Skip to main content

Policy and Permits

Decision outcomes

POST /v1/authorize resolves to:

allowed (permit returned)
pending_approval (request id returned; permit later)
denied (no permit)

Core entities

Action type (action_type)
Policy
Request
Approval
Permit JWT

Contract source

Shared schemas under packages/shared are the primary contract source:

Action request unions and payload schemas
Policy rule schema and reason codes
Permit claims schema

Permit verification

Consumers should verify:

Signature via workspace JWKS
Issuer/API origin
Workspace/audience context
Expiration

Prefer SDK verification helpers over custom JWT handling.

Decision outcomes
Core entities
Contract source
Permit verification