Exclusion status, address clusters, name variants, enforcement-wave membership, award-to-debarment timing. One API call per vendor.
Before you team with, subcontract to, or buy parts from a US federal contractor, you probably want to check whether they're on the federal exclusion list and whether anything in the public record suggests caution. This page documents the patterns worth checking and the fields in the underlying SAM.gov data that drive them. Our API combines all seven checks into a single HTTP call per UEI, with normalization, address clustering, and name-variant matching already handled.
Who this page is for: anyone who needs to screen a federal vendor by UEI. Small govcon shops checking a teaming partner, proposal writers verifying a sub, compliance folks running occasional spot checks, journalists and researchers investigating a contractor.
What this page is NOT: a replacement for enterprise compliance tools like Sayari, D&B, or Refinitiv. Those products cover international entities, sanctions lists (OFAC, UN, EU), beneficial-ownership data, and adverse media that we don't. If your screening scope includes any of that, you need one of those. This page and our API cover the US federal exclusion layer only.
A UEI search on sam.gov answers one question: "is this specific entity debarred?" That's the minimum check. The patterns below go further and often surface things the single-UEI search misses, because debarment actions frequently apply to networks (address clusters, name variants, family groups) that the SDO describes with language like "this entity and all affiliated parties."
There are other things worth checking (OFAC/UN sanctions, international criminal records, adverse media) that this page does not cover. Those live in other datasets and other products. This page is specifically about the US federal exclusion layer.
Every signal our API returns is derived from fields already present in SAM.gov's public data. Knowing what the fields are helps you read the response and know what the data does and doesn't carry. Relevant fields, grouped by pattern:
Comes from SAM.gov exclusions records, which carry these fields:
uei_sam: the 12-character identifier. The primary key we look up.exclusion_type: e.g. "Ineligible (Proceedings Pending)", "Voluntary Exclusion", "Prohibition/Restriction". This describes the legal status of the exclusion, not the severity.excluding_agency_code, excluding_agency_name: which federal agency filed it (DLA, USN, GSA, HHS, etc.).create_date, activate_date, termination_date: when the record was entered, when it takes effect, when it expires. Gaps between these dates matter; we surface them.record_status: "Active" means the exclusion is current. Expired or terminated exclusions have this set to something else plus a termination_date.additional_comments: the agency's enforcement language (often the boilerplate "DLA SDO has proposed debarment for this entity and all affiliated parties" when the record is part of a coordinated wave).Uses the address fields on each exclusion record:
address_line1, city, state_or_province_code: the registered physical address. For US addresses all three populate; for international addresses (Singapore, Hong Kong, Ankara) state_or_province_code is often NULL or the string "null", which our clustering logic handles.Matching is done on lowered + trimmed values — SAM data has trailing whitespace on address_line1 and mixed case elsewhere, which are the kinds of edge cases that trip up ad-hoc screening.
Uses the entity_name field, but with legal-form suffixes stripped before matching:
entity_name: raw name as SAM stores it.state_or_province_code when available, to avoid cross-jurisdiction false positives.Comes from the same address fields as above, but filtered to records where classification_type = 'Individual'. The individual's name fields (first_name, middle_name, last_name) are surfaced for your records.
Uses:
create_date: when SAM recorded the exclusion. Same-day records are a strong grouping signal when combined with same agency.excluding_agency_code: groups must share the same agency to count as one coordinated action.We require at least 3 records per day-agency bucket to qualify as a "wave." Two-record groupings are usually a company plus one officer, which is normal enforcement and not a network signal.
Combines SAM exclusion data with SAM award-notice data (the opportunities index) on the same UEI:
award_date (from award notices): the most recent federal award recorded for this UEI.create_date (from exclusions): when the SAM exclusion record was created.cage_code on the entity record. Normally one per UEI; multiple distinct values can indicate a legitimately multi-facility vendor or a registration irregularity. CAGE data is sparsely populated in the public record, so absence of a dual-CAGE flag is not definitive.
Our backend pre-computes the joins, handles the data-quality edges (trailing whitespace, the string "null" in UEI fields, state-missing international addresses, normalized-name collision cases), and keeps the pg_trgm and composite indexes warm so per-request latency stays inside a couple hundred milliseconds. That's what the $39/mo subscription pays for: the data and the infrastructure already set up.
