> ## Documentation Index
> Fetch the complete documentation index at: https://docs.truthlocks.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Evaluate MAIP Policy

> Evaluate all active agent policies against a specific agent and requested scope

# Evaluate MAIP Policy

`POST /v1/maip/policies/evaluate`

Evaluates all active MAIP policies for the authenticated tenant against a specific agent and requested scope. Returns whether the action is allowed, denied, or requires human approval. This is the runtime enforcement checkpoint that agents call before performing sensitive operations.

<Note>
  Policy evaluation uses a **deny-overrides** model: if any active policy with a
  matching `deny` rule triggers, the action is blocked regardless of any `allow`
  rules. The `requires_approval` flag is additive -- it can be set even when the
  action is allowed.
</Note>

### Authentication

Requires `X-API-Key` header or Bearer JWT token. Tenant-scoped via cookie or JWT claim.

### Request Body

<ParamField body="agent_id" type="string" required>
  MAIP-compliant agent identifier (e.g.,
  `"maip:t1234567:01HYX3KPZQ7RJGBN0WFMV8SDEH"`). The agent must exist and belong
  to the authenticated tenant.
</ParamField>

<ParamField body="scope" type="string" required>
  The permission scope being requested (e.g., `"data:write"`, `"tool:execute"`,
  `"model:train"`). Uses the `resource:action` format defined in
  [Scopes](/api-reference/machine-identity/scopes/list).
</ParamField>

<ParamField body="action" type="string">
  The specific action being performed. Provides additional context for policy
  rules beyond what the scope communicates.
</ParamField>

<ParamField body="resource" type="string">
  The specific resource being accessed. Provides additional context for audit
  logging and fine-grained policy conditions.
</ParamField>

### Evaluation Logic

The evaluation performs three sequential checks:

1. **Agent Status Check** -- The agent must have `status: "active"`. Suspended or revoked agents are always denied.
2. **Scope Access Check** -- The requested scope must be present in the agent's granted scopes. Explicitly denied scopes (prefixed with `!`) always block access.
3. **Policy Rules Check** -- All active tenant policies are evaluated in priority order. Each rule's conditions are AND-ed. If any `deny` rule matches, the action is blocked.

### Response

<ResponseField name="allowed" type="boolean">
  `true` if the action is permitted, `false` if denied by any check.
</ResponseField>

<ResponseField name="denied_by" type="string[]">
  Names of the policies that denied the action. Empty array if allowed.
</ResponseField>

<ResponseField name="reason" type="string">
  Human-readable reason for denial. One of: - `"agent is not active"` -- Agent
  is suspended or revoked - `"scope not granted to agent"` -- Scope not in
  agent's granted scopes - `"denied by policy"` -- One or more policies blocked
  the action
</ResponseField>

<ResponseField name="requires_approval" type="boolean">
  `true` if any matching policy rule has `requires_approval: true`, even if the
  action is otherwise allowed. The caller should present a human approval
  workflow before proceeding.
</ResponseField>

### Example

```bash theme={null}
curl -X POST https://api.truthlocks.com/v1/maip/policies/evaluate \
  -H "X-API-Key: tl_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "agent_id": "maip:t1234567:01HYX3KPZQ7RJGBN0WFMV8SDEH",
    "scope": "data:write",
    "action": "update_customer_record",
    "resource": "customers/cust_12345"
  }'
```

```javascript theme={null}
const response = await fetch(
  "https://api.truthlocks.com/v1/maip/policies/evaluate",
  {
    method: "POST",
    headers: {
      "X-API-Key": "tl_live_...",
      "Content-Type": "application/json",
    },
    body: JSON.stringify({
      agent_id: "maip:t1234567:01HYX3KPZQ7RJGBN0WFMV8SDEH",
      scope: "data:write",
      action: "update_customer_record",
      resource: "customers/cust_12345",
    }),
  },
);
const result = await response.json();

if (!result.allowed) {
  console.error(`Denied by: ${result.denied_by.join(", ")}`);
} else if (result.requires_approval) {
  // Route to human approval workflow
}
```

```python theme={null}
import requests

response = requests.post(
    "https://api.truthlocks.com/v1/maip/policies/evaluate",
    headers={
        "X-API-Key": "tl_live_...",
        "Content-Type": "application/json",
    },
    json={
        "agent_id": "maip:t1234567:01HYX3KPZQ7RJGBN0WFMV8SDEH",
        "scope": "data:write",
        "action": "update_customer_record",
        "resource": "customers/cust_12345",
    },
)
result = response.json()
```


