AAMOS / Docs

Developer Documentation

REST API reference, authentication, evidence levels, and code examples.

Getting Started

Authentication Quick Start

API Reference

POST /api/certify POST /api/chat GET /api/standards GET /api/cert/:id

Evidence System

Evidence Levels E0–E5 GECL — Geographic Layer

Standards

Supported Standards

Responses

Verdict Schema Error Codes

AAMOS API v1

Base URL: https://api.aamos.ai/v1

All requests must include an API key in the X-AAMOS-Key header. All responses are JSON. All verdicts are deterministic — same input + same evidence = same output, every time.

Authentication

AAMOS uses API key authentication. Include your key in every request header:

X-AAMOS-Key: aamos_live_xxxxxxxxxxxxxxxxxxxxxxxx

Get your API key from your account dashboard. Free tier keys are prefixed aamos_free_. Pro keys are prefixed aamos_live_. Never expose your key in client-side code.

Quick Start

Submit a GDPR compliance check in 30 seconds:

# cURL — GDPR Article 13 compliance check curl -X POST https://api.aamos.ai/v1/certify \ -H "X-AAMOS-Key: aamos_live_your_key" \ -H "Content-Type: application/json" \ -d '{ "query": "Does our privacy policy comply with GDPR Article 13?", "document": "...[your privacy policy text]...", "standard": "GDPR", "jurisdiction": "EU", "evidence_level_min": "E3" }'

Response:

{ "verdict": "APPROVED", "verdict_code": 1, "standard": "GDPR 2016/679", "clauses_checked": ["Art.13.1", "Art.13.2", "Art.13.3"], "criteria_met": 7, "criteria_total": 7, "evidence_level": "E4", "cert_id": "AAMOS-CERT-20260410-GD1337", "cert_url": "https://api.aamos.ai/v1/cert/AAMOS-CERT-20260410-GD1337", "timestamp": "2026-04-10T08:31:44Z", "trace_id": "tr_9f3c2a8b1e4d", "reproducible": true }

POST /api/certify

The primary endpoint. Submit a document or claim for compliance verification against a named standard.

POST /v1/certify Submit for compliance verdict

Request Body

{ "query": "string", // Required. The compliance question or claim "document": "string", // Optional. Full document text to analyze "document_url": "string", // Optional. URL to document (PDF/HTML) "standard": "string", // Required. e.g. "GDPR", "ISO27001", "BBR" "clauses": ["string"], // Optional. Specific clauses to check "jurisdiction": "string", // Optional. e.g. "EU", "SE", "DE", "US-DE" "evidence_level_min": "E3", // Optional. Minimum E level (default: E2) "stream": false // Optional. Stream via WebSocket (default: false) }

JavaScript Example

// JavaScript — Node.js / Browser const response = await fetch('https://api.aamos.ai/v1/certify', { method: 'POST', headers: { 'X-AAMOS-Key': 'aamos_live_your_key', 'Content-Type': 'application/json' }, body: JSON.stringify({ query: 'ISO 27001:2022 compliance — access control policy', document: policyText, standard: 'ISO27001', jurisdiction: 'EU', evidence_level_min: 'E3' }) }); const verdict = await response.json(); console.log(verdict.verdict); // "APPROVED" | "REJECTED" | "INSUFFICIENT_EVIDENCE"

Python Example

# Python 3.x import requests response = requests.post( 'https://api.aamos.ai/v1/certify', headers={ 'X-AAMOS-Key': 'aamos_live_your_key', 'Content-Type': 'application/json' }, json={ 'query': 'GDPR Art.13 compliance check', 'document': policy_text, 'standard': 'GDPR', 'jurisdiction': 'EU' } ) verdict = response.json() print(f"Verdict: {verdict['verdict']}") print(f"Cert ID: {verdict.get('cert_id', 'N/A')}")

POST /api/chat

Interactive compliance consultation. Ask AAMOS questions about specific standards. Returns structured answers — not conversational text. Will return INSUFFICIENT_EVIDENCE if the query cannot be answered authoritatively.

