VaultWorkflow API Reference
HTTP endpoint reference for creating workflow sessions, submitting steps, managing approvals, and querying workflow status.
All VaultWorkflow endpoints are hosted on the Dispatcher Azure Function. Initiator routes require a valid Entra ID JWT. Participant portal routes use a short-lived portal access token (HMAC-signed, 4-hour TTL) issued at session creation.
Base URL
All paths are relative to your Dispatcher Function base URL, e.g. https://<your-dispatcher>.azurewebsites.net.
Create Workflow Session
POST /api/workflowCreates a new workflow instance and returns a portal URL for the participant.
Auth: Entra ID JWT (initiator)
Request body:
{
"templatePath": "templates/vendor-onboarding.vpdf",
"correlationId": "vc-2026-0601-acme",
"templateSettings": {
"workflow": {
"schemaPath": "Workflows/vendor-onboarding.yaml",
"recipients": [
{ "email": "[email protected]", "displayName": "Vendor Contact" }
],
"requireOtp": false,
"organizationName": "Contoso Ltd",
"message": "Please complete the vendor onboarding form."
}
},
"options": {
"documentId": "VENDOR-2026-001",
"docType": "vendor-contract"
}
}| Field | Type | Required | Description |
|---|---|---|---|
templatePath | string | Yes* | Path to the .vpdf template (SharePoint library path or blob name). Used for the full render engine at seal time. Also accepted as templateId for legacy callers. |
correlationId | string | No | Caller-supplied identifier. Auto-generated UUID if absent. Used to link all downstream records. |
templateSettings.workflow.schemaPath | string | No | Explicit path to the workflow schema YAML (e.g. Workflows/vendor-onboarding.yaml). When absent, schema is discovered from structured_content nodes inside the .vpdf template. |
templateSettings.workflow.recipients | array | No | One or more recipients who receive the portal invitation email. First recipient also receives OTP if requireOtp is true. |
templateSettings.workflow.requireOtp | boolean | No | When true, participant must verify an OTP before accessing workflow steps. Default false. |
templateSettings.workflow.organizationName | string | No | Organization name shown in notification emails. |
templateSettings.workflow.message | string | No | Custom body text included in the invitation email. |
templateSettings.esign | object | No | VaultESign settings to trigger automatically after the final PDF is sealed. Set enabled: true and provide signers, signingMode. |
templateSettings.delivery | object | No | VaultDelivery settings to trigger automatically after sealing. Set enabled: true and provide recipients. |
options.documentId | string | No | Document identifier for audit and display (e.g. contract number, invoice ID). |
options.docType | string | No | Document type label (e.g. vendor-contract, expense-claim). |
initialData | object | No | Pre-populated field data for governance workflows with autoValidateOnCreate: true. Keys must match field key values in the schema. When provided, validation runs immediately and portal interaction is skipped. |
callbackUrl | string | No | Webhook URL called by the Dispatcher when the workflow reaches a terminal state (complete, rejected, cancelled). POST body: { "workflowId": "...", "correlationId": "...", "state": "complete", "completedAt": "..." }. Useful for source systems that need to react to workflow completion without polling. |
Schema path resolution
When templateSettings.workflow.schemaPath is set, the schema YAML is fetched directly from the SP assets library. When absent, VaultWorkflow discovers the schema from structured_content nodes inside the .vpdf template file. Use schemaPath when your PDF layout template and workflow form schema are separate files.
Response 201:
{
"workflowId": "a3f1c2d4-8e9b-4f0a-b2c3-1d4e5f6a7b8c",
"correlationId": "vc-2026-0601-acme",
"state": "in-progress",
"portalUrl": "https://portal.vaultpdf.io/workflow/a3f1c2d4-8e9b-4f0a-b2c3-1d4e5f6a7b8c?pt=<portalToken>"
}| Field | Description |
|---|---|
workflowId | UUID for this workflow session. Use this to poll status and perform approver actions. |
correlationId | Correlation ID (caller-supplied or auto-generated). |
state | in-progress (participant can begin entering data). |
portalUrl | Participant portal URL with embedded portal token (?pt=). Forward to the participant via email or your own notification. Token expires after 4 hours; the portal refreshes it automatically on each valid access. |
Idempotency
Submitting the same correlationId twice returns the existing session (HTTP 200 with idempotent: true) rather than creating a duplicate.
Get Workflow (Portal Bootstrap)
GET /api/workflow/{workflowId}Returns the workflow instance, schema, and current step state for the participant portal.
Auth: Portal access token (query param ?token=<portalToken>)
Response 200: Full WorkflowPortalPayload including schema steps, current data snapshots, and validation state.
Submit Step
PATCH /api/workflow/{workflowId}/step/{stepIndex}Saves the participant's field data for a single step. Can be called multiple times before the step is submitted.
Auth: Portal access token
Request body:
{
"data": {
"vendor_name": "Contoso Supplies Ltd",
"invoice_total": 47500,
"payment_terms": "net30"
}
}Response 200: Updated step entity.
Advance Step
POST /api/workflow/{workflowId}/advanceMarks the current step as submitted and advances to the next step. When called on the final step, triggers schema validation. If validation passes, the workflow transitions to pending-approval.
