DORA API Endpoints for the Digital Operational Resilience Act (EU 2022/2554) — incidents, ICT third-party register, and resilience tests.
| Method | Path | Description |
|---|---|---|
| POST | /dora/incidents | Open a new ICT incident (Article 17) |
| GET | /dora/incidents | List incidents with filters |
| GET | /dora/incidents/{uuid} | Get one incident |
| PUT | /dora/incidents/{uuid}/classify | Classify severity/category (Article 18) |
| PUT | /dora/incidents/{uuid}/resolve | Mark resolved and record lessons learned |
| GET | /dora/incidents/{uuid}/report | Download signed major-incident PDF (Article 19) |
| POST | /dora/third-parties | Register an ICT third party (Article 28) |
| GET | /dora/third-parties | List registered third parties |
| GET | /dora/third-parties/{uuid} | Get one third party |
| PUT | /dora/third-parties/{uuid} | Update third-party fields (PATCH semantics) |
| POST | /dora/tests | Log a resilience test (Articles 24–27) |
| GET | /dora/tests | List resilience tests |
All endpoints require a Bearer API key. The route group is gated by the
ENABLE_DORA setting; when disabled all endpoints return 404.
POST /api/v1/dora/incidents
| Field | Type | Required | Description |
|---|---|---|---|
| title | string | yes | Human-readable title |
| description | string | yes | What happened |
| detected_at | datetime | yes | ISO 8601 UTC |
| affected_services | string[] | no | List of internal service identifiers |
| clients_affected_count | int | no | Defaults to 0 |
| geographic_scope | string[] | no | List of country/region codes |
| related_action_uuids | string[] | no | Aira action UUIDs involved in the incident |
Response body (example):

```json
{
  "uuid": "i-...",
  "title": "Payments API outage",
  "status": "detected",
  "severity": null,
  "category": null,
  "is_major": false,
  "detected_at": "2026-04-15T10:00:00Z",
  "classified_at": null,
  "resolved_at": null,
  "reported_at": null,
  "clients_affected_count": 1500,
  "has_report": false,
  "created_at": "2026-04-15T10:00:00Z",
  "org_uuid": "...",
  "description": "...",
  "affected_services": ["payments-api"],
  "request_id": "req_..."
}
```
PUT /api/v1/dora/incidents/{uuid}/classify
| Field | Type | Required | Description |
|---|---|---|---|
| severity | string | yes | critical / high / medium / low |
| category | string | yes | See DORA incident reporting |
| is_major | bool | no | Override auto-promotion (critical/high → major) |
| root_cause_summary | string | no | Free-text narrative |
| root_cause_classification | string | no | See root cause vocab |
| third_party_uuid | string | yes when category = third_party_failure | Link into the ICT third-party register |
| Code | When |
|---|---|
| 400 INVALID_STATE | Incident is not in detected state |
| 400 THIRD_PARTY_REQUIRED | Category is third_party_failure but no third_party_uuid |
| 404 NOT_FOUND | Incident does not belong to the caller's org |
PUT /api/v1/dora/incidents/{uuid}/resolve
| Field | Type | Required |
|---|---|---|
| resolution_summary | string | yes |
| lessons_learned | string | no |
| resolved_at | datetime | no (defaults to server time) |
Only allowed when the incident is in classified state.
GET /api/v1/dora/incidents/{uuid}/report
Returns application/pdf. Only valid for incidents where
is_major = true and status != "detected". First call generates
and signs the PDF; subsequent calls serve the cached bytes.
| Field | Meaning |
|---|---|
| report_content_hash | SHA-256 of the canonical PDF bytes |
| report_signature | Ed25519 signature over the hash |
| report_signing_key_id | JWKS key ID — verifiable at /.well-known/jwks.json |
| report_signed_at | When the signature was produced |
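As an added example (not code from this API or its documentation), a Go verifier for a downloaded report: it recomputes SHA-256 over the bytes actually received, compares it with report_content_hash, looks up report_signing_key_id in the JWKS and checks the Ed25519 signature over the digest. The page does not state encodings, so lowercase hex for the hash, base64url for the signature and the JWK `x` member, a signature over the raw 32-byte digest, and the JWKS shape (RFC 8037 OKP keys) are assumptions; the PDF bytes and key set in `main` are constructed fixtures.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// jwks mirrors /.well-known/jwks.json; only RFC 8037 OKP/Ed25519 members are read (json matches names case-insensitively).
type jwks struct{ Keys []struct{ Kty, Crv, Kid, X string } }

// VerifyReport recomputes SHA-256 over the PDF bytes actually received, compares it with report_content_hash
// (assumed hex), then verifies the Ed25519 signature (assumed base64url) over that raw digest under the JWKS key named by kid.
func VerifyReport(pdf []byte, contentHash, signature, kid string, jwksJSON []byte) error {
	digest := sha256.Sum256(pdf)
	if hex.EncodeToString(digest[:]) != contentHash {
		return fmt.Errorf("report_content_hash does not match the downloaded bytes")
	}
	var set jwks
	if err := json.Unmarshal(jwksJSON, &set); err != nil {
		return fmt.Errorf("bad JWKS: %w", err)
	}
	for _, k := range set.Keys {
		if k.Kid != kid {
			continue
		}
		pub, err := base64.RawURLEncoding.DecodeString(k.X)
		if k.Kty != "OKP" || k.Crv != "Ed25519" || err != nil || len(pub) != ed25519.PublicKeySize {
			return fmt.Errorf("kid %q is not a well-formed Ed25519 JWK", kid)
		}
		sig, err := base64.RawURLEncoding.DecodeString(signature)
		if err != nil || !ed25519.Verify(ed25519.PublicKey(pub), digest[:], sig) {
			return fmt.Errorf("report_signature does not verify under kid %q", kid)
		}
		return nil
	}
	return fmt.Errorf("kid %q not present in JWKS", kid)
}
// main signs a constructed PDF the way a server would and verifies it; demo fixture only, not real report data.
func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	pdf := []byte("%PDF-1.7 constructed sample, not a real report")
	d := sha256.Sum256(pdf)
	set := fmt.Sprintf(`{"keys":[{"kty":"OKP","crv":"Ed25519","kid":"demo","x":"%s"}]}`, base64.RawURLEncoding.EncodeToString(pub))
	sig := base64.RawURLEncoding.EncodeToString(ed25519.Sign(priv, d[:]))
	fmt.Println(VerifyReport(pdf, hex.EncodeToString(d[:]), sig, "demo", []byte(set))) // prints <nil>
}
```

Comparing the hash first means a byte-altered or truncated download is rejected before any key lookup, and an unknown kid is rejected rather than falling back to a default key.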
POST /api/v1/dora/third-parties
| Field | Type | Required |
|---|---|---|
| vendor_name | string | yes |
| service_description | string | yes |
| service_type | string | yes — see the type list |
| criticality | string | yes — critical / non_critical / supporting |
| contract_start_date | date | no |
| contract_end_date | date | no |
| exit_strategy_summary | string | required when criticality = critical |
| subcontractors | string[] | no |
| data_categories | string[] | no |
| jurisdiction | string | no |
PUT /api/v1/dora/third-parties/{uuid} uses PATCH semantics — only
fields present in the body change, others stay as-is. is_active=false
soft-retires without deleting.
POST /api/v1/dora/tests

| Field | Type | Required |
|---|---|---|
| test_type | string | yes — tlpt, vulnerability_scan, scenario_based, performance, resilience_drill, other |
| title | string | yes |
| scope | string | yes — what was tested |
| conducted_at | date | yes |
| conducted_by | string | yes — internal team or external tester name |
| status | string | yes — passed / failed / partial |
| findings_summary | string | no |
| remediation_plan | string | no |
| remediation_due_at | date | no |
TLPT results are append-only — there is no PUT for the test record
(findings and remediation must be tracked in a follow-up test, not by
rewriting history).