API Reference

Policy Sets

List policy sets in a zone
client.Zones.PolicySets.List(ctx, zoneID, params) (*ZonePolicySetListResponse, error)
GET /zones/{zone_id}/policy-sets
Create a new policy set
client.Zones.PolicySets.New(ctx, zoneID, params) (*PolicySetWithBinding, error)
POST /zones/{zone_id}/policy-sets
Get a policy set by ID
client.Zones.PolicySets.Get(ctx, policySetID, params) (*PolicySetWithBinding, error)
GET /zones/{zone_id}/policy-sets/{policy_set_id}
Update a policy set
client.Zones.PolicySets.Update(ctx, policySetID, params) (*PolicySetWithBinding, error)
PATCH /zones/{zone_id}/policy-sets/{policy_set_id}
Archive a policy set
client.Zones.PolicySets.Archive(ctx, policySetID, params) (*PolicySetWithBinding, error)
DELETE /zones/{zone_id}/policy-sets/{policy_set_id}
Models
type Attestation struct{…}

JWS Flattened JSON Serialization (RFC 7515 §7.2.2) of a policy set attestation. The protected header carries the signing algorithm and key identifier; the payload is a base64url-encoded AttestationStatement canonicalized per RFC 8785 (JCS). Verify using the zone JWKS endpoint (RFC 7517). Currently signed with RS256; future zone key types (e.g. EdDSA) will be indicated by the "alg" header — no envelope changes required.

Payload string

Base64url-encoded AttestationStatement (RFC 7515 §3). Decode to inspect attestation content. The RFC 8785 canonical form of the decoded JSON, base64url-encoded, forms the JWS Signing Input together with the protected header.

Protected string

Base64url-encoded JWS protected header (RFC 7515 §4). Contains at minimum "alg" (signing algorithm — currently RS256, will migrate to EdDSA) and "kid" (signing key identifier resolvable via the zone JWKS endpoint).

Signature string

Base64url-encoded digital signature computed over the JWS Signing Input (ASCII(protected) || '.' || payload) per RFC 7515 §5.1.

type AttestationStatement struct{…}

Decoded content of an Attestation JWS payload. Describes the exact policy set version composition at attestation time. This schema defines what consumers see after base64url-decoding the Attestation.payload field.

AttestedAt Time
format: date-time
AttestedBy string
KeyID string

Key ID of the signing key used to produce the attestation signature. Matches the "kid" in the JWS protected header.

ManifestSha string

SHA-256 of the policy set version manifest. Verifiers MUST check this matches the policy_set_version.manifest_sha to detect attestation/version mismatches.

PolicySetID string
PolicySetVersion int64
Status AttestationStatementStatus

Event that produced this attestation. "created" is the initial attestation at version creation; "re_signed" is a re-attestation after key rotation (same content, new signature).

Accepts one of the following:
const AttestationStatementStatusCreated AttestationStatementStatus = "created"
const AttestationStatementStatusReSigned AttestationStatementStatus = "re_signed"
Type AttestationStatementType

Statement type discriminator

V int64

Statement schema version

ZoneID string
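
Added example (not from the Keycard SDK or documentation): a verifier for the flattened JWS described above. It allow-lists RS256, selects the key by "kid", verifies the signature over protected + "." + payload, then applies the manifest_sha check. The JSON member name manifest_sha, the key map standing in for the zone JWKS, and the Demo helper with its constructed values are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)
var b64 = base64.RawURLEncoding
// Attestation holds the three base64url fields of the flattened JWS.
type Attestation struct{ Protected, Payload, Signature string }
// Verify checks the signature, then the manifest_sha binding (JSON name assumed).
func Verify(a Attestation, jwks map[string]*rsa.PublicKey, versionSha string) error {
	var hdr struct{ Alg, Kid string }
	var stmt struct{ ManifestSha string `json:"manifest_sha"` }
	hdrRaw, err1 := b64.DecodeString(a.Protected)
	body, err2 := b64.DecodeString(a.Payload)
	sig, err3 := b64.DecodeString(a.Signature)
	if err1 != nil || err2 != nil || err3 != nil || json.Unmarshal(hdrRaw, &hdr) != nil {
		return fmt.Errorf("malformed attestation envelope")
	}
	key, known := jwks[hdr.Kid] // keys come from the trusted key set, never from the token
	if hdr.Alg != "RS256" || !known { // allow-list the algorithm instead of trusting "alg"
		return fmt.Errorf("unsupported alg or unknown kid")
	}
	sum := sha256.Sum256([]byte(a.Protected + "." + a.Payload)) // JWS Signing Input
	if rsa.VerifyPKCS1v15(key, crypto.SHA256, sum[:], sig) != nil {
		return fmt.Errorf("signature verification failed")
	}
	if json.Unmarshal(body, &stmt) != nil || stmt.ManifestSha != versionSha {
		return fmt.Errorf("manifest_sha does not match the policy set version")
	}
	return nil
}
// Demo builds a constructed attestation and key set; it stands in for the server.
func Demo(stmtJSON string) (Attestation, map[string]*rsa.PublicKey) {
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	p := b64.EncodeToString([]byte(`{"alg":"RS256","kid":"k1"}`))
	b := b64.EncodeToString([]byte(stmtJSON))
	sum := sha256.Sum256([]byte(p + "." + b))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, k, crypto.SHA256, sum[:])
	return Attestation{p, b, b64.EncodeToString(sig)}, map[string]*rsa.PublicKey{"k1": &k.PublicKey}
}
func main() {
	a, jwks := Demo(`{"manifest_sha":"ab12"}`)
	fmt.Println(Verify(a, jwks, "ab12"), Verify(a, jwks, "ffff"))
}
```

The signature is checked over the payload string exactly as received, so the verifier does not need to re-canonicalize the JSON.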
type PolicySet struct{…}
ID string
CreatedAt Time
format: date-time
CreatedBy string
Name string
OwnerType PolicySetOwnerType

Who manages this policy set:

  • "platform" — managed by the Keycard platform (system policies).
  • "customer" — managed by the tenant (custom policies).
Accepts one of the following:
const PolicySetOwnerTypePlatform PolicySetOwnerType = "platform"
const PolicySetOwnerTypeCustomer PolicySetOwnerType = "customer"
ScopeType PolicySetScopeType

The scope at which this policy set applies:

  • "zone" — applies to all requests in the zone.
  • "resource" — scoped to a specific resource.
  • "user" — scoped to a specific user.
  • "session" — scoped to a specific session.
Accepts one of the following:
const PolicySetScopeTypeZone PolicySetScopeType = "zone"
const PolicySetScopeTypeResource PolicySetScopeType = "resource"
const PolicySetScopeTypeUser PolicySetScopeType = "user"
const PolicySetScopeTypeSession PolicySetScopeType = "session"
UpdatedAt Time
format: date-time
ZoneID string
ArchivedAt Time (optional)
format: date-time
LatestVersion int64 (optional)

Human-readable version number of the latest version (e.g., 1, 2, 3)

LatestVersionID string (optional)
UpdatedBy string (optional)
type PolicySetDraft struct{…}
CreatedAt Time
format: date-time
PolicyID string
PolicyVersionID string
Sha string (optional)

SHA-256 of the policy version content, populated by the server

PolicySetID string
SchemaVersion string
UpdatedAt Time
format: date-time
UpdatedBy string
BaseVersionID string (optional)

ID of the policy set version this draft was hydrated from. Null when the draft was created without an existing version.

Description string (optional)
Name string (optional)
Warnings []PolicySetDraftWarning (optional)

Warnings about manifest entries that would prevent creating a version from this draft. Present only when there are warnings; omitted when empty.

Message string

Human-readable description of the warning, e.g. 'validated against schema "2026-02-24", draft targets "2026-03-16"' or 'policy version is archived'.

PolicyID string
PolicyVersionID string
Type string
Accepts one of the following:
const PolicySetDraftWarningTypePolicyVersionArchived PolicySetDraftWarningType = "policy_version_archived"
const PolicySetDraftWarningTypeSchemaVersionMismatch PolicySetDraftWarningType = "schema_version_mismatch"
Detail PolicySetDraftWarningDetail (optional)

Structured detail payload. Present for warning types that carry additional context (e.g. schema_version_mismatch includes the two schema versions). Omitted when the type alone is sufficient (e.g. policy_version_archived).

DraftSchemaVersion string (optional)

Schema version the draft targets. Present only for schema_version_mismatch warnings.

PolicySchemaVersion string (optional)

Schema version the policy version was validated against. Present only for schema_version_mismatch warnings.

type PolicySetManifest struct{…}
PolicyID string
PolicyVersionID string
Sha string (optional)

SHA-256 of the policy version content, populated by the server

type PolicySetManifestEntry struct{…}
PolicyID string
PolicyVersionID string
Sha string (optional)

SHA-256 of the policy version content, populated by the server

type PolicySetWithBinding struct{…}
Active bool (optional)

Whether this policy set is currently bound to a scope

ActiveVersion int64 (optional)

Human-readable version number of the active version (e.g., 1, 2, 3)

ActiveVersionID string (optional)

Public ID of the currently active (bound) version

Mode string (optional)
Accepts one of the following:
const PolicySetWithBindingModeActive PolicySetWithBindingMode = "active"
const PolicySetWithBindingModeShadow PolicySetWithBindingMode = "shadow"
ScopeTargetID string (optional)
ShadowVersion int64 (optional)

Human-readable version number of the shadow version

ShadowVersionID string (optional)

Public ID of the shadow (observed) version, if any

Policy Sets Versions

List versions of a policy set
client.Zones.PolicySets.Versions.List(ctx, policySetID, params) (*ZonePolicySetVersionListResponse, error)
GET /zones/{zone_id}/policy-sets/{policy_set_id}/versions
Create a new immutable policy set version
client.Zones.PolicySets.Versions.New(ctx, policySetID, params) (*PolicySetVersion, error)
POST /zones/{zone_id}/policy-sets/{policy_set_id}/versions
Get a specific policy set version
client.Zones.PolicySets.Versions.Get(ctx, versionID, params) (*PolicySetVersion, error)
GET /zones/{zone_id}/policy-sets/{policy_set_id}/versions/{version_id}
Activate a policy set version
client.Zones.PolicySets.Versions.Update(ctx, versionID, params) (*PolicySetVersion, error)
PATCH /zones/{zone_id}/policy-sets/{policy_set_id}/versions/{version_id}
Archive a policy set version
client.Zones.PolicySets.Versions.Archive(ctx, versionID, params) (*PolicySetVersion, error)
DELETE /zones/{zone_id}/policy-sets/{policy_set_id}/versions/{version_id}
List policy versions in a policy set version
client.Zones.PolicySets.Versions.ListPolicies(ctx, versionID, params) (*ZonePolicySetVersionListPoliciesResponse, error)
GET /zones/{zone_id}/policy-sets/{policy_set_id}/versions/{version_id}/policies
Models
type PolicySetVersion struct{…}
ID string
CreatedAt Time
format: date-time
CreatedBy string
PolicyID string
PolicyVersionID string
Sha string (optional)

SHA-256 of the policy version content, populated by the server

ManifestSha string

Hex-encoded SHA-256 of the canonicalized manifest

OwnerType PolicySetVersionOwnerType

Who manages this policy set version:

  • "platform" — managed by the Keycard platform (system policy set versions).
  • "customer" — managed by the tenant (custom policy set versions).
Accepts one of the following:
const PolicySetVersionOwnerTypePlatform PolicySetVersionOwnerType = "platform"
const PolicySetVersionOwnerTypeCustomer PolicySetVersionOwnerType = "customer"
PolicySetID string
SchemaVersion string

Schema version pinned to this policy set version. Determines the Cedar schema used for evaluation when activated.

Version int64
Active bool (optional)

Whether this policy set version is currently bound with mode='active'

ArchivedAt Time (optional)
format: date-time
ArchivedBy string (optional)
Attestation AttestationStatement (optional)

Decoded content of an Attestation JWS payload. Describes the exact policy set version composition at attestation time. This schema defines what consumers see after base64url-decoding the Attestation.payload field.

AttestedAt Time
format: date-time
AttestedBy string
KeyID string

Key ID of the signing key used to produce the attestation signature. Matches the "kid" in the JWS protected header.

ManifestSha string

SHA-256 of the policy set version manifest. Verifiers MUST check this matches the policy_set_version.manifest_sha to detect attestation/version mismatches.

PolicySetID string
PolicySetVersion int64
Status AttestationStatementStatus

Event that produced this attestation. "created" is the initial attestation at version creation; "re_signed" is a re-attestation after key rotation (same content, new signature).

Accepts one of the following:
const AttestationStatementStatusCreated AttestationStatementStatus = "created"
const AttestationStatementStatusReSigned AttestationStatementStatus = "re_signed"
Type AttestationStatementType

Statement type discriminator

V int64

Statement schema version

ZoneID string