API Reference

Policy Sets

List policy sets in a zone
GET/zones/{zone_id}/policy-sets
Create a new policy set
POST/zones/{zone_id}/policy-sets
Get a policy set by ID
GET/zones/{zone_id}/policy-sets/{policy_set_id}
Update a policy set
PATCH/zones/{zone_id}/policy-sets/{policy_set_id}
Archive a policy set
DELETE/zones/{zone_id}/policy-sets/{policy_set_id}
Models
Attestation = object { payload, protected, signature }

JWS Flattened JSON Serialization (RFC 7515 §7.2.2) of a policy set attestation. The protected header carries the signing algorithm and key identifier; the payload is the base64url encoding of an AttestationStatement serialized in RFC 8785 (JCS) canonical form. Verify the signature with the key that "kid" names in the zone JWKS endpoint (RFC 7517): resolve "kid" only against that key set, and accept only the algorithms the zone is documented to use rather than whatever the "alg" header claims. Currently signed with RS256; future zone key types (e.g. EdDSA) will be indicated by the "alg" header, with no envelope changes required.

payload: string

Base64url-encoded AttestationStatement, i.e. the JWS Payload (RFC 7515 §3). Decode to inspect the attestation content. The decoded bytes are the RFC 8785 canonical form of the statement; the JWS Signing Input is this encoded string joined to the encoded protected header with '.', so verify over the strings as received and do not re-serialize the statement before checking the signature.

protected: string

Base64url-encoded JWS Protected Header (RFC 7515 §4). Contains at minimum "alg" (signing algorithm; currently RS256, with a migration to EdDSA planned) and "kid" (identifier of the signing key, resolvable via the zone JWKS endpoint).

signature: string

Base64url-encoded digital signature computed over the JWS Signing Input, ASCII(protected || '.' || payload), where protected and payload are the base64url strings carried in this object (RFC 7515 §5.1).

AttestationStatement = object { attested_at, attested_by, manifest, manifest_sha, policy_set_id, policy_set_version, status, type, v, zone_id }

Decoded content of an Attestation JWS payload. Describes the exact policy set version composition at attestation time. This schema defines what consumers see after base64url-decoding the Attestation.payload field.

attested_at: string
format: date-time
attested_by: string
manifest: array of PolicySetManifestEntry { policy_id, policy_version_id, sha }

Snapshot of the policy set manifest at attestation time. Each entry pins a policy version by ID and content SHA.

policy_id: string
policy_version_id: string
sha: optional string

SHA-256 of the policy version content, populated by the server

manifest_sha: string

Hex-encoded SHA-256 of the policy set version manifest. Verifiers MUST check that it equals the manifest_sha of the PolicySetVersion the attestation is attached to; a mismatch means the attestation does not describe the version that was fetched.

policy_set_id: string
policy_set_version: number
status: "committed" or "re_signed"

Event that produced this attestation. "committed" is the initial attestation made when the version is created; "re_signed" is a re-attestation after key rotation (same content, new signature under the rotated key, so expect a different "kid" in the protected header).

Accepts one of the following:
"committed"
"re_signed"
type: "policy_set_attestation"

Statement type discriminator

v: 1

Statement schema version

zone_id: string
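How a consumer should verify one of these attestations, as an added example that is not Keycard's own code or SDK (Go, standard library only). It signs a constructed statement with a throwaway RS256 zone key so that it runs offline, then verifies the envelope against a JWKS and binds the decoded statement to the PolicySetVersion it came with. The JWK field names, the key identifier "zone-key-demo", the zone and policy set IDs, the manifest entry values and the way manifest_sha is derived in the fixture are assumptions for the demo; in production the key set comes from the zone JWKS endpoint and the expected values from the GET version endpoint.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
)

var b64 = base64.RawURLEncoding // JWS base64url without padding (RFC 7515 §2)

// Attestation is the JWS Flattened JSON Serialization carried on a PolicySetVersion.
type Attestation struct {
	Payload   string `json:"payload"`
	Protected string `json:"protected"`
	Signature string `json:"signature"`
}

// AttestationStatement holds the payload fields the verifier binds to.
type AttestationStatement struct {
	Type             string `json:"type"`
	V                int    `json:"v"`
	ZoneID           string `json:"zone_id"`
	PolicySetID      string `json:"policy_set_id"`
	PolicySetVersion int    `json:"policy_set_version"`
	ManifestSHA      string `json:"manifest_sha"`
	Status           string `json:"status"`
}

// JWK is the RSA subset of RFC 7517; encoding/json matches kty/kid/n/e case-insensitively.
type JWK struct{ Kty, Kid, N, E string }
type JWKS struct{ Keys []JWK }

// Expected is what the caller already knows from the PolicySetVersion it fetched.
type Expected struct {
	ZoneID, PolicySetID, ManifestSHA string
	Version                          int
}

// VerifyAttestation checks the JWS over the base64url strings exactly as received
// (no re-canonicalization), then binds the decoded statement to the fetched version.
func VerifyAttestation(att Attestation, keys JWKS, want Expected) (*AttestationStatement, error) {
	hdrRaw, errH := b64.DecodeString(att.Protected)
	sig, errS := b64.DecodeString(att.Signature)
	body, errP := b64.DecodeString(att.Payload)
	var hdr struct{ Alg, Kid string }
	if errH != nil || errS != nil || errP != nil || json.Unmarshal(hdrRaw, &hdr) != nil {
		return nil, fmt.Errorf("malformed attestation envelope")
	}
	if hdr.Alg != "RS256" { // pin the algorithm; the token must not choose it ("none", HS256, ...)
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	var pub *rsa.PublicKey // resolve kid strictly against the zone JWKS; header-carried keys are ignored
	for _, k := range keys.Keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kid == hdr.Kid && k.Kty == "RSA" && errN == nil && errE == nil {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil {
		return nil, fmt.Errorf("kid %q not in zone JWKS", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(att.Protected + "." + att.Payload)) // JWS Signing Input, RFC 7515 §5.1
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature: %w", err)
	}
	var st AttestationStatement // decode only after the signature holds
	if err := json.Unmarshal(body, &st); err != nil {
		return nil, err
	}
	switch {
	case st.Type != "policy_set_attestation" || st.V != 1:
		return nil, fmt.Errorf("unexpected statement %q v%d", st.Type, st.V)
	case st.Status != "committed" && st.Status != "re_signed":
		return nil, fmt.Errorf("unknown status %q", st.Status)
	case st.ZoneID != want.ZoneID || st.PolicySetID != want.PolicySetID || st.PolicySetVersion != want.Version:
		return nil, fmt.Errorf("statement covers %s/%s v%d, not the fetched version", st.ZoneID, st.PolicySetID, st.PolicySetVersion)
	case st.ManifestSHA != want.ManifestSHA:
		return nil, fmt.Errorf("manifest_sha %s != version manifest_sha %s", st.ManifestSHA, want.ManifestSHA)
	}
	return &st, nil
}

// BuildFixture plays the signer so the block runs offline: a throwaway zone key, its JWKS,
// and an RS256 attestation over a constructed statement for version 3. Compact key-sorted
// JSON equals RFC 8785 output for this ASCII/small-integer content (a real signer needs a
// JCS library); deriving manifest_sha as SHA-256 of that JSON is a demo assumption.
func BuildFixture() (Attestation, JWKS, Expected, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Attestation{}, JWKS{}, Expected{}, err
	}
	const kid = "zone-key-demo" // hypothetical key identifier
	keys := JWKS{Keys: []JWK{{Kty: "RSA", Kid: kid, N: b64.EncodeToString(priv.N.Bytes()),
		E: b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}}}
	manifest := []map[string]any{{"policy_id": "pol_demo", "policy_version_id": "pv_demo_1", "sha": "constructed"}}
	mRaw, _ := json.Marshal(manifest)
	want := Expected{ZoneID: "zone_demo", PolicySetID: "pset_demo", Version: 3, ManifestSHA: fmt.Sprintf("%x", sha256.Sum256(mRaw))}
	body, _ := json.Marshal(map[string]any{
		"type": "policy_set_attestation", "v": 1, "status": "committed", "zone_id": want.ZoneID,
		"policy_set_id": want.PolicySetID, "policy_set_version": want.Version, "manifest": manifest,
		"manifest_sha": want.ManifestSHA, "attested_at": "2024-01-15T10:00:00Z", "attested_by": "attestor_demo",
	})
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	p, q := b64.EncodeToString(hdr), b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(p + "." + q))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return Attestation{Payload: q, Protected: p, Signature: b64.EncodeToString(sig)}, keys, want, err
}
```

The order of checks is the point: the algorithm is pinned and the key resolved before any signature arithmetic, the payload is decoded only once the signature holds, and the statement is then compared against what the caller already knows about the version instead of being trusted for its own identifiers. A "re_signed" attestation verifies the same way but under a different "kid"; if that kid is absent from a cached JWKS, refetch the key set once before failing closed. When the zone announces EdDSA, extend the algorithm allowlist and the key parsing rather than relaxing the pin.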
PolicySet = object { id, created_at, created_by, name, owner_type, scope_type, updated_at, zone_id, archived_at, latest_version, latest_version_id, updated_by }
id: string
created_at: string
format: date-time
created_by: string
name: string
owner_type: "platform" or "customer"

Who manages this policy set:

  • "platform" — managed by the Keycard platform (system policies).
  • "customer" — managed by the tenant (custom policies).
Accepts one of the following:
"platform"
"customer"
scope_type: "zone" or "resource" or "user" or "session"

The scope at which this policy set applies:

  • "zone" — applies to all requests in the zone.
  • "resource" — scoped to a specific resource.
  • "user" — scoped to a specific user.
  • "session" — scoped to a specific session.
Accepts one of the following:
"zone"
"resource"
"user"
"session"
updated_at: string
format: date-time
zone_id: string
archived_at: optional string
format: date-time
latest_version: optional number

Human-readable version number of the latest version (e.g., 1, 2, 3)

latest_version_id: optional string
updated_by: optional string
PolicySetDraft = object { created_at, manifest, policy_set_id, schema_version, updated_at, updated_by }
created_at: string
format: date-time
manifest: PolicySetManifest { entries }
entries: array of PolicySetManifestEntry { policy_id, policy_version_id, sha }
policy_id: string
policy_version_id: string
sha: optional string

SHA-256 of the policy version content, populated by the server

policy_set_id: string
schema_version: string
updated_at: string
format: date-time
updated_by: string
PolicySetManifest = object { entries }
entries: array of PolicySetManifestEntry { policy_id, policy_version_id, sha }
policy_id: string
policy_version_id: string
sha: optional string

SHA-256 of the policy version content, populated by the server

PolicySetManifestEntry = object { policy_id, policy_version_id, sha }
policy_id: string
policy_version_id: string
sha: optional string

SHA-256 of the policy version content, populated by the server

PolicySetWithBinding = PolicySet { id, created_at, created_by, name, owner_type, scope_type, updated_at, zone_id, archived_at, latest_version, latest_version_id, updated_by } extended with the binding fields below
active: optional boolean

Whether this policy set is currently bound to a scope

active_version: optional number

Human-readable version number of the active version (e.g., 1, 2, 3)

active_version_id: optional string

Public ID of the currently active (bound) version

mode: optional "active" or "shadow"
Accepts one of the following:
"active"
"shadow"
scope_target_id: optional string

Policy Set Versions

List versions of a policy set
GET/zones/{zone_id}/policy-sets/{policy_set_id}/versions
Create a new immutable policy set version
POST/zones/{zone_id}/policy-sets/{policy_set_id}/versions
Get a specific policy set version
GET/zones/{zone_id}/policy-sets/{policy_set_id}/versions/{version_id}
Activate a policy set version
PATCH/zones/{zone_id}/policy-sets/{policy_set_id}/versions/{version_id}
Archive a policy set version
DELETE/zones/{zone_id}/policy-sets/{policy_set_id}/versions/{version_id}
List policy versions in a policy set version
GET/zones/{zone_id}/policy-sets/{policy_set_id}/versions/{version_id}/policies
Models
PolicySetVersion = object { id, created_at, created_by, manifest, manifest_sha, policy_set_id, schema_version, version, active, archived_at, archived_by, attestation }
id: string
created_at: string
format: date-time
created_by: string
manifest: PolicySetManifest { entries }
entries: array of PolicySetManifestEntry { policy_id, policy_version_id, sha }
policy_id: string
policy_version_id: string
sha: optional string

SHA-256 of the policy version content, populated by the server

manifest_sha: string

Hex-encoded SHA-256 of the canonicalized manifest

policy_set_id: string
schema_version: string

Schema version pinned to this policy set version. Determines the Cedar schema used for evaluation when activated.

version: number
active: optional boolean

Whether this policy set version is currently bound with mode='active'

archived_at: optional string
format: date-time
archived_by: optional string
attestation: optional Attestation { payload, protected, signature }

JWS Flattened JSON Serialization (RFC 7515 §7.2.2) of the attestation for this version, signed by the zone key. The envelope fields (payload, protected, signature) and the verification notes are documented under the Attestation model in the Policy Sets section above.