Developer-friendly & type-safe Java SDK specifically catered to leverage openapi API.
Conduct an audit: The Auditor API lets audit firms conduct audits from a tool outside of Vanta. Unlock data syncing with Vanta through this API.
Note for Vanta Gov (FedRAMP) customers: Select Vanta Gov (FedRAMP) from the server dropdown to issue requests against https://api.vanta-gov.com. The OAuth token URL shown below defaults to the commercial host — replace it with https://api.vanta-gov.com/oauth/token.
JDK 11 or later is required.
The samples below show how a published SDK artifact is used:
Gradle:
implementation 'com.vanta:vanta-auditor-api:0.4.1'Maven:
<dependency>
<groupId>com.vanta</groupId>
<artifactId>vanta-auditor-api</artifactId>
<version>0.4.1</version>
</dependency>After cloning the git repository to your file system you can build the SDK artifact from source to the build directory by running ./gradlew build on *nix systems or gradlew.bat on Windows systems.
If you wish to build from source and publish the SDK artifact to your local Maven repository (on your filesystem) then use the following command (after cloning the git repo locally):
On *nix:
./gradlew publishToMavenLocal -Pskip.signingOn Windows:
gradlew.bat publishToMavenLocal -Pskip.signingpackage hello.world;
import com.vanta.vanta_auditor_api.Vanta;
import com.vanta.vanta_auditor_api.models.components.AddAuditorInput;
import com.vanta.vanta_auditor_api.models.operations.CreateAuditorResponse;
import java.lang.Exception;
public class Application {
public static void main(String[] args) throws Exception {
Vanta sdk = Vanta.builder()
.bearerAuth(System.getenv().getOrDefault("BEARER_AUTH", ""))
.build();
AddAuditorInput req = AddAuditorInput.builder()
.email("Genesis_Kunze87@yahoo.com")
.givenName("<value>")
.familyName("<value>")
.build();
CreateAuditorResponse res = sdk.auditors().create()
.request(req)
.call();
if (res.auditor().isPresent()) {
System.out.println(res.auditor().get());
}
}
}An asynchronous SDK client is also available that returns a CompletableFuture<T>. See Asynchronous Support for more details on async benefits and reactive library integration.
package hello.world;
import com.vanta.vanta_auditor_api.AsyncVanta;
import com.vanta.vanta_auditor_api.Vanta;
import com.vanta.vanta_auditor_api.models.components.AddAuditorInput;
import com.vanta.vanta_auditor_api.models.operations.async.CreateAuditorResponse;
import java.util.concurrent.CompletableFuture;
public class Application {
public static void main(String[] args) {
AsyncVanta sdk = Vanta.builder()
.bearerAuth(System.getenv().getOrDefault("BEARER_AUTH", ""))
.build()
.async();
AddAuditorInput req = AddAuditorInput.builder()
.email("Genesis_Kunze87@yahoo.com")
.givenName("<value>")
.familyName("<value>")
.build();
CompletableFuture<CreateAuditorResponse> resFut = sdk.auditors().create()
.request(req)
.call();
resFut.thenAccept(res -> {
if (res.auditor().isPresent()) {
System.out.println(res.auditor().get());
}
});
}
}When a response field is a union model:
- Discriminated unions: branch on the discriminator (
switch) and then narrow to the concrete type. - Non-discriminated unions: use generated accessors (for example
string(),asLong(),simpleObject()) to determine the active variant.
For full model-specific examples (including Java 11/16/21 variants), see each union model's Supported Types section in the generated model docs.
The SDK provides comprehensive asynchronous support using Java's CompletableFuture<T> and Reactive Streams Publisher<T> APIs. This design makes no assumptions about your choice of reactive toolkit, allowing seamless integration with any reactive library.
Why Use Async?
Asynchronous operations provide several key benefits:
- Non-blocking I/O: Your threads stay free for other work while operations are in flight
- Better resource utilization: Handle more concurrent operations with fewer threads
- Improved scalability: Build highly responsive applications that can handle thousands of concurrent requests
- Reactive integration: Works seamlessly with reactive streams and backpressure handling
Reactive Library Integration
The SDK returns Reactive Streams Publisher<T> instances for operations dealing with streams involving multiple I/O interactions. We use Reactive Streams instead of JDK Flow API to provide broader compatibility with the reactive ecosystem, as most reactive libraries natively support Reactive Streams.