Single UEI:
curl -H "Authorization: Bearer $KEY" \
"https://govconapi.com/api/v1/vendor-risk/N2EDPB1SMN55"Bulk (up to 100 UEIs per request):
curl -X POST -H "Authorization: Bearer $KEY" \
-H "Content-Type: application/json" \
-d '{"ueis": ["N2EDPB1SMN55", "C1BVCA2N9YB4", "SH2ER4W6LH13"]}' \
"https://govconapi.com/api/v1/vendor-risk/bulk"Both return the full signal set plus a mechanical triage verdict (high / elevated / needs_review / clean / unknown) with the rules that fired. Part of our $39/mo Pro Bundle, same API key as the other endpoints. Full request / response shape in the API reference.
Is this UEI currently on the federal exclusion list? Returns the exclusion type (Ineligible (Proceedings Pending), Voluntary Exclusion, Prohibition/Restriction, etc.), the excluding agency, the activate_date, the create_date, and the record status. Direct match against the SAM.gov exclusions table; we ingest the full 163,000+ record dataset and keep it current.
How many other entities on the federal exclusion list share the target UEI's registered physical address? Example: the November 20, 2025 DLA action debarred seven SAM registrations at 2475 NW 38th St., Miami (Miami Cordage LLC plus six name variants). For a UEI at that address, this signal returns total_at_address: 7, excluded_at_address: 7 and lists the co-tenants. Addresses with more than 50 exclusion-listed tenants are flagged likely_registered_agent so registered-agent offices and mail drops don't produce misleading clusters.
Other federal-exclusion-listed entities whose normalized name matches this one. Normalization strips legal-form suffixes (LLC, Co., Inc., Company, Corp, Ltd, etc.) and collapses punctuation variants (& vs and, Co. vs Company). So "Miami Cordage, LLC" and "Miami Cordage Co., Inc." and "Miami Cordage Company, Inc." all reduce to the same normalized key. Generic single-word names ("Defense Solutions LLC") are deliberately skipped to avoid noise clusters; we require at least two non-stopword tokens in the normalized form.
Named individuals on the federal exclusion list whose registered address matches this entity's address. Surfaces cases where family members, corporate officers, or connected individuals have been debarred even though the queried entity itself hasn't. We don't claim these individuals are principals of the queried entity (the public record doesn't always tell us that); we report the address coincidence as the fact it is.
If the target is itself excluded, is it part of a same-day coordinated action by the same agency? The agency's own enforcement language ("DLA SDO HAS PROPOSED DEBARMENT FOR THIS ENTITY AND ALL AFFILIATED PARTIES") applies to the whole wave simultaneously. Between November 2025 and March 2026, the DLA Suspension and Debarment Official executed seven coordinated waves covering 83 entities. Being in one of those waves is itself information. We require at least three same-day same-agency exclusions to call a grouping a "wave."
Days between the target's most recent SAM.gov award notice and their exclusion create_date. Gaps of days or weeks (rather than months) indicate enforcement caught the vendor while they were still actively transacting. For Bella Mia Donna LLC, the gap was four days: last SAM award November 17, 2025; exclusion created November 21, 2025. Gaps near zero are the kind of finding that feeds directly into False Claims Act case evaluation.
Does the target UEI carry multiple CAGE codes in the SAM data? Normally a UEI maps to one primary CAGE code; multiple CAGEs can indicate legitimately multi-facility vendors or a registration irregularity. Descriptive signal; the buyer interprets. CAGE data is sparsely populated in the public record, so absence is not definitive.
The API also returns a triage object with a single category field. Rules are mechanical and documented here so you can read, disagree, or override:
Why signals, not a numeric score. A "Fraud Risk: 87/100" output sounds useful but creates two problems. First, it claims a predictive judgment about a named entity that we can't defend without a conviction or finding of fact, which is a defamation exposure. Second, it pushes the interpretation work onto us when the person doing the screening is better positioned to make the call. You know your own context (who the vendor is to you, what the contract is for, what you already know) and we don't. So we publish the facts (the signals) and a mechanical triage over those facts, and let you override.
This matches how the underlying agency data is organized: SAM.gov lists exclusions and their types; it doesn't rank them. We follow that pattern.
Three real cases from the November 2025 through March 2026 DLA Suspension and Debarment Official actions. Every UEI below is on the active federal exclusion list; every fact is verifiable on sam.gov and usaspending.gov in under a minute.
N2EDPB1SMN55)triage.category = high. Our API returns: in a 24-entity coordinated Broward County enforcement wave (wave_membership.wave_size: 24), last SAM award four days before exclusion (timing_gap.days_between: 4), 478 total federal awards across 2021-2025 totaling $3.44M per USASpending. Looking up this UEI today gets you the full picture in one call.
