Skip to content
API Reference
API Reference
Zones
Policy Sets
Versions

Get a specific policy set version

zones.policy_sets.versions.retrieve(strversion_id, VersionRetrieveParams**kwargs) -> PolicySetVersion
GET/zones/{zone_id}/policy-sets/{policy_set_id}/versions/{version_id}

Get a specific policy set version

ParametersExpand Collapse
zone_id: str
policy_set_id: str
version_id: str
x_api_version: Optional[str]
x_client_request_id: Optional[str]
formatuuid
ReturnsExpand Collapse
class PolicySetVersion:
id: str
created_at: datetime
formatdate-time
created_by: str
entries: List[PolicySetManifestEntry]
policy_id: str
policy_version_id: str
sha: Optional[str]

SHA-256 of the policy version content, populated by the server

manifest_sha: str

Hex-encoded SHA-256 of the canonicalized manifest

policy_set_id: str
schema_version: str

Schema version pinned to this policy set version. Determines the Cedar schema used for evaluation when activated.

version: int
active: Optional[bool]

Whether this policy set version is currently bound with mode='active'

archived_at: Optional[datetime]
formatdate-time
archived_by: Optional[str]
attestation: Optional[Attestation]

JWS Flattened JSON Serialization (RFC 7515 §7.2.2) of a policy set attestation. The protected header carries the signing algorithm and key identifier; the payload is a base64url-encoded AttestationStatement canonicalized per RFC 8785 (JCS). Verify using the zone JWKS endpoint (RFC 7517). Currently signed with RS256; future zone key types (e.g. EdDSA) will be indicated by the "alg" header — no envelope changes required.

payload: str

Base64url-encoded AttestationStatement (RFC 7515 §3). Decode to inspect attestation content. The RFC 8785 canonical form of the decoded JSON is the JWS Signing Input alongside the protected header.

protected: str

Base64url-encoded JWS protected header (RFC 7515 §4). Contains at minimum "alg" (signing algorithm — currently RS256, will migrate to EdDSA) and "kid" (signing key identifier resolvable via the zone JWKS endpoint).

signature: str

Base64url-encoded digital signature computed over the JWS Signing Input (ASCII(protected) || '.' || payload) per RFC 7515 §5.1.

Get a specific policy set version

from keycardai_api import KeycardAPI

client = KeycardAPI()
policy_set_version = client.zones.policy_sets.versions.retrieve(
    version_id="version_id",
    zone_id="zone_id",
    policy_set_id="policy_set_id",
)
print(policy_set_version.id)
{
  "id": "id",
  "created_at": "2019-12-27T18:11:19.117Z",
  "created_by": "created_by",
  "manifest": {
    "entries": [
      {
        "policy_id": "policy_id",
        "policy_version_id": "policy_version_id",
        "sha": "sha"
      }
    ]
  },
  "manifest_sha": "manifest_sha",
  "policy_set_id": "policy_set_id",
  "schema_version": "schema_version",
  "version": 0,
  "active": true,
  "archived_at": "2019-12-27T18:11:19.117Z",
  "archived_by": "archived_by",
  "attestation": {
    "payload": "payload",
    "protected": "protected",
    "signature": "signature"
  }
}
Returns Examples
{
  "id": "id",
  "created_at": "2019-12-27T18:11:19.117Z",
  "created_by": "created_by",
  "manifest": {
    "entries": [
      {
        "policy_id": "policy_id",
        "policy_version_id": "policy_version_id",
        "sha": "sha"
      }
    ]
  },
  "manifest_sha": "manifest_sha",
  "policy_set_id": "policy_set_id",
  "schema_version": "schema_version",
  "version": 0,
  "active": true,
  "archived_at": "2019-12-27T18:11:19.117Z",
  "archived_by": "archived_by",
  "attestation": {
    "payload": "payload",
    "protected": "protected",
    "signature": "signature"
  }
}