"Use the same endpoint with object filters.
Method and URL - GET https://api.hyperproof.app/v1/proof?objectType=<control|label|task>&objectId=<ID>
Sample (first page for a control)
curl --silent \
--header "Authorization: Bearer $ACCESS_TOKEN" \
"https://api.hyperproof.app/v1/proof?objectType=control&objectId=$CONTROL_ID&limit=100"Method and URL - GET https://api.hyperproof.app/v1/proof/{proofId}/contents
Behavior
- Returns the raw file in the response body.
- The original file name is provided by the
content-dispositionresponse header. - To fetch a particular version, add
?version=<n>.
Sample (latest version)
curl -O --remote-header-name \
-H "Authorization: Bearer $ACCESS_TOKEN" \
"https://api.hyperproof.app/v1/proof/$PROOF_ID/contents"Sample (specific version)
curl -O --remote-header-name \
-H "Authorization: Bearer $ACCESS_TOKEN" \
"https://api.hyperproof.app/v1/proof/$PROOF_ID/contents?version=3"While the exact shape can evolve, responses commonly include:
id(UUID)filenameversion(integer)size(bytes)createdBy(user ID)createdOn(ISO-8601 timestamp)updatedBy(user ID)uploadedOn/updatedOn(ISO-8601 timestamp)
- Keep your access tokens secure. Regenerate or rotate them according to your organization’s policies.
- When paginating, always check for an
offsetTokenand pass it back via theoffsetquery parameter until no token is returned. - Prefer
uploadedOnto sort by "Most recently changed" since it advances when new versions are added. - Use
hp-proof-owned-byif you need to attribute a proof item to a particular user at upload time.