C1BVCA2N9YB4)address_cluster.total_at_address: 7, address_cluster.excluded_at_address: 7. Six of the seven have name variants on "Miami Cordage" or "Florida Wire & Rigging" (name_variant_cluster.match_count: 4). Part of an 11-entity coordinated wave. The parent entity has $18.2M of USASpending history including a $6.48M Navy IDIQ awarded 56 days before debarment.
GXEJM5W26WQ5)likely_registered_agent because 50 exclusion-listed tenants share it. This is how the API handles mail-drop style addresses: we don't generate false "this vendor is clustered with 49 bad actors" signals when the address is really a registered-agent office.
See our USASpending API guide for how the contract-dollar figures above are sourced; see the federal contractor research guide for how we reconcile SAM.gov entity registrations with USASpending award history.
The patterns on this page and our API cover one specific thing: the US federal exclusion layer, plus clustering signals over that data. Things this does NOT cover:
In short: if you need broader or deeper coverage than "is this US federal vendor debarred, and are there any red-flag patterns in the public record around them," use the enterprise tools made for that. This page and our API exist for people whose screening need fits inside those boundaries.
Vendor Risk Intelligence is included in the Pro Bundle ($39/month) along with Company Intelligence, unlimited GovCon Contacts, and MCP access for Claude and Cursor. Same Authorization: Bearer <key> header as the rest of the API. Rate limits: 1,000 requests per hour (per key) plus a 60/minute burst cap (per IP). 100-UEI bulk calls count as 100 hourly-quota hits.
No separate tier, no per-lookup fees. If you need volume beyond the Pro Bundle limits or a white-label / redistribution arrangement, email us. Most normal use (occasional screening, teaming checks, or a few hundred lookups a month) fits comfortably inside Pro Bundle limits.
Why do you say signals instead of risk scores?
Because a score is a judgment. Saying "Vendor X has Risk 87/100" makes a claim about the entity that we can't defend without a finding of fact. Listing the signals ("entity is on the exclusion list; 24 co-tenants at the same address are also excluded") is describing the public record, which we can defend and you can act on.
How fresh is the data?
SAM.gov opportunities are refreshed daily via a 48-hour rolling delta sync. SAM.gov exclusions are refreshed weekly from the bulk CSV.
What happens if SAM.gov adds a new exclusion type we don't recognize?
We pass through whatever exclusion_type string SAM reports. The triage engine considers any record_status = 'Active' exclusion as grounds for the high verdict regardless of type. New exclusion types don't break the API.
Can I screen against OFAC or UN sanctions too?
Not via this API. OFAC's SDN list is a separate dataset with a different legal framework (foreign policy sanctions, not federal contracting eligibility). OFAC publishes the list free at sanctionssearch.ofac.treas.gov; integrate it yourself if you need sanctions coverage alongside federal contracting risk.
What's the difference between "Ineligible (Proceedings Pending)" and "Voluntary Exclusion"?
Proceedings Pending: active legal or administrative proceedings are underway. The entity is barred until resolved. Voluntary Exclusion: the entity accepted an administrative settlement in lieu of contested debarment. Both are recorded in SAM and treated as active exclusions for contracting purposes. The triage verdict doesn't distinguish between them; the signals.exclusion_status.exclusion_type field preserves the original classification for your compliance records.
What about debarments that were overturned or expired?
Expired or terminated exclusions have record_status != 'Active' and termination_date populated. The triage engine treats only active records as the basis for the high verdict. Historical (terminated) exclusions are returned in the response so you can see the full history.
How do I audit your triage rules?
Everything is in this page's triage section, plus the triage.reasons field in every response tells you exactly which rules fired. No hidden weights, no ML. If you disagree with a verdict, the signals field has the underlying data for you to interpret directly.
Can I get a free trial?
Yes. The Free tier (25 requests/day, no auth required on some endpoints) lets you hit the vendor-risk API for a handful of UEIs. For any real usage, Pro Bundle at $39/month is the answer.
Is there a GUI / web lookup tool, or only the API?
Both. The free web lookup at /vendor-risk takes a UEI and returns the same triage + 7 signals as the API, in a readable layout. Use it for one-off checks. Use the API when you want to bulk-screen a vendor list, integrate into a procurement workflow, or pull reports into your own dashboard.
Can I use this data commercially / redistribute it?
For internal compliance, screening, and vetting: yes, the Pro Bundle license covers it. For redistribution (reselling the data as part of a commercial product), contact us for a custom arrangement. Everything we surface is derived from public federal records; our pricing is for the aggregation, normalization, triage, and serving layer.
Ready to try it? Pro Bundle is $39/month. Or read the full API reference. Questions about fit: [email protected].
Last updated: April 2026 · API reference · Researching a federal contractor · USASpending API guide