POST /v1/chat Standards Q&A — structured answers only
{ "message": "What are the mandatory elements of GDPR Art.13?", "standard": "GDPR", // Optional filter "jurisdiction": "EU" // Optional }

GET /api/standards

List all supported standards, their versions, clause counts, and geographic applicability.

GET /v1/standards List all supported standards
GET /v1/standards/:id Get standard detail + clause list
curl https://api.aamos.ai/v1/standards \ -H "X-AAMOS-Key: aamos_live_your_key" # Response { "standards": [ { "id": "ISO9001", "name": "ISO 9001:2015 Quality Management", "jurisdiction": "GLOBAL", "clauses": 138, "status": "active" }, ... ] }

GET /api/cert/:id

Verify an issued AAMOS certificate by ID. Returns the full audit trace, verdict, and issuing metadata. Publicly accessible — share cert IDs with auditors.

GET /v1/cert/:id Verify certificate (public endpoint)

Evidence Levels E0–E5

AAMOS grades all evidence on a 6-point scale. The minimum evidence level required to issue a verdict is configurable — default is E2 for Chat, E3 for Certify.

E0

No Evidence

Input received but no verifiable sources. Query is rejected — AAMOS returns INSUFFICIENT_EVIDENCE immediately.

E1

Input Only

Claim stated by requester. No external corroboration. Usable for Chat queries. Not sufficient for Certify.

E2

Secondary Reference

Document or claim corroborated by secondary source (guide, commentary, published interpretation). Minimum for Chat verdict.

E3

Standard Reference

Directly matched to the named standard's published text. Minimum for Certify verdict. All clause references verified.

E4

Regulatory Text

Matched to official regulation, law, or government publication (e.g. Official Journal of the EU for GDPR). Highest civilian evidence tier.

E5

Verified Audit Trail

Prior AAMOS-CERT exists for the same entity + standard combination. Re-verification against stored trace. Enterprise only.

GECL — Geographic Evidence Constraint Layer

GECL automatically applies jurisdictional constraints based on the jurisdiction parameter. This ensures that a GDPR check for a Swedish entity applies Swedish DPA guidance in addition to base GDPR text. GECL currently supports:

  • EU — All EU member states (base GDPR, EU directives)
  • SE — Sweden (Datainspektionen, IMY guidance, Swedish law)
  • DE — Germany (BDSG supplement, Landesrecht)
  • US-DE — Delaware, USA (DGCL, CCPA cross-reference)
  • GLOBAL — No geographic constraints (ISO/IEC standards)

Supported Standards

See Standards Library for the full searchable list. API identifiers:

ISO9001 → ISO 9001:2015 Quality Management ISO27001 → ISO/IEC 27001:2022 Information Security ISO45001 → ISO 45001:2018 Occupational Health & Safety ISO14001 → ISO 14001:2015 Environmental Management GDPR → EU Regulation 2016/679 (GDPR) TRV → Trafikverkets tekniska krav (TRVK Väg 2022) BBR → Boverkets Byggregler (BBR 2024)

Verdict Schema

{ "verdict": "APPROVED" | "REJECTED" | "INSUFFICIENT_EVIDENCE", "verdict_code": 1 | 0 | -1, "standard": "string", "standard_version": "string", "clauses_checked": ["string"], "clauses_passed": ["string"], "clauses_failed": ["string"], // Only on REJECTED "criteria_met": integer, "criteria_total": integer, "evidence_level": "E0""E5", "jurisdiction": "string", "cert_id": "string" | null, // null if not APPROVED "cert_url": "string" | null, "timestamp": "ISO8601", "trace_id": "string", // For audit/reproduce "reproducible": true }

Error Codes

HTTP Code Meaning
200 OK Verdict issued. Check verdict field.
400 INVALID_REQUEST Missing required field or invalid standard ID.
401 UNAUTHORIZED Invalid or missing API key.
402 QUOTA_EXCEEDED Monthly review limit reached. Upgrade tier.
422 EVIDENCE_INSUFFICIENT Evidence below minimum threshold. Provide more documentation.
500 ENGINE_ERROR Internal evidence engine error. Retry with trace_id.