Skip to content
Docs

Versions

API Reference
Zones
Policy Sets

Versions

List versions of a policy set
zones.policy_sets.versions.list(strpolicy_set_id, VersionListParams**kwargs) -> VersionListResponse
GET/zones/{zone_id}/policy-sets/{policy_set_id}/versions
Create a new immutable policy set version
zones.policy_sets.versions.create(strpolicy_set_id, VersionCreateParams**kwargs) -> PolicySetVersion
POST/zones/{zone_id}/policy-sets/{policy_set_id}/versions
Get a specific policy set version
zones.policy_sets.versions.retrieve(strversion_id, VersionRetrieveParams**kwargs) -> PolicySetVersion
GET/zones/{zone_id}/policy-sets/{policy_set_id}/versions/{version_id}
Activate a policy set version
zones.policy_sets.versions.update(strversion_id, VersionUpdateParams**kwargs) -> PolicySetVersion
PATCH/zones/{zone_id}/policy-sets/{policy_set_id}/versions/{version_id}
Archive a policy set version
zones.policy_sets.versions.archive(strversion_id, VersionArchiveParams**kwargs) -> PolicySetVersion
DELETE/zones/{zone_id}/policy-sets/{policy_set_id}/versions/{version_id}
List policy versions in a policy set version
zones.policy_sets.versions.list_policies(strversion_id, VersionListPoliciesParams**kwargs) -> VersionListPoliciesResponse
GET/zones/{zone_id}/policy-sets/{policy_set_id}/versions/{version_id}/policies
ModelsExpand Collapse
class PolicySetVersion:
id: str
created_at: datetime
formatdate-time
created_by: str
entries: List[PolicySetManifestEntry]
policy_id: str
policy_version_id: str
sha: Optional[str]

SHA-256 of the policy version content, populated by the server

manifest_sha: str

Hex-encoded SHA-256 of the canonicalized manifest

owner_type: Literal["platform", "customer"]

Who manages this policy set version:

  • "platform" — managed by the Keycard platform (system policy set versions).
  • "customer" — managed by the tenant (custom policy set versions).
Accepts one of the following:
"platform"
"customer"
policy_set_id: str
schema_version: str

Schema version pinned to this policy set version. Determines the Cedar schema used for evaluation when activated.

version: int
active: Optional[bool]

Whether this policy set version is currently bound with mode='active'

archived_at: Optional[datetime]
formatdate-time
archived_by: Optional[str]
attestation: Optional[AttestationStatement]

Decoded content of an Attestation JWS payload. Describes the exact policy set version composition at attestation time. This schema defines what consumers see after base64url-decoding the Attestation.payload field.

attested_at: datetime
formatdate-time
attested_by: str
key_id: str

Key ID of the signing key used to produce the attestation signature. Matches the "kid" in the JWS protected header.

manifest_sha: str

SHA-256 of the policy set version manifest. Verifiers MUST check this matches the policy_set_version.manifest_sha to detect attestation/version mismatches.

policy_set_id: str
policy_set_version: int
status: Literal["created", "re_signed"]

Event that produced this attestation. "created" is the initial attestation at version creation; "re_signed" is a re-attestation after key rotation (same content, new signature).

Accepts one of the following:
"created"
"re_signed"
type: Literal["policy_set_attestation"]

Statement type discriminator

v: Literal[1]

Statement schema version

zone_id: str