Why Reactive Streams over JDK Flow?
- Broader ecosystem compatibility: Most reactive libraries (Project Reactor, RxJava, Akka Streams, etc.) natively support Reactive Streams
- Industry standard: Reactive Streams is the de facto standard for reactive programming in Java
- Better interoperability: Seamless integration without additional adapters for most use cases
Integration with Popular Libraries:
- Project Reactor: Use
Flux.from(publisher)to convert to Reactor types - RxJava: Use
Flowable.fromPublisher(publisher)for RxJava integration - Akka Streams: Use
Source.fromPublisher(publisher)for Akka Streams integration - Vert.x: Use
ReadStream.fromPublisher(vertx, publisher)for Vert.x reactive streams - Mutiny: Use
Multi.createFrom().publisher(publisher)for Quarkus Mutiny integration
For JDK Flow API Integration: If you need JDK Flow API compatibility (e.g., for Quarkus/Mutiny 2), you can use adapters:
// Convert Reactive Streams Publisher to Flow Publisher
Flow.Publisher<T> flowPublisher = FlowAdapters.toFlowPublisher(reactiveStreamsPublisher);
// Convert Flow Publisher to Reactive Streams Publisher
Publisher<T> reactiveStreamsPublisher = FlowAdapters.toPublisher(flowPublisher);For standard single-response operations, the SDK returns CompletableFuture<T> for straightforward async execution.
Supported Operations
Async support is available for:
- Server-sent Events: Stream real-time events with Reactive Streams
Publisher<T> - JSONL Streaming: Process streaming JSON lines asynchronously
- Pagination: Iterate through paginated results using
callAsPublisher()andcallAsPublisherUnwrapped() - File Uploads: Upload files asynchronously with progress tracking
- File Downloads: Download files asynchronously with streaming support
- Standard Operations: All regular API calls return
CompletableFuture<T>for async execution
This SDK supports the following security scheme globally:
| Name | Type | Scheme |
|---|---|---|
bearerAuth |
http | HTTP Bearer |
To authenticate with the API the bearerAuth parameter must be set when initializing the SDK client instance. For example:
package hello.world;
import com.vanta.vanta_auditor_api.Vanta;
import com.vanta.vanta_auditor_api.models.components.AddAuditorInput;
import com.vanta.vanta_auditor_api.models.operations.CreateAuditorResponse;
import java.lang.Exception;
public class Application {
public static void main(String[] args) throws Exception {
Vanta sdk = Vanta.builder()
.bearerAuth(System.getenv().getOrDefault("BEARER_AUTH", ""))
.build();
AddAuditorInput req = AddAuditorInput.builder()
.email("Genesis_Kunze87@yahoo.com")
.givenName("<value>")
.familyName("<value>")
.build();
CreateAuditorResponse res = sdk.auditors().create()
.request(req)
.call();
if (res.auditor().isPresent()) {
System.out.println(res.auditor().get());
}
}
}Available methods
- create - Create an auditor
- list - List audits
- getAudit - Get audit by ID
- listComments - List audit comments
- listControls - List audit controls
- createCustomControl - Create a custom control for an audit
- listInformationRequestsForControl - List information requests linked to a control within an audit
- listEvidence - List audit evidence
- createCustomEvidenceRequest - Create a custom evidence request for an audit
- updateEvidence - Update audit evidence
- createCommentForEvidence - Create a comment for audit evidence
- getEvidenceUrls - List audit evidence url
- getFrameworkCodes - Get framework codes for an audit
- listInformationRequests - List information requests for an audit
- createInformationRequest - Create a new information request
- getInformationRequest - Get an information request by ID
- updateInformationRequest - Update an information request for an audit
- deleteInformationRequest - Delete an information request for an audit
- acceptInformationRequestEvidence - Accept evidence for an information request
- listInformationRequestActivity - List information request activity
- listCommentsForInformationRequest - List comments for an information request
- createCommentForInformationRequest - Create a comment for an information request
- updateCommentForInformationRequest - Update a comment for an information request
- deleteCommentForInformationRequest - Delete a comment for an information request
- listInformationRequestEvidence - List evidence for an information request
- getInformationRequestTestSnapshotEvidenceDetail - Get test snapshot detail for an evidence row
- flagInformationRequestEvidence - Flag evidence for an information request
- listAuditIssues - List snapshotted issues for an audit
- listAuditSnapshots - List snapshotted issues for an audit
- shareInformationRequestList - Share information request list with customer
Handling errors in this SDK should largely match your expectations. All operations return a response object or raise an exception.
