Q2 2026 Public API Updates | Developper Help Center

Quarter at a glance

Q2 2026 expands integration coverage for supplier screening and validation (v2) and identifier-based external score ingestion. Key releases: history screening with status polling, discovery validation, optional post-onboarding screening and validation on supplier create, bulk external score writes, per-site score history, and event type discovery.

OpenAPI / Swagger remains the source of truth for request and response schemas when features are enabled for your organization.

May 2026

Screening and validation (v2)

Base path: /public/v2/suppliers/sites

Screening

Method	Endpoint	Description
POST	`/public/v2/suppliers/sites/screening`	Request history screening for an existing supplier (async)
GET	`/public/v2/suppliers/sites/screening`	Poll the latest screening status for your requests for that supplier

Key behavior:

POST body requires an identifier with at least one of supplierId, customerId, ownId, prewaveId (optional source), and options.periodInYears — must be 2, 5, or 10.
Exactly one supplier must match. Zero matches returns 404; multiple matches returns 400.
POST returns 202 Accepted with screeningRequestIds (may be empty if the target is skipped, e.g. already screened).
GET returns 200 with status (New, Finished, NoFindings, Aborted, ...). Returns 404 if the supplier is not found or no screening request exists for your user.
Screening can be long-running and may incur cost or quota. Confirm with your Customer Success Manager before running high volumes.

Validation

Method	Endpoint	Description
POST	`/public/v2/suppliers/sites/validation`	Request discovery validation for an existing supplier (async)
GET	`/public/v2/suppliers/sites/validation`	Poll the latest validation status for your requests

Key behavior:

POST body requires an identifier only (same uniqueness rules as screening).
Precondition failures surface as 4xx with messages — see OpenAPI for full list.
POST returns 202 Accepted with a requestId (UUID).
GET returns PENDING, COMPLETED, or REJECTED with optional outcomeTargetId, rejectionReason, etc. Returns 404 if no validation request exists for your user.

Examples

Request screening (2-year window):

curl --request POST \   --url "https://api.prewave.com/public/v2/suppliers/sites/screening" \   --header "Content-Type: application/json" \   --header "X-Auth-Token: YOUR_API_TOKEN" \   --data '{   "identifier": { "supplierId": "SUP-001", "source": "SAP" },   "options": { "periodInYears": 2 } }'

Poll screening status:

curl --request GET \   --url "https://api.prewave.com/public/v2/suppliers/sites/screening?supplierId=SUP-001&source=SAP" \   --header "X-Auth-Token: YOUR_API_TOKEN"

Request validation:

curl --request POST \   --url "https://api.prewave.com/public/v2/suppliers/sites/validation" \   --header "Content-Type: application/json" \   --header "X-Auth-Token: YOUR_API_TOKEN" \   --data '{   "identifier": { "supplierId": "SUP-001", "source": "SAP" } }'

Optional screening and validation on create

POST /public/v2/suppliers/sites accepts two optional fields in the JSON body:

Field	Effect
`screeningPeriodInYears`	If 2, 5, or 10, schedules post-onboarding history screening after the supplier is created. Invalid values are rejected.
`requestValidationOnCreate`	If true, schedules a discovery validation request after onboarding completes.

Omit these fields (or use null / false) to skip. Both require matching entitlements on your API user. After creation, use GET .../screening and GET .../validation with supplier identifiers to track status.

Create supplier with optional screening and validation:

curl --request POST \   --url "https://api.prewave.com/public/v2/suppliers/sites" \   --header "Content-Type: application/json" \   --header "X-Auth-Token: YOUR_API_TOKEN" \   --data '{   "name": "Acme Corporation",   "countryCode": "AT",   "city": "Vienna",   "address": "123 Example Street, Vienna",   "supplierId": { "id": "SUP-001", "source": "SAP" },   "postalCode": "1010",   "screeningPeriodInYears": 5,   "requestValidationOnCreate": true }'

Response is 202 Accepted with a Location header to track pending creation.

