The API Submission Protocol is the standardized technical interface enabling automated, machine-to-machine submission of registration data and technical documentation directly to the EU compliance database. It defines the RESTful endpoints, authentication mechanisms, and payload schemas required for providers to programmatically register high-risk AI systems without manual portal interaction.
Glossary
API Submission Protocol

What is API Submission Protocol?
The API Submission Protocol defines the standardized technical interface enabling automated, machine-to-machine submission of registration data and technical documentation directly to the EU compliance database.
This protocol ensures cryptographic integrity and non-repudiation of submissions through digital signatures, linking each payload to a specific Authorized Representative Mandate. It supports bulk operations for large portfolios and returns a Unique Registration ID upon successful validation, enabling seamless integration with continuous compliance monitoring and Digital Product Passport generation pipelines.
Core Characteristics of the API Submission Protocol
The API Submission Protocol defines the standardized technical interface enabling automated, machine-to-machine submission of registration data and technical documentation directly to the EU compliance database.
RESTful Architecture
The protocol is built on REST (Representational State Transfer) principles, using standard HTTP methods for resource manipulation. POST requests submit new registrations, PUT updates existing entries, and GET retrieves submission status. All endpoints return standard HTTP status codes (201 Created, 422 Unprocessable Entity) for predictable error handling. The API uses JSON as its primary data interchange format, with endpoints structured around logical resources like /registrations, /technical-documentation, and /conformity-assessments.
Authentication & Authorization
Access is secured through OAuth 2.1 with mutual TLS (mTLS) for transport-layer security. Providers must register an application and obtain scoped access tokens. Key authorization flows include:
- Client Credentials Grant: For automated server-to-server submissions
- Scoped Permissions: Granular roles like
registration:write,documentation:upload, andstatus:read - Digital Certificates: eIDAS-compliant Qualified Website Authentication Certificates (QWACs) bind the API client to a verified legal entity All requests are non-repudiable through cryptographic signing, creating an immutable audit trail of submission activity.
Payload Structure & Validation
Submission payloads conform to a JSON Schema defined by the European Commission, ensuring structural consistency. The schema enforces:
- Required Fields: Unique Registration ID, Intended Purpose Declaration, and Risk Classification
- Conditional Logic: Fields that become mandatory based on prior answers (e.g., Notified Body ID required only if conformity assessment type is 'third-party')
- Format Constraints: Regex patterns for identifiers, ISO 8601 date formats, and controlled vocabularies for enumerations like
risk_levelReal-time validation returns detailed error objects with JSON Pointer references (RFC 6901) to the exact invalid field, enabling automated correction loops.
Asynchronous Processing
Registration submissions are processed asynchronously to handle large technical documentation files and complex validation workflows. The protocol implements:
- 202 Accepted Responses: Immediate acknowledgment with a
Locationheader pointing to a status endpoint - Webhook Callbacks: Registered URLs receive POST notifications on status changes (
submission.validated,submission.rejected) - Polling with Exponential Backoff: Clients can query
/submissions/{id}/statuswith recommended retry intervals This decouples submission from processing, preventing timeouts when uploading multi-gigabyte Technical Documentation Files.
Bulk & Batch Operations
For providers managing large portfolios of AI systems, the protocol supports bulk registration through a dedicated /batch endpoint. Capabilities include:
- Multipart Uploads: Submitting arrays of registration objects in a single request
- CSV Ingestion: Accepting structured spreadsheets for legacy system migration during the grace period
- Transaction Boundaries: Atomic processing where all registrations in a batch succeed or fail together, preventing partial compliance states
- Rate Limiting: Tiered quotas communicated via
X-RateLimit-Remainingheaders, with 429 responses triggering backoff Batch operations are critical for enterprises registering hundreds of embedded AI components simultaneously.
Idempotency & Conflict Resolution
The protocol enforces idempotency to prevent duplicate registrations from network retries. Each submission request includes an Idempotency-Key header—a client-generated UUID. The server stores the key with the response for a defined window (typically 24 hours). Subsequent requests with the same key return the original response without re-processing. For legitimate updates, the protocol uses optimistic concurrency control via ETags: clients must send an If-Match header with the current version hash to update a registration, preventing lost updates when multiple systems modify the same record.
Frequently Asked Questions
Technical answers to common questions regarding the machine-to-machine interface for submitting high-risk AI system registration data to the EU compliance database.
The API Submission Protocol is the standardized technical interface enabling automated, machine-to-machine submission of registration data and technical documentation directly to the EU compliance database. It defines a set of RESTful endpoints, authentication mechanisms, and data schemas that allow providers and their authorized representatives to programmatically register high-risk AI systems, submit Technical Documentation Files, and update post-market monitoring records without manual portal interaction. The protocol ensures that submissions are validated against the EU AI Act's essential requirements before acceptance, returning a Unique Registration ID upon successful processing.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
The API Submission Protocol does not operate in isolation. It is the technical conduit linking a high-risk AI system's Technical Documentation File to the EU AI Act Database. Understanding the following related terms is essential for engineering a compliant, automated registration pipeline.
EU AI Act Database
The centralized European Commission repository serving as the single destination for all API submissions. It stores the Unique Registration ID, technical documentation, and conformity status for every high-risk system placed on the Union market. The database exposes programmatic endpoints for automated machine-to-machine registration, query, and update operations.
Technical Documentation File
The comprehensive dossier that constitutes the primary payload of an API submission. It must contain:
- System architecture and design specifications
- Risk management protocols and residual risk disclosure
- Training data provenance records
- Model card evaluation results
- Intended purpose declaration
The API protocol defines the structured schema for transmitting this file as machine-readable JSON or XML.
Unique Registration ID
An alphanumeric identifier assigned synchronously by the EU database upon successful API submission. This ID becomes the primary key for all subsequent compliance operations, including Post-Market Monitoring data uploads, Incident Reporting Linkage, and Market Withdrawal Notification. The API response object must parse and persist this identifier within the provider's internal Quality Management System.
Conformity Assessment
The mandatory verification process that must be completed before an API submission can be accepted. The protocol requires the digital signature of the Declaration of Conformity and, where applicable, the Notified Body certificate reference. The API validates the cryptographic integrity of these attestations against the issuing authority's public key infrastructure.
Authorized Representative Mandate
For non-EU providers, the API submission must include a verified Authorized Representative identifier. This natural or legal person established within the Union serves as the legal point of contact. The protocol enforces a validation step that cross-references the representative's registration number with the member state's National Competent Authority directory before accepting the submission.
Substantial Modification Trigger
A change to the AI system's intended purpose or performance characteristics that invalidates the existing registration. The API protocol supports a re-submission workflow that links the new Unique Registration ID to the legacy identifier, maintaining an auditable lineage. The submission schema includes a mandatory boolean flag indicating whether the filing is an initial registration or a modification-triggered re-assessment.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us