POST /v1/maip/policies
Create MAIP Policy
curl --request POST \
  --url https://api.truthlocks.com/v1/maip/policies \
  --header 'Content-Type: application/json' \
  --header 'X-API-Key: <api-key>' \
  --data '
{
  "name": "<string>",
  "rules": [
    {
      "conditions": [
        {
          "field": "trust_score",
          "op": "lt",
          "value": 0.5
        }
      ],
      "effect": "allow",
      "requires_approval": true
    }
  ],
  "description": "<string>",
  "category": "custom",
  "priority": 100
}
'
{
  "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "tenant_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "name": "<string>",
  "description": "<string>",
  "category": "custom",
  "status": "active",
  "priority": 100,
  "rules": [
    {
      "conditions": [
        {
          "field": "trust_score",
          "op": "lt",
          "value": 0.5
        }
      ],
      "effect": "allow",
      "requires_approval": true
    }
  ],
  "created_at": "2023-11-07T05:31:56Z",
  "updated_at": "2023-11-07T05:31:56Z"
}

Creates a new MAIP agent enforcement policy for the authenticated tenant. Policies define runtime rules that are evaluated when agents request access to scoped resources via the Evaluate Policy endpoint.
MAIP policies are different from RBAC issuance policies. MAIP policies govern machine agent behavior at runtime based on trust scores, delegation depth, scopes, and agent type. RBAC policies govern credential issuance and human user access.

Authentication

Requires X-API-Key header or Bearer JWT token. Tenant-scoped via cookie or JWT claim.

Request Body

name
string
required
Human-readable policy name. Used in denial messages and audit logs when the policy blocks an action. Must be unique per tenant. Maximum 256 characters.
description
string
Detailed description of what the policy enforces and why. Maximum 2048 characters.
category
string
Policy category for organizational purposes. One of:
  • "scope" — Restricts access based on scopes or resources
  • "trust" — Restricts access based on trust scores
  • "rate" — Restricts access frequency or volume
  • "custom" — Custom enforcement logic
Defaults to "custom" if omitted.
priority
integer
Evaluation priority. Lower numbers are evaluated first. Range: 1-1000. Defaults to 100 if omitted. Multiple policies at the same priority are evaluated in creation order.
rules
object[]
required
JSON array of policy rules. Each rule is evaluated independently. If any rule with "effect": "deny" matches, the action is denied. Rule schema:
{
  "conditions": [{ "field": "trust_score", "op": "lt", "value": 0.5 }],
  "effect": "deny",
  "requires_approval": false
}
Condition fields:
  • trust_score (number): operators lt, gt, le, ge. Agent's current trust score (0.0-1.0).
  • scope (string): operators eq, ne, in, contains. The scope being accessed (e.g., "data:write").
  • agent_type (string): operators eq, ne, in. Agent type (e.g., "llm", "worker", "orchestrator").
  • delegation_depth (number): operators gt, ge, lt, le. Agent's position in the delegation chain (0 = direct).
Operators:
  • eq: equals. Example value: "data:write"
  • ne: not equals. Example value: "system"
  • lt: less than. Example value: 0.5
  • gt: greater than. Example value: 3
  • le: less than or equal. Example value: 0.3
  • ge: greater than or equal. Example value: 0.7
  • in: matches any value in a list. Example value: ["llm", "worker"]
  • contains: string contains substring. Example value: "write"
Effects:
  • "allow" — Explicitly allow (does not override denials)
  • "deny" — Block the action. First deny wins.
  • "require_approval" — Require human approval before proceeding
All conditions within a single rule are AND-ed. Multiple rules within a policy are evaluated independently.
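The following Python module is an added example, not TruthLocks code. It re-implements the rule semantics described above (AND-ed conditions, independently evaluated rules, lower priority number first with ties in creation order, first deny wins, allow never overriding a deny) as an offline validator and dry-run evaluator, so a policy can be linted against the documented field/operator table and exercised against a few request contexts before it is POSTed. The request-context shape, the default-allow outcome when no rule matches, skipping policies whose status is not "active", and treating a matching rule's requires_approval flag like the require_approval effect are assumptions; the authoritative decision is always made server-side by the Evaluate Policy endpoint.

```python
"""Offline validator and dry-run evaluator for MAIP policy rules.

Added example, not TruthLocks code. Assumptions not stated on the page:
the request context is a dict with the four condition fields; a request
matching no rule is allowed; non-active policies are skipped; a matching
rule's requires_approval flag is treated like the require_approval effect.
"""
from __future__ import annotations

import operator

# Operators each condition field accepts, per the condition-field table.
FIELD_OPS = {
    "trust_score": {"lt", "gt", "le", "ge"},
    "scope": {"eq", "ne", "in", "contains"},
    "agent_type": {"eq", "ne", "in"},
    "delegation_depth": {"gt", "ge", "lt", "le"},
}
NUMERIC_FIELDS = {"trust_score", "delegation_depth"}
EFFECTS = {"allow", "deny", "require_approval"}
CATEGORIES = {"scope", "trust", "rate", "custom"}

OPS = {
    "eq": operator.eq, "ne": operator.ne,
    "lt": operator.lt, "gt": operator.gt,
    "le": operator.le, "ge": operator.ge,
    "in": lambda actual, expected: actual in expected,        # expected is a list
    "contains": lambda actual, expected: expected in actual,  # substring match
}


def validate_policy(policy: dict) -> list[str]:
    """Return the schema problems found (an empty list means well-formed)."""
    errors = []
    name = policy.get("name")
    if not isinstance(name, str) or not 1 <= len(name) <= 256:
        errors.append("name: required string of 1-256 characters")
    if len(policy.get("description") or "") > 2048:
        errors.append("description: at most 2048 characters")
    if policy.get("category", "custom") not in CATEGORIES:
        errors.append(f"category: must be one of {sorted(CATEGORIES)}")
    priority = policy.get("priority", 100)
    if not isinstance(priority, int) or not 1 <= priority <= 1000:
        errors.append("priority: integer in the range 1-1000")
    rules = policy.get("rules")
    if not isinstance(rules, list) or not rules:
        return errors + ["rules: non-empty array required"]
    for i, rule in enumerate(rules):
        if rule.get("effect") not in EFFECTS:
            errors.append(f"rules[{i}].effect: must be one of {sorted(EFFECTS)}")
        for j, cond in enumerate(rule.get("conditions", [])):
            where = f"rules[{i}].conditions[{j}]"
            field, op, value = cond.get("field"), cond.get("op"), cond.get("value")
            if field not in FIELD_OPS:
                errors.append(f"{where}.field: unknown field {field!r}")
            elif op not in FIELD_OPS[field]:
                errors.append(f"{where}.op: {op!r} is not valid for {field}")
            if op == "in" and not isinstance(value, list):
                errors.append(f"{where}.value: 'in' expects a list")
            elif field in NUMERIC_FIELDS and not isinstance(value, (int, float)):
                errors.append(f"{where}.value: {field} compares numbers")
    return errors


def _matches(rule: dict, ctx: dict) -> bool:
    # All conditions within a single rule are AND-ed (no conditions: always matches).
    return all(OPS[c["op"]](ctx[c["field"]], c["value"]) for c in rule["conditions"])


def evaluate(policies: list[dict], ctx: dict) -> tuple[str, str | None]:
    """Dry-run the active policies against one request context.

    Returns (decision, policy_name). Lower priority numbers run first and
    sorted() is stable, so equal priorities keep list (creation) order.
    The first deny wins, even if an allow/require_approval rule matched earlier.
    """
    approval_by = None
    for policy in sorted(policies, key=lambda p: p.get("priority", 100)):
        if policy.get("status", "active") != "active":
            continue  # assumption: disabled/archived policies do not evaluate
        for rule in policy["rules"]:
            if not _matches(rule, ctx):
                continue
            if rule["effect"] == "deny":
                return "deny", policy["name"]
            if rule["effect"] == "require_approval" or rule.get("requires_approval"):
                approval_by = approval_by or policy["name"]
    return ("require_approval", approval_by) if approval_by else ("allow", None)


# Constructed samples: the first is this page's own example, the second is hypothetical.
EXAMPLE_POLICIES = [
    {"name": "Block Low-Trust Write Operations", "category": "trust", "priority": 10,
     "rules": [{"conditions": [{"field": "trust_score", "op": "lt", "value": 0.5},
                               {"field": "scope", "op": "eq", "value": "data:write"}],
                "effect": "deny", "requires_approval": False}]},
    {"name": "Approve Deep Delegation", "category": "custom", "priority": 50,
     "rules": [{"conditions": [{"field": "delegation_depth", "op": "ge", "value": 2}],
                "effect": "require_approval", "requires_approval": True}]},
]

if __name__ == "__main__":
    for p in EXAMPLE_POLICIES:
        assert validate_policy(p) == [], validate_policy(p)
    request = {"trust_score": 0.3, "scope": "data:write", "agent_type": "llm", "delegation_depth": 1}
    print(evaluate(EXAMPLE_POLICIES, request))
```

Run validate_policy over a policy body before sending it; the auto-generated placeholder request at the top of this page (trust_score with op "eq" and a string value) fails both the operator and the numeric-value checks, which is exactly the kind of mistake the server would otherwise reject at request time or, worse, evaluate in a way you did not intend.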

Response

Returns the created policy object with server-generated fields (id, tenant_id, status, timestamps).
id
string
UUID primary key of the created policy.
tenant_id
string
UUID of the owning tenant.
name
string
Policy name as provided.
description
string
Policy description, if provided.
category
string
Policy category.
status
string
Always "active" on creation.
priority
integer
Evaluation priority.
rules
object[]
The rules array as provided.
created_at
string
ISO 8601 creation timestamp.
updated_at
string
ISO 8601 last-updated timestamp.

Example

cURL
curl -X POST https://api.truthlocks.com/v1/maip/policies \
  -H "X-API-Key: tl_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Block Low-Trust Write Operations",
    "description": "Deny data:write scope access for agents with trust score below 0.5",
    "category": "trust",
    "priority": 10,
    "rules": [
      {
        "conditions": [
          {"field": "trust_score", "op": "lt", "value": 0.5},
          {"field": "scope", "op": "eq", "value": "data:write"}
        ],
        "effect": "deny",
        "requires_approval": false
      }
    ]
  }'
JavaScript
const response = await fetch("https://api.truthlocks.com/v1/maip/policies", {
  method: "POST",
  headers: {
    "X-API-Key": "tl_live_...",
    "Content-Type": "application/json",
  },
  body: JSON.stringify({
    name: "Block Low-Trust Write Operations",
    description:
      "Deny data:write scope access for agents with trust score below 0.5",
    category: "trust",
    priority: 10,
    rules: [
      {
        conditions: [
          { field: "trust_score", op: "lt", value: 0.5 },
          { field: "scope", op: "eq", value: "data:write" },
        ],
        effect: "deny",
        requires_approval: false,
      },
    ],
  }),
});
// Surface 4xx/5xx responses instead of treating an error body as a policy object.
if (!response.ok) {
  throw new Error(`Create policy failed: ${response.status} ${await response.text()}`);
}
const policy = await response.json();
Python
import requests

response = requests.post(
    "https://api.truthlocks.com/v1/maip/policies",
    headers={
        "X-API-Key": "tl_live_...",
        "Content-Type": "application/json",
    },
    json={
        "name": "Block Low-Trust Write Operations",
        "description": "Deny data:write scope access for agents with trust score below 0.5",
        "category": "trust",
        "priority": 10,
        "rules": [
            {
                "conditions": [
                    {"field": "trust_score", "op": "lt", "value": 0.5},
                    {"field": "scope", "op": "eq", "value": "data:write"},
                ],
                "effect": "deny",
                "requires_approval": False,
            }
        ],
    },
)
# Surface 4xx/5xx responses instead of treating an error body as a policy object.
response.raise_for_status()
policy = response.json()

Authorizations

X-API-Key
string
header
required

API key for machine-to-machine authentication

Body

application/json
name
string
required

Human-readable policy name

Maximum string length: 256
rules
object[]
required

Array of policy rules

description
string

Detailed description of the policy

Maximum string length: 2048
category
enum<string>
default:custom

Policy category

Available options:
scope,
trust,
rate,
custom
priority
integer
default:100

Evaluation priority (lower = first)

Required range: 1 <= x <= 1000

Response

Policy created

id
string<uuid>

UUID primary key

tenant_id
string<uuid>

UUID of the owning tenant

name
string

Human-readable policy name

description
string

Detailed policy description

category
enum<string>

Policy category

Available options:
scope,
trust,
rate,
custom
status
enum<string>

Policy lifecycle status

Available options:
active,
disabled,
archived
priority
integer

Evaluation priority (lower = first)

rules
object[]

Array of policy rules

created_at
string<date-time>
updated_at
string<date-time>