Platform
ScaiWave ScaiGrid ScaiCore ScaiBot ScaiDrive ScaiKey Models Tools & Services
Solutions
Organisations Developers Internet Service Providers Managed Service Providers AI-in-a-Box
Resources
Support Documentation Blog Downloads
Company
About Research Careers Investment Opportunities Contact
Log in

Policies

Endpoint reference for access policies. For the guide, see Policies. For the model, see Policies and Permissions.

Base path: /v1/policies/

GET /v1/policies#

List policies.

Query: scope (tenant|partner), include_inactive, limit, cursor.

Response:

json
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
{
  "policies": [
    {
      "id": "pol_abc",
      "name": "production-read-only",
      "rule_count": 2,
      "binding_count": 5,
      "is_active": true,
      "created_at": "2026-01-01T00:00:00Z",
      "updated_at": "2026-01-15T00:00:00Z"
    }
  ],
  "cursor": null,
  "has_more": false
}

Scope: policies:read.

POST /v1/policies#

Create.

Body:

Field Type Required
name string Yes
description string No
rules array Yes
rules[].path_pattern string Yes
rules[].permissions array Yes
rules[].conditions object No
scope tenant|partner No, default tenant

Response 201 Created: full policy object.

Scope: policies:write.

GET /v1/policies/{id}#

Get one policy, including rules and bindings.

Scope: policies:read.

PUT /v1/policies/{id}#

Replace policy (rules + metadata). Bindings preserved.

Scope: policies:write.

PATCH /v1/policies/{id}#

Partial update (only provided fields).

Scope: policies:write.

DELETE /v1/policies/{id}#

Delete. Returns 409 policy_in_use if bindings exist. Add ?force=true to remove them.

Scope: policies:write.

GET /v1/policies/{id}/bindings#

List bindings for a policy.

Scope: policies:read.

POST /v1/policies/{id}/bindings#

Create binding.

Body:

Field Description
identity_type user, service_account, group
identity_id ScaiKey identity ID
expires_at Optional auto-expiry

Response 201 Created.

Scope: policies:write.

DELETE /v1/policies/{id}/bindings/{binding_id}#

Remove binding.

Scope: policies:write.

POST /v1/policies/test#

Dry-run access check. Does not write audit.

Body:

Field Description
identity_id Who to check
path Target path
permission read, write, delete, list, rotate, admin
context.source_ip For IP range conditions
context.mfa_verified For MFA conditions
context.timestamp For time-window conditions (defaults to now)

Response:

json
1
2
3
4
5
{
  "allowed": true,
  "matching_policies": [{"id": "pol_abc", "name": "...", "matching_rule_index": 0}],
  "evaluated_at": "2026-04-23T..."
}

On deny:

json
1
2
3
4
5
6
{
  "allowed": false,
  "reason": "condition_failed",
  "failed_condition": "require_mfa",
  "matching_rule": {"policy_id": "pol_abc", "rule_index": 0}
}

Scope: policies:read.

Permissions#

Permission What it allows
read Read values
write Create/update
delete Soft/hard delete
list Enumerate, read metadata
rotate Trigger rotation
admin All

Conditions#

Key Description
ip_ranges Array of CIDRs
require_mfa Boolean; token's MFA must be recent (< 15 min)
time_window.start / .end HH:MM UTC
Updated 2026-05-17 13:26:51 View source (.md) rev 2