Overview
One endpoint that turns a fragmented, multi-tier defence supplier network into a single, queryable, auditable procurement picture. The Defence Supply Chain GraphQL API aggregates five physical domains - supplier roster, tier-N buyer and seller graph, certificate lifecycle, corrective and preventive action records, and waiver governance - into one coherent surface that prime contractors and procurement agencies can interrogate and act on without leaving the Argus platform.
Defence procurement teams routinely manage thousands of subcontractors spread across many tiers, each holding accreditations that expire, raising findings that need corrective action, and contributing content that must satisfy origin rules. Stitching this together across separate spreadsheets and a bolt-on quality-management system is slow, error-prone, and impossible to audit. This capability replaces that patchwork with a typed, role-gated API that answers a procurement question and lets an authorised user act on the answer in the same workflow.
The result is verifiable assurance at the point of decision. A programme office can confirm that every subcontractor on a milestone holds a current accreditation, raise a finding against one that does not, and prove EU-content compliance for a funded programme, all through standards-aligned operations with a complete four-eyes approval trail.
Key Features
- Unified supplier roster: Every supplier carries its CAGE Code, D-U-N-S Number, and NATO supplier code alongside capability codes, prime or subcontractor status, country of registration, and EDIP eligibility, so a single record answers both commercial and compliance questions.
- Tier-N buyer and seller graph: Upstream and downstream traversal walks the full multi-tier network from any node, with per-programme tier-coverage statistics counting tier one, tier two, tier three, deeper, and onboarded relationships against the programme total.
- Certificate lifecycle tracking: Accreditations such as AS9100D, NADCAP, and ISO 27001 are tracked from issue to expiry, with automatic 90-day and 30-day expiry warnings and a dedicated lookup for certificates lapsing within a chosen window.
- CAPA lifecycle management: Corrective and preventive action records move through defined status transitions, capture root cause and closure evidence, and can optionally auto-disqualify a supplier whose action is opened against an overdue or critical finding.
- Four-eyes waiver governance: A request, approve, reject, and revoke workflow separates the requester from the approver, with approval, rejection, and revocation reserved for administrators so no single user can waive a programme requirement alone.
- Read-only EDIP origin rollup: A per-supplier, per-programme view surfaces EU-origin, NATO-origin, and third-country content percentages with reporting period and total value, giving an at-a-glance origin-content position for funded programmes.
- Tenant scoping and role gates: Every operation is scoped to the caller's organisation and gated by RBAC roles, with reads open to authenticated users, operational writes requiring manager and above, and governance actions requiring administrator authorisation.
- Live subscriptions with re-authentication: Composite risk score changes, certificate-expiry events, and CAPA updates are pushed in real time through subscriptions that re-validate the caller's organisation context on a fixed interval and close the stream if it disappears.
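As an added illustration of the certificate-lifecycle behaviour listed above (example code written for this page, not Argus code), the following classifies each certificate against the 90-day and 30-day warnings, answers the "certificates lapsing within a chosen window" lookup, and lists suppliers on a milestone that lack a current accreditation; the Certificate fields, function names and sample records are assumptions.

```python
from dataclasses import dataclass
from datetime import date

WARNING_DAYS = (90, 30)  # warning thresholds in days before expiry

@dataclass
class Certificate:
    supplier_id: str
    cert_type: str  # e.g. "AS9100D", "NADCAP", "ISO 27001"
    issued: date
    expires: date
    revoked: bool = False

# Constructed sample records, not real suppliers or certificates.
AS_OF = date(2026, 6, 3)
SAMPLE_CERTS = [
    Certificate("SUP-001", "AS9100D", date(2023, 7, 1), date(2026, 7, 1)),    # 28 days left
    Certificate("SUP-002", "NADCAP", date(2024, 1, 15), date(2026, 8, 20)),   # 78 days left
    Certificate("SUP-003", "AS9100D", date(2023, 5, 1), date(2026, 5, 1)),    # already lapsed
    Certificate("SUP-004", "AS9100D", date(2025, 1, 1), date(2028, 1, 1), revoked=True),
    Certificate("SUP-005", "ISO 27001", date(2025, 3, 1), date(2028, 3, 1)),  # current
]

def days_remaining(cert: Certificate, as_of: date) -> int:
    return (cert.expires - as_of).days

def warning_level(cert: Certificate, as_of: date) -> str:
    """Return 'revoked', 'expired', '30-day', '90-day' or 'current'."""
    if cert.revoked:
        return "revoked"  # revocation overrides any expiry state
    left = days_remaining(cert, as_of)
    if left < 0:
        return "expired"
    for threshold in sorted(WARNING_DAYS):  # the tightest matching window wins
        if left <= threshold:
            return f"{threshold}-day"
    return "current"

def expiring_within(certs, window_days: int, as_of: date) -> list:
    """Still-valid certificates lapsing within the window, soonest first.
    Revoked and already-expired certificates need a different action and are excluded."""
    live = [c for c in certs if not c.revoked and 0 <= days_remaining(c, as_of) <= window_days]
    return sorted(live, key=lambda c: c.expires)

def suppliers_lacking(certs, supplier_ids, required_type: str, as_of: date) -> list:
    """Supplier ids on a milestone with no current (unrevoked, unexpired) certificate of the type."""
    covered = {c.supplier_id for c in certs if c.cert_type == required_type
               and not c.revoked and days_remaining(c, as_of) >= 0}
    return sorted(set(supplier_ids) - covered)
```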
Use Cases
Defence Prime Contractors
Primes managing deep subcontractor networks can traverse the full tier graph from any node, confirm that every supplier on an upcoming milestone holds a current AS9100D or NADCAP accreditation before authorising payment, and raise a corrective action the moment a finding appears - with optional automatic disqualification of any supplier whose action lapses.
National Procurement Agencies
Agencies running competitions and framework agreements can verify supplier identity through CAGE Code and D-U-N-S Number, monitor accreditation health across an entire vendor base, and maintain a defensible, auditable record of every waiver granted against a published requirement.
Government Programme Offices
Programme offices supervising funded work can prove EDIP Article 10 EU-content compliance from the origin rollup, watch composite risk scores and certificate expiries move in real time through subscriptions, and hold a complete four-eyes trail for any exception they authorise.
Quality and Compliance Teams
Quality teams can run the corrective and preventive action lifecycle directly against supplier and certificate records, attach closure evidence to each transition, and surface accreditations expiring within a chosen window so renewals are actioned well before lapse.
Integration
The capability is exposed as a single Strawberry GraphQL surface combining typed reads, state-changing writes, and polling subscriptions, so a customer plugs one strongly-typed endpoint into existing tooling rather than wiring up several disparate systems. Reads cover suppliers, tier graphs, tier-coverage statistics, certificates, certificates expiring within a window, corrective and preventive actions, waivers, and the EDIP origin rollup. Writes cover supplier create and update, disqualification, soft delete, tier-edge add and remove, certificate issue and revoke, CAPA open and status transition, and the full waiver request, approve, reject, and revoke flow.
- GraphQL endpoint: A coherent, typed schema with a camelCase wire shape so client-side code generation and front-end consumers bind directly to a stable contract, removing hand-written serialisation and reducing breakage when fields evolve.
- OAuth2 and JWT: Every operation is authenticated and tenant-scoped, with role gates enforced per operation, so a customer reuses their existing identity provider and inherits least-privilege access without building a separate authorisation layer.
- Polling subscriptions: Score, certificate-expiry, and CAPA streams deliver near-real-time change notifications over the same endpoint with periodic re-authentication, letting dashboards and alerting react to supplier risk movement without bespoke polling logic.
- Normalised supplier model: CAGE Code, D-U-N-S Number, and NATO supplier code are first-class fields on every supplier, so records reconcile cleanly against external registries and partner systems without custom mapping.
- Connector-friendly structure: Because certificate, CAPA, and waiver state live behind the same endpoint, customers retire a separate quality-management integration and consume assurance data through one consistent interface, lowering integration cost and audit overhead.
Open Standards
- AS9100D: SAE and IAQG aerospace quality management system standard; tracked as a certificate type with full issue, expiry, and warning lifecycle.
- NADCAP: National Aerospace and Defense Contractors Accreditation Program; tracked as a certificate type so special-process accreditations are verified before milestone sign-off.
- ISO/IEC 27001: International information security management system standard; tracked as a supplier certificate type alongside aerospace accreditations.
- EDIP Article 10: European Defence Industry Programme origin-content rules; implemented as a read-only per-supplier per-programme rollup of EU-origin, NATO-origin, and third-country percentages.
- CAGE Code: NATO and DoD Commercial and Government Entity identification; carried as a first-class supplier identifier for registry reconciliation.
- D-U-N-S Number: Global supplier identification number; carried as a first-class supplier identifier alongside the CAGE Code.
- ISO 9001 CAPA: The corrective and preventive action lifecycle from the ISO 9001 quality management family; implemented as a status-driven CAPA workflow with optional auto-disqualification.
Security and Compliance
All operations are scoped to the caller's organisation, with cross-tenant access refused before any data is read. Role gates apply per operation: reads require an authenticated user, operational writes require the manager role or higher, and governance actions - soft delete, certificate revocation, and waiver approve, reject, and revoke - require the administrator role. Classification-level guards ensure callers see only suppliers and records at or below their clearance.
The waiver workflow enforces four-eyes control by design, separating the user who requests a waiver from the administrator who approves, rejects, or revokes it, and recording requester, approver, timestamps, and revocation reason to produce an auditable exception trail suitable for EDF and PESCO programme governance. Live subscriptions re-authenticate the caller on a fixed interval and close automatically if the organisation context is lost, preventing stale streams from leaking data after a session changes.
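The tenant-scope, role-gate and four-eyes checks described here and in the waiver bullet under Key Features, as an added example (not Argus code): a policy layer a waiver resolver would call before mutating state; the Role ordering, operation names, state names and audit record shape are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import IntEnum

class Role(IntEnum):  # ordered so "manager and above" is a plain comparison
    USER = 1
    MANAGER = 2
    ADMIN = 3

# Minimum role per operation: request is an operational write, the rest are governance.
MIN_ROLE = {"request": Role.MANAGER, "approve": Role.ADMIN,
            "reject": Role.ADMIN, "revoke": Role.ADMIN}
NEXT_STATE = {"approve": "APPROVED", "reject": "REJECTED", "revoke": "REVOKED"}
ALLOWED_FROM = {"approve": {"PENDING"}, "reject": {"PENDING"}, "revoke": {"APPROVED"}}

@dataclass
class Caller:
    user_id: str
    org_id: str
    role: Role

@dataclass
class Waiver:
    org_id: str
    requester_id: str
    status: str = "PENDING"
    audit: list = field(default_factory=list)  # the auditable exception trail

class Denied(Exception): pass

def authorise(caller: Caller, op: str, waiver: Waiver) -> None:
    # Tenant scope is refused first, before any other field of the record is read.
    if caller.org_id != waiver.org_id:
        raise Denied("cross-tenant access refused")
    if caller.role < MIN_ROLE[op]:
        raise Denied(f"{op} requires {MIN_ROLE[op].name}")
    # Four-eyes: the user who requested the waiver can never decide on it.
    if op != "request" and caller.user_id == waiver.requester_id:
        raise Denied("four-eyes: requester cannot decide own waiver")

def decide(caller: Caller, waiver: Waiver, op: str, reason: str = "") -> Waiver:
    authorise(caller, op, waiver)  # every policy check passes before any state changes
    if waiver.status not in ALLOWED_FROM[op]:
        raise Denied(f"cannot {op} a waiver in state {waiver.status}")
    if op == "revoke" and not reason:
        raise Denied("revocation requires a recorded reason")
    waiver.status = NEXT_STATE[op]
    waiver.audit.append({"op": op, "by": caller.user_id, "requester": waiver.requester_id,
                         "at": datetime.now(timezone.utc).isoformat(), "reason": reason})
    return waiver
```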
Last Reviewed: 2026-06-01
Last Updated: 2026-06-03