VantaError is the base class for all HTTP error responses. It has the following properties:
| Method | Type | Description |
|---|---|---|
message() |
String |
Error message |
code() |
int |
HTTP response status code eg 404 |
headers |
Map<String, List<String>> |
HTTP response headers |
body() |
byte[] |
HTTP body as a byte array. Can be empty array if no body is returned. |
bodyAsString() |
String |
HTTP body as a UTF-8 string. Can be empty string if no body is returned. |
rawResponse() |
HttpResponse<?> |
Raw HTTP response (body already read and not available for re-read) |
package hello.world;
import com.vanta.vanta_auditor_api.Vanta;
import com.vanta.vanta_auditor_api.models.components.AddAuditorInput;
import com.vanta.vanta_auditor_api.models.errors.VantaError;
import com.vanta.vanta_auditor_api.models.operations.CreateAuditorResponse;
import java.io.UncheckedIOException;
import java.lang.Exception;
import java.util.Optional;
public class Application {
public static void main(String[] args) throws Exception {
Vanta sdk = Vanta.builder()
.bearerAuth(System.getenv().getOrDefault("BEARER_AUTH", ""))
.build();
try {
AddAuditorInput req = AddAuditorInput.builder()
.email("Genesis_Kunze87@yahoo.com")
.givenName("<value>")
.familyName("<value>")
.build();
CreateAuditorResponse res = sdk.auditors().create()
.request(req)
.call();
if (res.auditor().isPresent()) {
System.out.println(res.auditor().get());
}
} catch (VantaError ex) { // all SDK exceptions inherit from VantaError
// ex.ToString() provides a detailed error message including
// HTTP status code, headers, and error payload (if any)
System.out.println(ex);
// Base exception fields
var rawResponse = ex.rawResponse();
var headers = ex.headers();
var contentType = headers.first("Content-Type");
int statusCode = ex.code();
Optional<byte[]> responseBody = ex.body();
} catch (UncheckedIOException ex) {
// handle IO error (connection, timeout, etc)
} }
}Primary error:
VantaError: The base class for HTTP error responses.
Less common errors (6)
Network errors:
java.io.IOException(always wrapped byjava.io.UncheckedIOException). Commonly encountered subclasses ofIOExceptionincludejava.net.ConnectException,java.net.SocketTimeoutException,EOFException(there are many more subclasses in the JDK platform).
