Policy Sets
List policy sets in a zone
Create a new policy set
Get a policy set by ID
Update a policy set
Archive a policy set
Models
Attestation = object { payload, protected, signature } JWS Flattened JSON Serialization (RFC 7515 §7.2.2) of a policy set attestation. The protected header carries the signing algorithm and key identifier; the payload is a base64url-encoded AttestationStatement canonicalized per RFC 8785 (JCS). Verify using the zone JWKS endpoint (RFC 7517). Currently signed with RS256; future zone key types (e.g. EdDSA) will be indicated by the "alg" header — no envelope changes required.
payload: Base64url-encoded AttestationStatement (RFC 7515 §3). Decode to inspect the attestation content. The payload bytes are the RFC 8785 (JCS) canonical form of the statement; together with the protected header they form the JWS Signing Input.
protected: Base64url-encoded JWS protected header (RFC 7515 §4). Contains at minimum "alg" (signing algorithm, currently RS256, will migrate to EdDSA) and "kid" (signing key identifier resolvable via the zone JWKS endpoint). Verifiers should accept only an explicit allowlist of algorithms and resolve "kid" against the zone JWKS; the header value selects a key within that allowlist, never the verification method on its own.
signature: Base64url-encoded digital signature computed over the JWS Signing Input (ASCII(protected) || '.' || payload) per RFC 7515 §5.1.
AttestationStatement = object { attested_at, attested_by, key_id, 7 more } Decoded content of an Attestation JWS payload. Describes the exact policy set version composition at attestation time. This schema defines what consumers see after base64url-decoding the Attestation.payload field.
key_id: Key ID of the signing key used to produce the attestation signature. Matches the "kid" in the JWS protected header.
Hex-encoded SHA-256 of the canonicalized policy set version manifest. Verifiers MUST check this matches the policy_set_version.manifest_sha of the version they are consuming; a mismatch means the attestation does not describe that version's composition.
status: "created" or "re_signed". Event that produced this attestation. "created" is the initial attestation at version creation; "re_signed" is a re-attestation after key rotation (same content, new signature).
Statement type discriminator
Statement schema version
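The Attestation envelope and the AttestationStatement checks above, end to end, as an added example that is not Keycard's code: the issuing side builds the RFC 7515 §7.2.2 flattened envelope over a JCS-canonical statement; the verifying side pins the accepted algorithm, resolves "kid" from the zone JWKS, verifies RS256 over the signing input, confirms the payload is canonical, checks key_id against "kid", and applies the manifest_sha MUST. Assumptions: the statement field names not given on the page (type, schema_version, policy_set_version_id, manifest_sha, status), the kid value and all IDs are made up, and RSA/PKCS#1 v1.5 is implemented with plain Python integers only so the block runs offline.

```python
"""Verify a policy set Attestation (JWS flattened JSON, RS256) against a zone JWKS.

Added example, not Keycard's code. RSA keygen and PKCS#1 v1.5 use plain Python integers so
it runs offline; in production use a vetted library (e.g. cryptography) and >= 2048-bit keys
(1024 here for speed). JCS (RFC 8785) is approximated with json.dumps(sort_keys, compact),
exact for the int/string-only data used. Assumed: statement field names type, schema_version,
policy_set_version_id, manifest_sha, status (page names only attested_at/attested_by/key_id).
"""
import base64, hashlib, json, math, secrets

SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 §9.2
ALLOWED_ALGS = {"RS256"}  # pinned by the verifier; the token's "alg" never selects a key type

def _is_probable_prime(n, rounds=32):  # Miller-Rabin for large odd n (demo-grade)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else:
            return False
    return True

def generate_rsa_key(bits=1024, e=65537):
    def prime(b):
        while True:
            p = secrets.randbits(b) | (1 << (b - 1)) | 1  # exactly b bits, odd
            if _is_probable_prime(p): return p
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

def _emsa_pkcs1_v15(msg, k):  # EM = 00 01 FF..FF 00 DigestInfo || SHA-256(msg), k bytes long
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
def rs256_sign(key, msg):
    k = (key["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(msg, k), "big"), key["d"], key["n"]).to_bytes(k, "big")
def rs256_verify(pub, msg, sig):
    k = (pub["n"].bit_length() + 7) // 8
    if len(sig) != k: return False
    em = pow(int.from_bytes(sig, "big"), pub["e"], pub["n"]).to_bytes(k, "big")
    return secrets.compare_digest(em, _emsa_pkcs1_v15(msg, k))

def b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")
def b64u_dec(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def jcs(obj): return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode()
def _int_b64u(i): return b64u(i.to_bytes((i.bit_length() + 7) // 8, "big"))

def zone_jwks(key, kid):  # what the zone JWKS endpoint (RFC 7517) would publish
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
                      "n": _int_b64u(key["n"]), "e": _int_b64u(key["e"])}]}

def issue_attestation(key, kid, statement):  # server side: RFC 7515 §7.2.2 envelope
    protected, payload = b64u(jcs({"alg": "RS256", "kid": kid})), b64u(jcs(statement))
    sig = rs256_sign(key, f"{protected}.{payload}".encode("ascii"))  # over the JWS Signing Input
    return {"protected": protected, "payload": payload, "signature": b64u(sig)}

def verify_attestation(att, jwks, policy_set_version):  # returns the statement or raises
    header = json.loads(b64u_dec(att["protected"]))
    if header.get("alg") not in ALLOWED_ALGS: raise ValueError(f"unsupported alg {header.get('alg')!r}")
    jwk = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid") and k.get("kty") == "RSA"), None)
    if jwk is None: raise ValueError("kid not found in zone JWKS")
    pub = {"n": int.from_bytes(b64u_dec(jwk["n"]), "big"), "e": int.from_bytes(b64u_dec(jwk["e"]), "big")}
    if not rs256_verify(pub, f"{att['protected']}.{att['payload']}".encode("ascii"), b64u_dec(att["signature"])):
        raise ValueError("bad signature")
    raw = b64u_dec(att["payload"])
    stmt = json.loads(raw)
    if jcs(stmt) != raw: raise ValueError("payload is not in RFC 8785 canonical form")
    if stmt.get("key_id") != header["kid"]: raise ValueError("key_id does not match protected kid")
    if stmt.get("manifest_sha") != policy_set_version["manifest_sha"]:  # the MUST from the model text
        raise ValueError("manifest_sha mismatch")
    return stmt

def _failure(fn):  # error message of a failed verification, or None if it passed
    try: fn()
    except ValueError as e: return str(e)

def demo():  # constructed data: one-entry manifest, one version, one zone key
    key, kid = generate_rsa_key(), "zone-key-2026-03"
    entry = {"policy_id": "pol_01", "policy_version_id": "pv_01",
             "sha": hashlib.sha256(b"permit(principal, action, resource);").hexdigest()}
    manifest_sha = hashlib.sha256(jcs({"entries": [entry]})).hexdigest()  # hex SHA-256 of canonical manifest
    version = {"id": "psv_01", "manifest_sha": manifest_sha}
    stmt = {"type": "policy_set_attestation", "schema_version": 1, "attested_at": "2026-03-16T12:00:00Z",
            "attested_by": "keycard", "key_id": kid, "policy_set_version_id": "psv_01",
            "manifest_sha": manifest_sha, "status": "created"}
    att, jwks = issue_attestation(key, kid, stmt), zone_jwks(key, kid)
    forged = dict(att, payload=b64u(jcs(dict(stmt, manifest_sha="00" * 32))))  # edited payload, old signature
    alg_none = dict(att, protected=b64u(jcs({"alg": "none", "kid": kid})), signature="")
    return {"valid": verify_attestation(att, jwks, version) == stmt,
            "forged_payload": _failure(lambda: verify_attestation(forged, jwks, version)),
            "alg_none": _failure(lambda: verify_attestation(alg_none, jwks, version)),
            "other_version": _failure(lambda: verify_attestation(att, jwks, dict(version, manifest_sha="ab" * 32)))}
```

`demo()` returns the genuine attestation as valid and the three rejections a verifier must produce: an edited payload with the old signature ("bad signature"), an `"alg": "none"` header ("unsupported alg 'none'"), and a correctly signed attestation presented against a different version ("manifest_sha mismatch"). When the zone migrates to EdDSA, the change on this side is to add "EdDSA" to `ALLOWED_ALGS` together with an Ed25519 verifier keyed on `"kty": "OKP"`; the envelope and the checks after signature verification stay as they are.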
PolicySet = object { id, created_at, created_by, 9 more }
owner_type: "platform" or "customer". Who manages this policy set:
"platform" — managed by the Keycard platform (system policies).
"customer" — managed by the tenant (custom policies).
scope_type: "zone" or "resource" or "user" or "session". The scope at which this policy set applies:
"zone" — applies to all requests in the zone.
"resource" — scoped to a specific resource.
"user" — scoped to a specific user.
"session" — scoped to a specific session.
Human-readable version number of the latest version (e.g., 1, 2, 3)
PolicySetDraft = object { created_at, manifest, policy_set_id, 7 more }
SHA-256 of the policy version content, populated by the server
ID of the policy set version this draft was hydrated from. Null when the draft was created without an existing version.
warnings: optional array of object { message, policy_id, policy_version_id, 2 more } Warnings about manifest entries that would prevent creating a version from this draft. Present only when there are warnings; omitted when empty.
Human-readable description of the warning, e.g. 'validated against schema "2026-02-24", draft targets "2026-03-16"' or 'policy version is archived'.
type: "policy_version_archived" or "schema_version_mismatch"
detail: optional object { draft_schema_version, policy_schema_version } Structured detail payload. Present for warning types that carry additional context (e.g. schema_version_mismatch includes the two schema versions). Omitted when the type alone is sufficient (e.g. policy_version_archived).
Schema version the draft targets. Present only for schema_version_mismatch warnings.
Schema version the policy version was validated against. Present only for schema_version_mismatch warnings.
PolicySetManifest = object { entries }
SHA-256 of the policy version content, populated by the server
PolicySetManifestEntry = object { policy_id, policy_version_id, sha }
SHA-256 of the policy version content, populated by the server
Whether this policy set is currently bound to a scope
Human-readable version number of the active version (e.g., 1, 2, 3)
Public ID of the currently active (bound) version
mode: optional "active" or "shadow"
Human-readable version number of the shadow version
Public ID of the shadow (observed) version, if any
Policy Set Versions
List versions of a policy set
Create a new immutable policy set version
Get a specific policy set version
Activate a policy set version
Archive a policy set version
List policy versions in a policy set version
Models
PolicySetVersion = object { id, created_at, created_by, 10 more }
SHA-256 of the policy version content, populated by the server
Hex-encoded SHA-256 of the canonicalized manifest
owner_type: "platform" or "customer". Who manages this policy set version:
"platform" — managed by the Keycard platform (system policy set versions).
"customer" — managed by the tenant (custom policy set versions).
Schema version pinned to this policy set version. Determines the Cedar schema used for evaluation when activated.
Whether this policy set version is currently bound with mode='active'