API Reference

Create a new immutable policy set version

POST /zones/{zone_id}/policy-sets/{policy_set_id}/versions

Validates the manifest, computes SHA, and creates an immutable version snapshot.

Path Parameters
zone_id: string
policy_set_id: string
Header Parameters
"X-API-Version": optional string
"X-Client-Request-ID": optional string
format: uuid
Body Parameters (JSON)
manifest: PolicySetManifest { entries }
entries: array of PolicySetManifestEntry { policy_id, policy_version_id, sha }
policy_id: string
policy_version_id: string
sha: optional string

SHA-256 of the policy version content, populated by the server

schema_version: string

Schema version to pin to this policy set version.

Returns
PolicySetVersion = object { id, created_at, created_by, 9 more }
id: string
created_at: string
format: date-time
created_by: string
manifest: PolicySetManifest { entries }
entries: array of PolicySetManifestEntry { policy_id, policy_version_id, sha }
policy_id: string
policy_version_id: string
sha: optional string

SHA-256 of the policy version content, populated by the server

manifest_sha: string

Hex-encoded SHA-256 of the canonicalized manifest

policy_set_id: string
schema_version: string

Schema version pinned to this policy set version. Determines the Cedar schema used for evaluation when activated.

version: number
active: optional boolean

Whether this policy set version is currently bound with mode='active'

archived_at: optional string
format: date-time
archived_by: optional string
attestation: optional Attestation { payload, protected, signature }

JWS Flattened JSON Serialization (RFC 7515 §7.2.2) of a policy set attestation. The protected header carries the signing algorithm and key identifier; the payload is a base64url-encoded AttestationStatement canonicalized per RFC 8785 (JCS). Verify using the zone JWKS endpoint (RFC 7517). Currently signed with RS256; future zone key types (e.g. EdDSA) will be indicated by the "alg" header — no envelope changes required.

payload: string

Base64url-encoded AttestationStatement (RFC 7515 §3). Decode to inspect attestation content. The RFC 8785 canonical form of the decoded JSON is the JWS Signing Input alongside the protected header.

protected: string

Base64url-encoded JWS protected header (RFC 7515 §4). Contains at minimum "alg" (signing algorithm — currently RS256, will migrate to EdDSA) and "kid" (signing key identifier resolvable via the zone JWKS endpoint).

signature: string

Base64url-encoded digital signature computed over the JWS Signing Input (ASCII(protected) || '.' || payload) per RFC 7515 §5.1.
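
Added example, not part of the original reference or of any Keycard SDK: one way to verify the attestation object described above with only the Python standard library. It handles RS256 only, takes the zone JWKS as an already-fetched dict, and builds its sample with a constructed, insecure demo key; the statement field name "example_field" is a placeholder.

```python
import base64, hashlib, json
# DER DigestInfo prefix for SHA-256 (RFC 8017 section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
# Constructed demo key from two Mersenne primes: insecure, for this example only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def b64u_dec(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64u_enc(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def emsa_pkcs1_v15(msg, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg) for a k-byte modulus."""
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_attestation(att, jwks):
    """Return the decoded statement if the JWS verifies, else raise ValueError."""
    header = json.loads(b64u_dec(att["protected"]))
    if header.get("alg") != "RS256":  # pin the algorithm; reject "none" and others
        raise ValueError("unexpected alg")
    key = next((j for j in jwks["keys"]
                if j.get("kty") == "RSA" and j.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("kid not in JWKS")
    n, e = (int.from_bytes(b64u_dec(key[f]), "big") for f in ("n", "e"))
    k = (n.bit_length() + 7) // 8
    sig = b64u_dec(att["signature"])
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        raise ValueError("malformed signature")
    # Signing input is the two base64url strings as transmitted, not re-encoded JSON.
    signing_input = (att["protected"] + "." + att["payload"]).encode("ascii")
    if pow(s, e, n).to_bytes(k, "big") != emsa_pkcs1_v15(signing_input, k):
        raise ValueError("signature mismatch")
    return json.loads(b64u_dec(att["payload"]))

def make_sample():
    """Build a constructed attestation and JWKS signed with the demo key."""
    k = (N.bit_length() + 7) // 8
    jwk = {"kty": "RSA", "kid": "demo-key", "n": b64u_enc(N.to_bytes(k, "big")),
           "e": b64u_enc(E.to_bytes(3, "big"))}
    protected = b64u_enc(b'{"alg":"RS256","kid":"demo-key"}')
    payload = b64u_enc(b'{"example_field":"constructed"}')
    em = emsa_pkcs1_v15((protected + "." + payload).encode("ascii"), k)
    sig = pow(int.from_bytes(em, "big"), D, N).to_bytes(k, "big")
    return {"protected": protected, "payload": payload, "signature": b64u_enc(sig)}, {"keys": [jwk]}
```

Only trust the returned statement after verify_attestation returns without raising, and compare its contents against the version you fetched rather than the other way round.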

Create a new immutable policy set version

curl https://api.keycard.ai/zones/$ZONE_ID/policy-sets/$POLICY_SET_ID/versions \
    -H 'Content-Type: application/json' \
    -d '{
          "manifest": {
            "entries": [
              {
                "policy_id": "policy_id",
                "policy_version_id": "policy_version_id"
              }
            ]
          },
          "schema_version": "schema_version"
        }'
Returns Examples
{
  "id": "id",
  "created_at": "2019-12-27T18:11:19.117Z",
  "created_by": "created_by",
  "manifest": {
    "entries": [
      {
        "policy_id": "policy_id",
        "policy_version_id": "policy_version_id",
        "sha": "sha"
      }
    ]
  },
  "manifest_sha": "manifest_sha",
  "policy_set_id": "policy_set_id",
  "schema_version": "schema_version",
  "version": 0,
  "active": true,
  "archived_at": "2019-12-27T18:11:19.117Z",
  "archived_by": "archived_by",
  "attestation": {
    "payload": "payload",
    "protected": "protected",
    "signature": "signature"
  }
}