Policies API
The Policies API allows you to create, update, and manage permission policies that control how permission requests are handled.
Endpoints
- GET /v1/policies - List all policies
- POST /v1/policies - Create a new policy
- GET /v1/policies/:id - Get a policy
- PUT /v1/policies/:id - Update a policy
- DELETE /v1/policies/:id - Delete a policy
List Policies
Get all policies for your account.
Request
GET /v1/policies?agent_id=agent_xxxx&active=true
Authorization: Bearer ak_live_xxxx
Query Parameters
| Parameter | Type | Description |
|---|---|---|
| agent_id | string | Filter by agent ID |
| active | boolean | Filter by active status |
| limit | number | Results per page (default: 20, max: 100) |
| cursor | string | Pagination cursor |
Response
{
  "data": [
    {
      "id": "pol_xxxxxxxxxxxx",
      "name": "Auto-approve file reads",
      "description": "Automatically approve small file read operations",
      "agent_id": null,
      "priority": 10,
      "conditions": {
        "action": { "equals": "file.read" },
        "scope.max_size": { "less_than": 1048576 }
      },
      "action": "auto_approve",
      "scope_template": {
        "max_size": 1048576
      },
      "is_active": true,
      "created_at": "2026-01-15T10:00:00Z",
      "updated_at": "2026-01-15T10:00:00Z"
    }
  ],
  "has_more": false,
  "next_cursor": null
}
Create Policy
Create a new permission policy.
Request
POST /v1/policies
Content-Type: application/json
Authorization: Bearer ak_live_xxxx
Body Parameters
| Field | Type | Required | Description |
|---|---|---|---|
| name | string | Yes | Human-readable policy name |
| description | string | No | Policy description |
| agent_id | string | No | Apply to specific agent (null = all) |
| priority | number | No | Evaluation order (higher = first) |
| conditions | object | Yes | Matching conditions |
| action | string | Yes | auto_approve, require_approval, or deny |
| scope_template | object | No | Default scope to apply |
Example Request
{
  "name": "Auto-approve internal emails",
  "description": "Auto-approve emails to company domain",
  "priority": 50,
  "conditions": {
    "action": { "equals": "email.send" },
    "context.recipient": { "matches": ".*@mycompany\\.com$" }
  },
  "action": "auto_approve",
  "scope_template": {
    "max_emails": 5,
    "ttl": 600
  }
}
Response
{
  "id": "pol_xxxxxxxxxxxx",
  "name": "Auto-approve internal emails",
  "description": "Auto-approve emails to company domain",
  "agent_id": null,
  "priority": 50,
  "conditions": {
    "action": { "equals": "email.send" },
    "context.recipient": { "matches": ".*@mycompany\\.com$" }
  },
  "action": "auto_approve",
  "scope_template": {
    "max_emails": 5,
    "ttl": 600
  },
  "is_active": true,
  "created_at": "2026-01-28T12:00:00Z",
  "updated_at": "2026-01-28T12:00:00Z"
}
Condition Operators
Policies support various condition operators:
| Operator | Description | Example |
|---|---|---|
| equals | Exact match | {"equals": "file.read"} |
| not_equals | Not equal | {"not_equals": "admin"} |
| starts_with | String prefix | {"starts_with": "file."} |
| ends_with | String suffix | {"ends_with": ".csv"} |
| matches | Regex match | {"matches": "^Invoice #\\d+$"} |
| less_than | Numeric comparison | {"less_than": 1048576} |
| greater_than | Numeric comparison | {"greater_than": 0} |
| in | Value in list | {"in": ["a", "b"]} |
| not_in | Value not in list | {"not_in": ["admin"]} |
Update Policy
PUT /v1/policies/:id
Content-Type: application/json
Authorization: Bearer ak_live_xxxx

{
  "name": "Updated policy name",
  "is_active": false
}
Delete Policy
DELETE /v1/policies/:id
Authorization: Bearer ak_live_xxxx
Policy Evaluation Order
When a permission request is received, policies are evaluated in order:
- Policies are sorted by priority (highest first)
- Agent-specific policies are evaluated before global policies
- First matching policy determines the action
- If no policy matches, the request requires manual approval
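The following is an added example, not part of the original documentation or the service's own code: a local dry-run of the condition operators and evaluation order described above, for checking which requests an auto_approve policy would accept before you create it. The request shape (`agent_id`, `action`, nested `context`), the regex flavor, the handling of missing fields, and the tie-break between priority and agent-specific policies are assumptions; `pol_deny` is a hypothetical policy.

```python
import re
# Operators from the Condition Operators table. Assumed here: "matches" acts like
# re.search, and a condition on a field the request lacks never matches.
OPS = {
    "equals": lambda v, x: v == x,
    "not_equals": lambda v, x: v != x,
    "starts_with": lambda v, x: str(v).startswith(x),
    "ends_with": lambda v, x: str(v).endswith(x),
    "matches": lambda v, x: re.search(x, str(v)) is not None,
    "less_than": lambda v, x: isinstance(v, (int, float)) and v < x,
    "greater_than": lambda v, x: isinstance(v, (int, float)) and v > x,
    "in": lambda v, x: v in x,
    "not_in": lambda v, x: v not in x,
}
MISSING = object()

def lookup(request, dotted):  # resolve a dotted key such as "context.recipient"
    for part in dotted.split("."):
        request = request.get(part, MISSING) if isinstance(request, dict) else MISSING
    return request

def policy_matches(policy, request):
    for field, tests in policy["conditions"].items():
        value = lookup(request, field)
        if value is MISSING or not all(OPS[op](value, a) for op, a in tests.items()):
            return False
    return True

def decide(policies, request):
    """Return (action, policy id) following the documented evaluation order."""
    live = [p for p in policies if p.get("is_active", True)
            and p.get("agent_id") in (None, request.get("agent_id"))]
    # Highest priority first; on equal priority, agent-specific before global (assumed).
    live.sort(key=lambda p: (-p.get("priority", 0), p.get("agent_id") is None))
    for p in live:
        if policy_matches(p, request):
            return p["action"], p["id"]
    return "require_approval", None  # no policy matched: manual approval

# Constructed data: the email policy from this page plus a hypothetical agent-specific deny.
POLICIES = [
    {"id": "pol_email", "agent_id": None, "priority": 50, "action": "auto_approve",
     "conditions": {"action": {"equals": "email.send"},
                    "context.recipient": {"matches": ".*@mycompany\\.com$"}}},
    {"id": "pol_deny", "agent_id": "agent_b", "priority": 50, "action": "deny",
     "conditions": {"action": {"starts_with": "email."}}},
]
print(decide(POLICIES, {"agent_id": "agent_a", "action": "email.send",
                        "context": {"recipient": "bob@mycompany.com"}}))
```

Running candidate policies against requests that should not be auto-approved (a recipient outside the domain, a request with no recipient at all) shows whether they fall through to manual approval as intended.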