GET /sessions/{id}/report — download compliance report

Generates a compliance report for a single session. The report is produced on demand by walking the session’s audit log — it is not cached, and each call regenerates it from source. Two formats are available: a structured JSON document conforming to Masker Audit Schema v1 (for programmatic processing or ingestion into your compliance tooling), and an auditor-ready PDF. Both formats share the same merkle_root_hex, which ties the report to the session’s immutable audit chain.

Endpoint

GET /api/v1/sessions/{session_id}/report

Requires masker_session authentication.

Path parameters

session_id

string

required

The session’s ID in sess_* ULID format, e.g. sess_01HYZ....

Query parameters

format

string

default:"json"

Output format. json returns Masker Audit Schema v1 JSON. pdf returns a binary PDF suitable for auditors and regulators.

Response

JSON format

Returns 200 OK with Content-Type: application/json.

report

object

required

Masker Audit Schema v1 report object.

Hide report fields

string

required

Report ID in rep_* ULID format.

scope

string

required

Always session for this endpoint.

session_id

string

required

ID of the session this report covers.

generated_at

string

required

ISO 8601 UTC timestamp of report generation.

merkle_root_hex

string

required

Hex-encoded Merkle root of the session’s audit event chain. Use this to verify the report has not been tampered with.

redactions_by_kind

object

required

PHI redaction counts per category, e.g. {"PHONE": 1, "NAME": 2, "DOB": 1}.

policy_snapshot

string

required

Full YAML text of the masking policy that was active during this session.

safe_harbor_coverage

object

required

HIPAA Safe Harbor identifier coverage assessment. Each key corresponds to one of the 18 Safe Harbor identifiers (e.g. A_names, B_geo, C_dates, D_phone). Values are full, partial, or none.

PDF format

Returns 200 OK with Content-Type: application/pdf and a Content-Disposition: attachment header. The response body is a binary PDF. Download it directly to a file.

Examples

curl -H "Cookie: masker_session=ey..." \
  "https://masker-voice.fly.dev/api/v1/sessions/sess_01HYZ.../report?format=json"

JSON response

{
  "report": {
    "id": "rep_01HYZ...",
    "scope": "session",
    "session_id": "sess_01HYZ...",
    "generated_at": "2026-05-03T21:30:11Z",
    "merkle_root_hex": "f3a2...",
    "redactions_by_kind": {"PHONE": 1, "NAME": 2, "DOB": 1},
    "policy_snapshot": "name: healthcare-default\n...",
    "safe_harbor_coverage": {
      "A_names": "full",
      "B_geo": "full",
      "C_dates": "partial",
      "D_phone": "full"
    }
  }
}

Notes

Reports are generated on demand. Each request walks the full audit log for the session; there is no caching.
The merkle_root_hex in the JSON report matches the value in the PDF. You can use it to independently verify that the two representations are consistent.
Per-agent and account-wide report endpoints (/api/v1/agents/{id}/report and /api/v1/reports) are on the May 30 production roadmap.

Errors

Status	Code	Meaning
`401`	`unauthenticated`	Missing or invalid `masker_session` cookie
`404`	`session_not_found`	No session with this ID exists in your account
`500`	`report_generation_failed`	PDF rendering failed; include the `request_id` when reporting the issue

Overview

Agents

Sessions

Proxy & Webhooks

GET /sessions/{id}/report — download compliance report

Endpoint

Path parameters

Query parameters

Response

JSON format

PDF format

Examples

Notes

Errors

Overview

Agents

Sessions

Proxy & Webhooks

Documentation Index

​Endpoint

​Path parameters

​Query parameters

​Response

​JSON format

​PDF format

​Examples

​Notes

​Errors

Endpoint

Path parameters

Query parameters

Response

JSON format

PDF format

Examples

Notes

Errors