Inherit from VantaError:
You can override the default server globally using the .serverIndex(int serverIdx) builder method when initializing the SDK client instance. The selected server will then be used as the default on the operations that use it. This table lists the indexes associated with the available servers:
| # | Server | Description |
|---|---|---|
| 0 | https://api.vanta.com/v1 |
Vanta (Commercial) |
| 1 | https://api.vanta-gov.com/v1 |
Vanta Gov (FedRAMP) |
package hello.world;
import com.vanta.vanta_auditor_api.Vanta;
import com.vanta.vanta_auditor_api.models.components.AddAuditorInput;
import com.vanta.vanta_auditor_api.models.operations.CreateAuditorResponse;
import java.lang.Exception;
public class Application {
public static void main(String[] args) throws Exception {
Vanta sdk = Vanta.builder()
.serverIndex(0)
.bearerAuth(System.getenv().getOrDefault("BEARER_AUTH", ""))
.build();
AddAuditorInput req = AddAuditorInput.builder()
.email("Genesis_Kunze87@yahoo.com")
.givenName("<value>")
.familyName("<value>")
.build();
CreateAuditorResponse res = sdk.auditors().create()
.request(req)
.call();
if (res.auditor().isPresent()) {
System.out.println(res.auditor().get());
}
}
}The default server can also be overridden globally using the .serverURL(String serverUrl) builder method when initializing the SDK client instance. For example:
package hello.world;
import com.vanta.vanta_auditor_api.Vanta;
import com.vanta.vanta_auditor_api.models.components.AddAuditorInput;
import com.vanta.vanta_auditor_api.models.operations.CreateAuditorResponse;
import java.lang.Exception;
public class Application {
public static void main(String[] args) throws Exception {
Vanta sdk = Vanta.builder()
.serverURL("https://api.vanta-gov.com/v1")
.bearerAuth(System.getenv().getOrDefault("BEARER_AUTH", ""))
.build();
AddAuditorInput req = AddAuditorInput.builder()
.email("Genesis_Kunze87@yahoo.com")
.givenName("<value>")
.familyName("<value>")
.build();
CreateAuditorResponse res = sdk.auditors().create()
.request(req)
.call();
if (res.auditor().isPresent()) {
System.out.println(res.auditor().get());
}
}
}The Java SDK makes API calls using an HTTPClient that wraps the native
HttpClient. This
client provides the ability to attach hooks around the request lifecycle that can be used to modify the request or handle
errors and response.
The HTTPClient interface allows you to either use the default SpeakeasyHTTPClient that comes with the SDK,
or provide your own custom implementation with customized configuration such as custom executors, SSL context,
connection pools, and other HTTP client settings.
The interface provides synchronous (send) methods and asynchronous (sendAsync) methods. The sendAsync method
is used to power the async SDK methods and returns a CompletableFuture<HttpResponse<Blob>> for non-blocking operations.
The following example shows how to add a custom header and handle errors:
import com.vanta.vanta_auditor_api.Vanta;
import com.vanta.vanta_auditor_api.utils.HTTPClient;
import com.vanta.vanta_auditor_api.utils.SpeakeasyHTTPClient;
import com.vanta.vanta_auditor_api.utils.Utils;
import java.io.IOException;
import java.net.URISyntaxException;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.io.InputStream;
import java.time.Duration;
public class Application {
public static void main(String[] args) {
// Create a custom HTTP client with hooks
HTTPClient httpClient = new HTTPClient() {
private final HTTPClient defaultClient = new SpeakeasyHTTPClient();
@Override
public HttpResponse<InputStream> send(HttpRequest request) throws IOException, URISyntaxException, InterruptedException {
// Add custom header and timeout using Utils.copy()
HttpRequest modifiedRequest = Utils.copy(request)
.header("x-custom-header", "custom value")
.timeout(Duration.ofSeconds(30))
.build();
try {
HttpResponse<InputStream> response = defaultClient.send(modifiedRequest);
// Log successful response
System.out.println("Request successful: " + response.statusCode());
return response;
} catch (Exception error) {
// Log error
System.err.println("Request failed: " + error.getMessage());
throw error;
}
}
};
Vanta sdk = Vanta.builder()
.client(httpClient)
.build();
}
}Custom HTTP Client Configuration
You can also provide a completely custom HTTP client with your own configuration:
import com.vanta.vanta_auditor_api.Vanta;
import com.vanta.vanta_auditor_api.utils.HTTPClient;
import com.vanta.vanta_auditor_api.utils.Blob;
import com.vanta.vanta_auditor_api.utils.ResponseWithBody;
import java.io.IOException;
