Skip to main content
POST
/
api
/
v1
/
applications
Create an application
curl --request POST \
  --url https://api.accessowl.com/api/v1/applications \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "title": "<string>",
  "admin_user_ids": [
    "3c90c3cc-0d44-4b50-8888-8dd25736052a"
  ],
  "data_location": "<string>",
  "description": "<string>",
  "last_vendor_review_at": "2023-12-25",
  "mfa_activated": true,
  "notes": "<string>",
  "owner_user_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "processed_data_types": [],
  "resources": [
    {
      "title": "<string>",
      "description": "<string>",
      "permissions": [
        {
          "title": "<string>",
          "description": "<string>",
          "elevated": true,
          "requestable": true
        }
      ],
      "requestable": true
    }
  ],
  "tags": [
    "<string>"
  ],
  "url": "<string>",
  "user_setup_url": "<string>",
  "vendor_certificates": []
}
'
{
  "admin_user_ids": [
    "7488a646-e31f-11e4-aace-600308960665"
  ],
  "auth_method": "okta",
  "data_location": "EU",
  "description": "Team communication platform",
  "id": "7488a646-e31f-11e4-aace-600308960662",
  "inserted_at": "2023-01-01T00:00:00Z",
  "last_vendor_review_at": "2026-01-15",
  "mfa_activated": true,
  "notes": "Reviewed in Q4",
  "owner_user_id": "7488a646-e31f-11e4-aace-600308960663",
  "processed_data_types": [
    "customer_data"
  ],
  "provisioning_type": "automatic",
  "risk_level": "medium",
  "status": "requestable",
  "tags": [
    {
      "id": "7488a646-e31f-11e4-aace-600308960666",
      "title": "Communication"
    }
  ],
  "title": "Slack",
  "updated_at": "2023-01-01T00:00:00Z",
  "url": "https://slack.com",
  "user_count": 150,
  "user_setup_url": "https://slack.com/get-started",
  "vendor_certificates": [
    "soc2_t2",
    "iso_27001"
  ]
}

Authorizations

Authorization
string
header
required

Bearer token authentication. Pass your AccessOwl API token in the Authorization header as Bearer <token>.

Headers

Idempotency-Key
string

Optional key (1–255 chars) for safely retrying a request. Reusing the same key for the same request returns 409 Conflict and is not processed again — this confirms the request was already received. Keys are retained for 14 days.

Required string length: 1 - 255

Body

application/json

Application create parameters

Request body for creating an application

title
string
required

Application title (required)

admin_user_ids
string<uuid>[]

User IDs of the application's admins. Send [] to clear; unknown IDs return 422.

auth_method
enum<string> | null

Authentication method used to sign in

Available options:
google,
microsoft,
okta,
sso_provider,
credentials,
other
data_location
string | null

Where the vendor stores data

description
string | null
last_vendor_review_at
string<date> | null

Date of the last vendor security review

mfa_activated
boolean | null

Whether MFA is activated for this application

notes
string | null

Internal notes

owner_user_id
string<uuid>

Required when status is "approved" or "requestable"

processed_data_types
enum<string>[]

Data-processing-scope slugs. Send [] to clear; unknown slugs return 422.

Available options:
customer_metadata,
customer_pii,
company_metadata,
company_sensitive_data,
employee_pii,
employee_sensitive_data,
ephi
resources
object[]

Initial resources with permissions. Required for status="requestable".

risk_level
enum<string> | null
Available options:
low,
medium,
high
status
enum<string>

Defaults to "requestable"

Available options:
ignored,
approved,
requestable
tags
string[]

Tag titles. New titles are created automatically; send [] to clear.

url
string | null
user_setup_url
string | null

URL where existing users are shown and new users are invited

vendor_certificates
enum<string>[]

Security/compliance certifications held by the vendor

Available options:
iso_22301,
iso_27001,
iso_27017,
iso_27701,
iso_31000,
iso_42001,
soc1,
soc2_t1,
soc2_t2,
soc3,
pci_dss,
nist_csf,
fed_ramp,
hipaa,
hitrust_csf,
gdpr,
csa_star,
fsd_safe

Response

Application

An application in the organization

id
string<uuid>
required

Application ID

status
enum<string>
required

Application status

Available options:
ignored,
discovered,
approved,
requestable
title
string
required

Application title

admin_user_ids
string<uuid>[]

User IDs of the application's admins

auth_method
enum<string> | null

Authentication method used to sign in

Available options:
google,
microsoft,
okta,
sso_provider,
credentials,
other
data_location
string | null

Where the vendor stores data

description
string | null

Description

inserted_at
string<date-time>

Creation timestamp

last_vendor_review_at
string<date> | null

Date of the last vendor security review

mfa_activated
boolean | null

Whether MFA is activated for this application

notes
string | null

Internal notes

owner_user_id
string<uuid> | null

Owner user ID

processed_data_types
enum<string>[]

Types of data this application processes

Available options:
customer_metadata,
customer_pii,
company_metadata,
company_sensitive_data,
employee_pii,
employee_sensitive_data,
ephi
provisioning_type
enum<string>

Provisioning type

Available options:
application_admin,
automatic
risk_level
enum<string> | null

Risk level assessment

Available options:
low,
medium,
high
tags
object[]

Tags assigned to this application

updated_at
string<date-time>

Last update timestamp

url
string | null

Application URL

user_count
integer | null

Number of users with access

user_setup_url
string | null

URL where existing users are shown and new users are invited

vendor_certificates
enum<string>[]

Security/compliance certifications held by the vendor

Available options:
iso_22301,
iso_27001,
iso_27017,
iso_27701,
iso_31000,
iso_42001,
soc1,
soc2_t1,
soc2_t2,
soc3,
pci_dss,
nist_csf,
fed_ramp,
hipaa,
hitrust_csf,
gdpr,
csa_star,
fsd_safe