Auth: Portal access token
Response 200:
{
"state": "pending-approval",
"validationOutcome": "passed",
"validationResults": []
}On validation failure:
{
"state": "validation-failed",
"validationOutcome": "failed",
"validationResults": [
{
"ruleId": "po_amount_match",
"passed": false,
"severity": "error",
"message": "Invoice total exceeds the approved PO amount.",
"fieldKey": "invoice_total"
}
]
}Approve Workflow
POST /api/workflow/{workflowId}/approveRecords the approver's decision and enqueues the seal message. The workflow transitions to sealing.
Auth: Entra ID JWT (approver)
Request body:
{
"comment": "Approved — within budget and policy."
}Response 200:
{ "state": "sealing", "workflowId": "a3f1c2d4-8e9b-4f0a-b2c3-1d4e5f6a7b8c" }Reject Workflow
POST /api/workflow/{workflowId}/rejectRecords a rejection decision. No PDF is produced.
Auth: Entra ID JWT (approver or reviewer)
Request body:
{
"comment": "Vendor not on approved supplier list."
}Request Changes
POST /api/workflow/{workflowId}/request-changesReturns the submission to the participant with structured change requests. Workflow transitions to changes-requested.
Auth: Portal access token — issued to the reviewer when the approval notification is sent
Request body:
{
"changes": [
{
"message": "Invoice total does not match attached invoice PDF.",
"fieldKey": "invoice_total",
"severity": "error"
}
]
}| Field | Type | Description |
|---|---|---|
message | string | Human-readable correction instruction shown to participant. |
fieldKey | string | Optional; links the change request to a specific field for portal highlighting. |
severity | info | warning | error | Urgency indicator. |
category | string | Optional grouping label (e.g. missing-document). |
dueDate | string | Optional ISO 8601 date by which the correction should be made. |
Get Workflow Status
GET /api/workflow/{workflowId}/statusReturns the current state, validation outcome, and resolved routing.
Auth: Entra ID JWT (initiator) or portal access token
Response 200:
{
"workflowId": "a3f1c2d4-8e9b-4f0a-b2c3-1d4e5f6a7b8c",
"state": "pending-approval",
"currentStepIndex": 2,
"totalSteps": 2,
"validationOutcome": "passed",
"currentApprovalStage": 0,
"totalApprovalStages": 1
}Export Workflow Data
GET /api/workflow/{workflowId}/export?format=jsonExports the complete collected data snapshot. Useful for audit or downstream integrations.
Auth: Entra ID JWT
Query params: format=json (default) or format=csv
Seal Workflow
POST /api/workflow/{workflowId}/sealManually enqueues the seal message. Called automatically by the approve endpoint — use this only to retry a failed seal or trigger sealing without the normal approval gate (admin use).
Auth: Entra ID JWT (initiator / admin)
Response 200: { "state": "sealing", "workflowId": "..." }
Fix Validation
POST /api/workflow/{workflowId}/fix-validationResets a validation-failed workflow to in-progress at the first failing field's step. Allows the participant to correct data and resubmit without creating a new session.
Auth: Portal access token
Governance Decision
POST /api/workflow/{workflowId}/governance-decisionRecords an approver decision on a governance workflow — Approve, Approve with Exception, or Reject. The request includes the decision and (for exceptions) a mandatory justification text.
Auth: Portal access token (reviewer)
Request body:
{
"decision": "approve-with-exception",
"justification": "Invoice exceeds PO by 1.6% — within tolerance; approved."
}decision value | Behaviour |
|---|---|
approve | All rules passed; normal approval. |
approve-with-exception | One or more error rules failed; approver overrides with written justification. Justification sealed into PDF. |
reject | Submission rejected. No PDF produced. |
Resend Invitation
POST /api/workflow/{workflowId}/resend-inviteRe-sends the workflow invitation email to the current pending approver or participant. Subject to portal-side rate limiting.
Auth: Portal access token
Escalate Workflow
POST /api/workflow/{workflowId}/escalateManually escalates the workflow to the next approver in the routing sequence. Normally triggered automatically via escalateAfterDays; this endpoint allows manual escalation.
Auth: Entra ID JWT (initiator)
OTP — Send Code
POST /api/workflow/{workflowId}/otp/sendSends a one-time passcode to the participant's email. Only valid when requireOtp: true.
Auth: Portal access token. Rate-limited to one send per 60 seconds.
OTP — Verify Code
POST /api/workflow/{workflowId}/otp/verifyVerifies the participant's OTP code.
Auth: Portal access token
Request body: { "otp": "483921" }
OTP constraints: 6 digits, 10-minute TTL, 5-attempt lockout.
Configure Your First Workflow
See the Workflow Schema reference for step definitions, validation rules, and approval routing.
Workflow Schema Reference
Complete reference for the VaultWorkflow YAML schema, covering step definitions, field types, validation rules, and approval routing configuration.
Example: Vendor Onboarding
A complete data-collection workflow schema for vendor onboarding. Collects contact details, compliance declarations, and supporting documents across three steps, then routes to an approver before sealing the onboarding record.