API Reference

Policy Sets

List policy sets in a zone
client.Zones.PolicySets.List(ctx, zoneID, params) (*ZonePolicySetListResponse, error)
GET /zones/{zone_id}/policy-sets
Create a new policy set
client.Zones.PolicySets.New(ctx, zoneID, params) (*PolicySetWithBinding, error)
POST /zones/{zone_id}/policy-sets
Get a policy set by ID
client.Zones.PolicySets.Get(ctx, policySetID, params) (*PolicySetWithBinding, error)
GET /zones/{zone_id}/policy-sets/{policy_set_id}
Update a policy set
client.Zones.PolicySets.Update(ctx, policySetID, params) (*PolicySetWithBinding, error)
PATCH /zones/{zone_id}/policy-sets/{policy_set_id}
Archive a policy set
client.Zones.PolicySets.Archive(ctx, policySetID, params) (*PolicySetWithBinding, error)
DELETE /zones/{zone_id}/policy-sets/{policy_set_id}
Models
type Attestation struct{…}

JWS Flattened JSON Serialization (RFC 7515 §7.2.2) of a policy set attestation. The protected header carries the signing algorithm and key identifier; the payload is a base64url-encoded AttestationStatement canonicalized per RFC 8785 (JCS). Verify using the zone JWKS endpoint (RFC 7517). Currently signed with RS256; future zone key types (e.g. EdDSA) will be indicated by the "alg" header — no envelope changes required.

Payload string

Base64url-encoded AttestationStatement (RFC 7515 §3). Decode to inspect the attestation content. The payload is the RFC 8785 canonical form of the statement JSON; together with the protected header it forms the JWS Signing Input.

Protected string

Base64url-encoded JWS protected header (RFC 7515 §4). Contains at minimum "alg" (signing algorithm — currently RS256, will migrate to EdDSA) and "kid" (signing key identifier resolvable via the zone JWKS endpoint).

Signature string

Base64url-encoded digital signature computed over the JWS Signing Input (ASCII(protected) || '.' || payload) per RFC 7515 §5.1.

type AttestationStatement struct{…}

Decoded content of an Attestation JWS payload. Describes the exact policy set version composition at attestation time. This schema defines what consumers see after base64url-decoding the Attestation.payload field.

AttestedAt Time (format: date-time)
AttestedBy string

Snapshot of the policy set manifest at attestation time. Each entry pins a policy version by ID and content SHA.

PolicyID string
PolicyVersionID string
Sha string (optional)

SHA-256 of the policy version content, populated by the server

ManifestSha string

SHA-256 of the policy set version manifest. Verifiers MUST check this matches the policy_set_version.manifest_sha to detect attestation/version mismatches.

PolicySetID string
PolicySetVersion int64
Status AttestationStatementStatus

Event that produced this attestation. "committed" is the initial attestation at version creation; "re_signed" is a re-attestation after key rotation (same content, new signature).

Accepts one of the following:
const AttestationStatementStatusCommitted AttestationStatementStatus = "committed"
const AttestationStatementStatusReSigned AttestationStatementStatus = "re_signed"
Type AttestationStatementType

Statement type discriminator

V int64

Statement schema version

ZoneID string
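As an added example (not the SDK's or Keycard's own code), a Go verifier for the Attestation envelope and the AttestationStatement check described above: it pins alg to RS256, resolves kid against a local map standing in for the zone JWKS endpoint, verifies the signature over the RFC 7515 §5.1 Signing Input, and only then compares the statement's manifest_sha with the policy set version's ManifestSha. The JSON member names, the SignAttestation stand-in and its throwaway zoneKey are assumptions made for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
)
var b64 = base64.RawURLEncoding // JWS members are unpadded base64url (RFC 7515)
var zoneKey, _ = rsa.GenerateKey(rand.Reader, 2048) // throwaway stand-in for the zone signing key (constructed)

// Attestation mirrors the page's Flattened JWS envelope; AttestationStatement keeps only the fields read here (JSON names assumed).
type Attestation struct{ Protected, Payload, Signature string }
type AttestationStatement struct {
	ManifestSha      string `json:"manifest_sha"`
	PolicySetVersion int64  `json:"policy_set_version"`
}

// VerifyAttestation pins alg to RS256, resolves kid in keys (a stand-in for the zone JWKS), checks the signature over
// ASCII(protected) || '.' || payload (RFC 7515 §5.1), then parses the statement and enforces the page's manifest_sha MUST.
func VerifyAttestation(a Attestation, keys map[string]*rsa.PublicKey, versionManifestSha string) (*AttestationStatement, error) {
	hdrJSON, err := b64.DecodeString(a.Protected)
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if err != nil || json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("protected header rejected: the verifier, not the token, picks the algorithm")
	}
	sig, err := b64.DecodeString(a.Signature)
	digest := sha256.Sum256([]byte(a.Protected + "." + a.Payload))
	if pub := keys[hdr.Kid]; err != nil || pub == nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature rejected for kid " + hdr.Kid)
	}
	body, err := b64.DecodeString(a.Payload) // the payload is trusted only after the signature passed
	var st AttestationStatement
	if err != nil || json.Unmarshal(body, &st) != nil || st.ManifestSha != versionManifestSha {
		return nil, errors.New("statement does not cover this policy set version's manifest_sha")
	}
	return &st, nil
}

// SignAttestation is a constructed stand-in for the zone signer (plain json.Marshal; the real service canonicalizes per RFC 8785).
func SignAttestation(st AttestationStatement, kid string) (Attestation, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(st)
	a := Attestation{Protected: b64.EncodeToString(hdr), Payload: b64.EncodeToString(body)}
	digest := sha256.Sum256([]byte(a.Protected + "." + a.Payload))
	sig, err := rsa.SignPKCS1v15(rand.Reader, zoneKey, crypto.SHA256, digest[:])
	a.Signature = b64.EncodeToString(sig)
	return a, err
}
```

A production verifier would fetch the key for kid from the zone JWKS endpoint (RFC 7517) and compare against PolicySetVersion.ManifestSha of the version it is about to activate.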
type PolicySet struct{…}
ID string
CreatedAt Time (format: date-time)
CreatedBy string
Name string
OwnerType PolicySetOwnerType

Who manages this policy set:

  • "platform" — managed by the Keycard platform (system policies).
  • "customer" — managed by the tenant (custom policies).
Accepts one of the following:
const PolicySetOwnerTypePlatform PolicySetOwnerType = "platform"
const PolicySetOwnerTypeCustomer PolicySetOwnerType = "customer"
ScopeType PolicySetScopeType

The scope at which this policy set applies:

  • "zone" — applies to all requests in the zone.
  • "resource" — scoped to a specific resource.
  • "user" — scoped to a specific user.
  • "session" — scoped to a specific session.
Accepts one of the following:
const PolicySetScopeTypeZone PolicySetScopeType = "zone"
const PolicySetScopeTypeResource PolicySetScopeType = "resource"
const PolicySetScopeTypeUser PolicySetScopeType = "user"
const PolicySetScopeTypeSession PolicySetScopeType = "session"
UpdatedAt Time (format: date-time)
ZoneID string
ArchivedAt Time (optional, format: date-time)
LatestVersion int64 (optional)

Human-readable version number of the latest version (e.g., 1, 2, 3)

LatestVersionID string (optional)
UpdatedBy string (optional)
type PolicySetDraft struct{…}
CreatedAt Time (format: date-time)
PolicyID string
PolicyVersionID string
Sha string (optional)

SHA-256 of the policy version content, populated by the server

PolicySetID string
SchemaVersion string
UpdatedAt Time (format: date-time)
UpdatedBy string
type PolicySetManifest struct{…}
PolicyID string
PolicyVersionID string
Sha string (optional)

SHA-256 of the policy version content, populated by the server

type PolicySetManifestEntry struct{…}
PolicyID string
PolicyVersionID string
Sha string (optional)

SHA-256 of the policy version content, populated by the server

type PolicySetWithBinding struct{…}
Active bool (optional)

Whether this policy set is currently bound to a scope

ActiveVersion int64 (optional)

Human-readable version number of the active version (e.g., 1, 2, 3)

ActiveVersionID string (optional)

Public ID of the currently active (bound) version

Mode string (optional)
Accepts one of the following:
const PolicySetWithBindingModeActive PolicySetWithBindingMode = "active"
const PolicySetWithBindingModeShadow PolicySetWithBindingMode = "shadow"
ScopeTargetID string (optional)

Policy Sets: Versions

List versions of a policy set
client.Zones.PolicySets.Versions.List(ctx, policySetID, params) (*ZonePolicySetVersionListResponse, error)
GET /zones/{zone_id}/policy-sets/{policy_set_id}/versions
Create a new immutable policy set version
client.Zones.PolicySets.Versions.New(ctx, policySetID, params) (*PolicySetVersion, error)
POST /zones/{zone_id}/policy-sets/{policy_set_id}/versions
Get a specific policy set version
client.Zones.PolicySets.Versions.Get(ctx, versionID, params) (*PolicySetVersion, error)
GET /zones/{zone_id}/policy-sets/{policy_set_id}/versions/{version_id}
Activate a policy set version
client.Zones.PolicySets.Versions.Update(ctx, versionID, params) (*PolicySetVersion, error)
PATCH /zones/{zone_id}/policy-sets/{policy_set_id}/versions/{version_id}
Archive a policy set version
client.Zones.PolicySets.Versions.Archive(ctx, versionID, params) (*PolicySetVersion, error)
DELETE /zones/{zone_id}/policy-sets/{policy_set_id}/versions/{version_id}
List policy versions in a policy set version
client.Zones.PolicySets.Versions.ListPolicies(ctx, versionID, params) (*ZonePolicySetVersionListPoliciesResponse, error)
GET /zones/{zone_id}/policy-sets/{policy_set_id}/versions/{version_id}/policies
Models
type PolicySetVersion struct{…}
ID string
CreatedAt Time (format: date-time)
CreatedBy string
PolicyID string
PolicyVersionID string
Sha string (optional)

SHA-256 of the policy version content, populated by the server

ManifestSha string

Hex-encoded SHA-256 of the canonicalized manifest

PolicySetID string
SchemaVersion string

Schema version pinned to this policy set version. Determines the Cedar schema used for evaluation when activated.

Version int64
Active bool (optional)

Whether this policy set version is currently bound with mode='active'

ArchivedAt Time (optional, format: date-time)
ArchivedBy string (optional)
Attestation Attestation (optional)

JWS Flattened JSON Serialization (RFC 7515 §7.2.2) of a policy set attestation. The protected header carries the signing algorithm and key identifier; the payload is a base64url-encoded AttestationStatement canonicalized per RFC 8785 (JCS). Verify using the zone JWKS endpoint (RFC 7517). Currently signed with RS256; future zone key types (e.g. EdDSA) will be indicated by the "alg" header — no envelope changes required.

Payload string

Base64url-encoded AttestationStatement (RFC 7515 §3). Decode to inspect the attestation content. The payload is the RFC 8785 canonical form of the statement JSON; together with the protected header it forms the JWS Signing Input.

Protected string

Base64url-encoded JWS protected header (RFC 7515 §4). Contains at minimum "alg" (signing algorithm — currently RS256, will migrate to EdDSA) and "kid" (signing key identifier resolvable via the zone JWKS endpoint).

Signature string

Base64url-encoded digital signature computed over the JWS Signing Input (ASCII(protected) || '.' || payload) per RFC 7515 §5.1.