## OpenAPI

````yaml mint-openapi.yaml POST /v1/maip/policies/evaluate
openapi: 3.0.3
info:
  title: Truthlocks API
  description: >
    Truthlocks is a universal verification infrastructure for documents,
    credentials, and digital assets.

    This specification defines the canonical API for interacting with Truthlocks
    services.


    ## Base URLs

    - **Production**: `https://api.truthlocks.com`

    - **Sandbox**: `https://sandbox-api.truthlocks.com`


    ## Authentication

    - **API Keys**: Use `X-API-Key` header for machine-to-machine operations

    - **Bearer Tokens**: Use `Authorization: Bearer <jwt>` for user-initiated
    operations


    ## Tenant Identity

    In production, tenant identity is derived from the authenticated context
    (API key or JWT).

    The `X-Tenant-ID` header is ignored in production to prevent spoofing.
  version: 1.0.0
  contact:
    name: Truthlocks Support
    url: https://truthlocks.com/support
    email: support@truthlocks.com
servers:
  - url: https://api.truthlocks.com
    description: Production API
  - url: https://sandbox-api.truthlocks.com
    description: Sandbox Environment
security:
  - APIKey: []
tags:
  - name: Authentication
    description: API key and token management
  - name: Issuers
    description: Issuer registration and trust management
  - name: Keys
    description: Cryptographic key management for issuers
  - name: Attestations
    description: Attestation lifecycle (mint, revoke, supersede)
  - name: Verification
    description: Attestation verification and proof bundles
  - name: Governance
    description: Issuer governance workflows (admin only)
  - name: Identity
    description: Organization, user, and role management
  - name: Audit
    description: Audit event queries
  - name: Platform
    description: Platform administration (super admin only)
  - name: Platform Review
    description: Staff review workflows for issuer applications
  - name: Tenant Console
    description: Tenant profile and lifecycle endpoints
  - name: Health
    description: Service health and readiness endpoints
  - name: Risk
    description: Risk signal ingestion and fraud detection
  - name: Risk Enforcement
    description: Risk enforcement actions — block, challenge, quarantine, and configuration
  - name: Billing
    description: Billing, subscription, and addon management
  - name: Machine Identity
    description: >-
      Machine Agent Identity Protocol (MAIP) — agent registration, sessions,
      trust, witness, compliance, orchestration, and observability
externalDocs:
  description: Transparency read-only API (separate service spec)
  url: >-
    https://github.com/truthlocks/truthlock/blob/main/docs/transparency/openapi.yaml
paths:
  /v1/maip/policies/evaluate:
    post:
      tags:
        - Machine Identity
      summary: Evaluate MAIP Policy
      description: >
        Evaluates all active MAIP policies against a specific agent and
        requested scope.

        Uses deny-overrides model: any matching deny rule blocks the action.
      operationId: maip.policies.evaluate
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - agent_id
                - scope
              properties:
                agent_id:
                  type: string
                  description: MAIP-compliant agent identifier
                scope:
                  type: string
                  description: Permission scope being requested
                action:
                  type: string
                  description: Specific action being performed
                resource:
                  type: string
                  description: Specific resource being accessed
      responses:
        '200':
          description: Evaluation result
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/MaipPolicyEvaluateResponse'
        '400':
          description: Missing required fields
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorEnvelope'
        '401':
          description: Authentication required
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorEnvelope'
        '404':
          description: Agent not found
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorEnvelope'
      security:
        - APIKey: []
components:
  schemas:
    MaipPolicyEvaluateResponse:
      type: object
      properties:
        allowed:
          type: boolean
          description: Whether the action is permitted
        denied_by:
          type: array
          items:
            type: string
          description: Names of policies that denied the action
        reason:
          type: string
          description: Human-readable denial reason
        requires_approval:
          type: boolean
          description: Whether human approval is required
    ErrorEnvelope:
      type: object
      required:
        - code
        - message
        - http_status
      properties:
        code:
          type: string
          description: Machine-readable error code
          enum:
            - AUTH_REQUIRED
            - AUTH_INVALID
            - PERMISSION_DENIED
            - TENANT_IDENTITY_UNVERIFIED
            - NOT_FOUND
            - VALIDATION_ERROR
            - CONFLICT
            - PAYLOAD_TOO_LARGE
            - RATE_LIMIT_EXCEEDED
            - QUOTA_EXCEEDED
            - SERVICE_UNAVAILABLE
            - INTERNAL_ERROR
        message:
          type: string
          description: Human-readable error message
        http_status:
          type: integer
          description: HTTP status code
        retry_after_ms:
          type: integer
          description: Milliseconds to wait before retrying (for rate limits)
        details:
          type: object
          description: Additional error context
      example:
        code: AUTH_REQUIRED
        message: Authentication required
        http_status: 401
  securitySchemes:
    APIKey:
      type: apiKey
      in: header
      name: X-API-Key
      description: API key for machine-to-machine authentication

````