> ## Documentation Index
> Fetch the complete documentation index at: https://docs.masker.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# GET /sessions/{id}/report — download compliance report

> Download a per-session HIPAA compliance report as auditor-ready JSON (Masker Audit Schema v1) or PDF, with Merkle root and Safe Harbor breakdown.

Generates a compliance report for a single session. The report is produced on demand by walking the session's audit log — it is not cached, and each call regenerates it from source. Two formats are available: a structured JSON document conforming to Masker Audit Schema v1 (for programmatic processing or ingestion into your compliance tooling), and an auditor-ready PDF.

Both formats share the same `merkle_root_hex`, which ties the report to the session's immutable audit chain.

## Endpoint

```
GET /api/v1/sessions/{session_id}/report
```

Requires `masker_session` authentication.

## Path parameters

<ParamField path="session_id" type="string" required>
  The session's ID in `sess_*` ULID format, e.g. `sess_01HYZ...`.
</ParamField>

## Query parameters

<ParamField query="format" type="string" default="json">
  Output format. `json` returns Masker Audit Schema v1 JSON. `pdf` returns a binary PDF suitable for auditors and regulators.
</ParamField>

## Response

### JSON format

Returns `200 OK` with `Content-Type: application/json`.

<ResponseField name="report" type="object" required>
  Masker Audit Schema v1 report object.

  <Expandable title="report fields" defaultOpen>
    <ResponseField name="id" type="string" required>
      Report ID in `rep_*` ULID format.
    </ResponseField>

    <ResponseField name="scope" type="string" required>
      Always `session` for this endpoint.
    </ResponseField>

    <ResponseField name="session_id" type="string" required>
      ID of the session this report covers.
    </ResponseField>

    <ResponseField name="generated_at" type="string" required>
      ISO 8601 UTC timestamp of report generation.
    </ResponseField>

    <ResponseField name="merkle_root_hex" type="string" required>
      Hex-encoded Merkle root of the session's audit event chain. Use this to verify the report has not been tampered with.
    </ResponseField>

    <ResponseField name="redactions_by_kind" type="object" required>
      PHI redaction counts per category, e.g. `{"PHONE": 1, "NAME": 2, "DOB": 1}`.
    </ResponseField>

    <ResponseField name="policy_snapshot" type="string" required>
      Full YAML text of the masking policy that was active during this session.
    </ResponseField>

    <ResponseField name="safe_harbor_coverage" type="object" required>
      HIPAA Safe Harbor identifier coverage assessment. Each key corresponds to one of the 18 Safe Harbor identifiers (e.g. `A_names`, `B_geo`, `C_dates`, `D_phone`). Values are `full`, `partial`, or `none`.
    </ResponseField>
  </Expandable>
</ResponseField>

### PDF format

Returns `200 OK` with `Content-Type: application/pdf` and a `Content-Disposition: attachment` header. The response body is a binary PDF. Download it directly to a file.

## Examples

<CodeGroup>
  ```bash JSON format theme={null}
  curl -H "Cookie: masker_session=ey..." \
    "https://masker-voice.fly.dev/api/v1/sessions/sess_01HYZ.../report?format=json"
  ```

  ```bash PDF format theme={null}
  curl -H "Cookie: masker_session=ey..." \
    "https://masker-voice.fly.dev/api/v1/sessions/sess_01HYZ.../report?format=pdf" \
    -o session-report.pdf
  ```
</CodeGroup>

```json JSON response theme={null}
{
  "report": {
    "id": "rep_01HYZ...",
    "scope": "session",
    "session_id": "sess_01HYZ...",
    "generated_at": "2026-05-03T21:30:11Z",
    "merkle_root_hex": "f3a2...",
    "redactions_by_kind": {"PHONE": 1, "NAME": 2, "DOB": 1},
    "policy_snapshot": "name: healthcare-default\n...",
    "safe_harbor_coverage": {
      "A_names": "full",
      "B_geo": "full",
      "C_dates": "partial",
      "D_phone": "full"
    }
  }
}
```

## Notes

* Reports are generated on demand. Each request walks the full audit log for the session; there is no caching.
* The `merkle_root_hex` in the JSON report matches the value in the PDF. You can use it to independently verify that the two representations are consistent.
* Per-agent and account-wide report endpoints (`/api/v1/agents/{id}/report` and `/api/v1/reports`) are on the May 30 production roadmap.

## Errors

| Status | Code                       | Meaning                                                                 |
| ------ | -------------------------- | ----------------------------------------------------------------------- |
| `401`  | `unauthenticated`          | Missing or invalid `masker_session` cookie                              |
| `404`  | `session_not_found`        | No session with this ID exists in your account                          |
| `500`  | `report_generation_failed` | PDF rendering failed; include the `request_id` when reporting the issue |