Shared identifier rules

For v2 screening, validation, and other supplier endpoints, identifiers must include at least one of supplierId, customerId, ownId, prewaveId, with optional source to disambiguate string IDs. Exactly one supplier site must match — 400 if multiple match, 404 if none match.

June 2026

External scores (identifier-based)

Method	Endpoint	Description
POST	`/public/v1/scores/externals`	Create or update external scores for one or more supplier sites (bulk)
GET	`/public/v1/scores/externals`	Return external score history for exactly one supplier site
GET	`/public/v1/scores/externals/event-types`	List `eventTypeKey` values configured for a perspective (requires `perspectiveId`)

These endpoints are documented in OpenAPI when the feature is enabled for your organization. They may not appear in the public Swagger UI until your rollout.

Important: HTTP 200 does not mean all rows succeeded

For POST /public/v1/scores/externals, HTTP 200 means the request was accepted — not that every row was applied. Always inspect the response body:

success — overall outcome signal
errors[] — per-problem detail: entryIndex, optional scoreIndex, reason, message, and related fields

200 with a non-empty errors[] is expected behavior when some rows are skipped or invalid.

Bulk write request body

data is a non-empty array. Each element requires:

identifier — how the supplier site is resolved (see shared identifier rules below)
scores — non-empty array, each with:
- eventTypeKey — stable machine-readable key for the event type; valid values depend on your organization
- scoreValue — integer 1–100
- comment — optional string

Common error reasons

Reason	Meaning
`INVALID_IDENTIFIER`	No usable lookup key on the identifier
`TARGET_NOT_FOUND`	No matching supplier site
`MULTIPLE_TARGETS_MATCHED`	More than one site matched; narrow identifiers or set `source`
`UNKNOWN_EVENT_TYPE`	Unknown `eventTypeKey` for your tenant
`PERSIST_ERROR` / `UNEXPECTED_ERROR`	Server-side failure

Recommended flow before your first bulk upload

Call GET /public/v1/scores/externals/event-types?perspectiveId={id} to retrieve valid eventTypeKey values and their human-readable names for your perspective.
Use those keys in your bulk POST body.
Keys that do not exist appear in errors[] — they do not cause an HTTP error on POST.
If the write response reports per-entry errors, reconcile keys against this list and your source data.

You can also use GET /public/v1/infotags for broader tag data.

Examples

Bulk write (two suppliers):

curl --request POST \   --url "https://api.prewave.com/public/v1/scores/externals" \   --header "Content-Type: application/json" \   --header "X-Auth-Token: YOUR_API_TOKEN" \   --data '{   "data": [     {       "identifier": { "supplierId": "SUP-001", "source": "SAP" },       "scores": [         { "eventTypeKey": "carbon", "scoreValue": 72, "comment": "Annual self-assessment" }       ]     },     {       "identifier": { "prewaveId": 102006215 },       "scores": [         { "eventTypeKey": "flood", "scoreValue": 55 }       ]     }   ] }'

Read score history for one supplier:

curl --request GET \   --url "https://api.prewave.com/public/v1/scores/externals?supplierId=SUP-001&source=SAP" \   --header "X-Auth-Token: YOUR_API_TOKEN"

List event types for a perspective:

curl --request GET \   --url "https://api.prewave.com/public/v1/scores/externals/event-types?perspectiveId=5484774" \   --header "X-Auth-Token: YOUR_API_TOKEN"

Replace 5484774 with a perspective ID your API token can access.

Shared identifier rules (external scores)

For bulk and history calls on /public/v1/scores/externals, use the identifier fields documented in OpenAPI. Exactly one site must match for a history GET. Bulk POST reports per-entry errors when a row cannot be resolved or applied.

Questions?

Contact support at [email protected], reach out to your Customer Success Manager, or visit help.prewave.com.

Q1 2026 Public API Updates