import java.net.URISyntaxException;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.io.InputStream;
import java.time.Duration;
import java.util.concurrent.Executors;
import java.util.concurrent.CompletableFuture;
public class Application {
public static void main(String[] args) {
// Custom HTTP client with custom configuration
HTTPClient customHttpClient = new HTTPClient() {
private final HttpClient client = HttpClient.newBuilder()
.executor(Executors.newFixedThreadPool(10))
.connectTimeout(Duration.ofSeconds(30))
// .sslContext(customSslContext) // Add custom SSL context if needed
.build();
@Override
public HttpResponse<InputStream> send(HttpRequest request) throws IOException, URISyntaxException, InterruptedException {
return client.send(request, HttpResponse.BodyHandlers.ofInputStream());
}
@Override
public CompletableFuture<HttpResponse<Blob>> sendAsync(HttpRequest request) {
// Convert response to HttpResponse<Blob> for async operations
return client.sendAsync(request, HttpResponse.BodyHandlers.ofPublisher())
.thenApply(resp -> new ResponseWithBody<>(resp, Blob::from));
}
};
Vanta sdk = Vanta.builder()
.client(customHttpClient)
.build();
}
}You can also enable debug logging on the default SpeakeasyHTTPClient:
import com.vanta.vanta_auditor_api.Vanta;
import com.vanta.vanta_auditor_api.utils.SpeakeasyHTTPClient;
public class Application {
public static void main(String[] args) {
SpeakeasyHTTPClient httpClient = new SpeakeasyHTTPClient();
httpClient.enableDebugLogging(true);
Vanta sdk = Vanta.builder()
.client(httpClient)
.build();
}
}You can setup your SDK to emit debug logs for SDK requests and responses.
For request and response logging (especially json bodies), call enableHTTPDebugLogging(boolean) on the SDK builder like so:
SDK.builder()
.enableHTTPDebugLogging(true)
.build();Example output:
Sending request: http://localhost:35123/bearer#global GET
Request headers: {Accept=[application/json], Authorization=[******], Client-Level-Header=[added by client], Idempotency-Key=[some-key], x-speakeasy-user-agent=[speakeasy-sdk/java 0.0.1 internal 0.1.0 org.openapis.openapi]}
Received response: (GET http://localhost:35123/bearer#global) 200
Response headers: {access-control-allow-credentials=[true], access-control-allow-origin=[*], connection=[keep-alive], content-length=[50], content-type=[application/json], date=[Wed, 09 Apr 2025 01:43:29 GMT], server=[gunicorn/19.9.0]}
Response body:
{
"authenticated": true,
"token": "global"
}
WARNING: This logging should only be used for temporary debugging purposes. Leaving this option on in a production system could expose credentials/secrets in logs. Authorization headers are redacted by default and there is the ability to specify redacted header names via SpeakeasyHTTPClient.setRedactedHeaders.
NOTE: This is a convenience method that calls HTTPClient.enableDebugLogging(). The SpeakeasyHTTPClient honors this setting. If you are using a custom HTTP client, it is up to the custom client to honor this setting.
Another option is to set the System property -Djdk.httpclient.HttpClient.log=all. However, this second option does not log bodies.
The SDK ships with a pre-configured Jackson ObjectMapper accessible via
JSON.getMapper(). It is set up with type modules, strict deserializers, and the feature flags
needed for full SDK compatibility (including ISO-8601 OffsetDateTime serialization):
import com.vanta.vanta_auditor_api.utils.JSON;
String json = JSON.getMapper().writeValueAsString(response);To compose with your own ObjectMapper, register the provided VantaAuditorApiJacksonModule, which
bundles all the same modules and feature flags as a single plug-and-play module:
import com.vanta.vanta_auditor_api.utils.VantaAuditorApiJacksonModule;
import com.fasterxml.jackson.databind.ObjectMapper;
ObjectMapper myMapper = new ObjectMapper()
.registerModule(new VantaAuditorApiJacksonModule());
String json = myMapper.writeValueAsString(response);This SDK is in beta, and there may be breaking changes between versions without a major version update. Therefore, we recommend pinning usage to a specific package version. This way, you can install the same version each time without breaking changes unless you are intentionally looking for the latest version.
While we value open-source contributions to this SDK, this library is generated programmatically. Any manual changes added to internal files will be overwritten on the next generation. We look forward to hearing your feedback. Feel free to open a PR or an issue with a proof of concept and we'll do our best to include it in a future release.