> ## Documentation Index
> Fetch the complete documentation index at: https://docs.truthlocks.com/llms.txt
> Use this file to discover all available pages before exploring further.

# List MAIP Policies

> List all agent enforcement policies for the authenticated tenant

# List MAIP Policies

`GET /v1/maip/policies`

Returns all MAIP agent policies configured for the authenticated tenant. Policies define runtime enforcement rules that govern what agents can do based on trust scores, scopes, delegation depth, and agent type.

### Authentication

Requires `X-API-Key` header or Bearer JWT token. Tenant-scoped via cookie or JWT claim.

### Response

Returns an array of policy objects.

<ResponseField name="id" type="string">
  UUID primary key of the policy.
</ResponseField>

<ResponseField name="tenant_id" type="string">
  UUID of the owning tenant.
</ResponseField>

<ResponseField name="name" type="string">
  Human-readable policy name. Used in denial messages and audit logs.
</ResponseField>

<ResponseField name="description" type="string">
  Detailed description of what the policy enforces.
</ResponseField>

<ResponseField name="category" type="string">
  Policy category. One of: `"scope"`, `"trust"`, `"rate"`, `"custom"`.
</ResponseField>

<ResponseField name="status" type="string">
  Policy lifecycle status. One of: `"active"`, `"disabled"`, `"archived"`. Only
  `active` policies are evaluated during policy checks.
</ResponseField>

<ResponseField name="priority" type="integer">
  Evaluation priority. Lower numbers are evaluated first. Default: `100`.
</ResponseField>

<ResponseField name="rules" type="object">
  JSON array of policy rules. Each rule contains conditions, an effect
  (`"allow"`, `"deny"`, `"require_approval"`), and an optional
  `requires_approval` flag. See [Create Policy](#create-policy) for the full
  rule schema.
</ResponseField>

<ResponseField name="created_at" type="string">
  ISO 8601 creation timestamp.
</ResponseField>

<ResponseField name="updated_at" type="string">
  ISO 8601 last-updated timestamp.
</ResponseField>

### Example

```bash theme={null}
curl https://api.truthlocks.com/v1/maip/policies \
  -H "X-API-Key: tl_live_..."
```

```javascript theme={null}
const response = await fetch("https://api.truthlocks.com/v1/maip/policies", {
  headers: { "X-API-Key": "tl_live_..." },
});
const policies = await response.json();
```

```python theme={null}
import requests

response = requests.get(
    "https://api.truthlocks.com/v1/maip/policies",
    headers={"X-API-Key": "tl_live_..."},
)
policies = response.json()
```


## OpenAPI

````yaml mint-openapi.yaml GET /v1/maip/policies
openapi: 3.0.3
info:
  title: Truthlocks API
  description: >
    Truthlocks is a universal verification infrastructure for documents,
    credentials, and digital assets.

    This specification defines the canonical API for interacting with Truthlocks
    services.


    ## Base URLs

    - **Production**: `https://api.truthlocks.com`

    - **Sandbox**: `https://sandbox-api.truthlocks.com`


    ## Authentication

    - **API Keys**: Use `X-API-Key` header for machine-to-machine operations

    - **Bearer Tokens**: Use `Authorization: Bearer <jwt>` for user-initiated
    operations


    ## Tenant Identity

    In production, tenant identity is derived from the authenticated context
    (API key or JWT).

    The `X-Tenant-ID` header is ignored in production to prevent spoofing.
  version: 1.0.0
  contact:
    name: Truthlocks Support
    url: https://truthlocks.com/support
    email: support@truthlocks.com
servers:
  - url: https://api.truthlocks.com
    description: Production API
  - url: https://sandbox-api.truthlocks.com
    description: Sandbox Environment
security:
  - APIKey: []
tags:
  - name: Authentication
    description: API key and token management
  - name: Issuers
    description: Issuer registration and trust management
  - name: Keys
    description: Cryptographic key management for issuers
  - name: Attestations
    description: Attestation lifecycle (mint, revoke, supersede)
  - name: Verification
    description: Attestation verification and proof bundles
  - name: Governance
    description: Issuer governance workflows (admin only)
  - name: Identity
    description: Organization, user, and role management
  - name: Audit
    description: Audit event queries
  - name: Platform
    description: Platform administration (super admin only)
  - name: Platform Review
    description: Staff review workflows for issuer applications
  - name: Tenant Console
    description: Tenant profile and lifecycle endpoints
  - name: Health
    description: Service health and readiness endpoints
  - name: Risk
    description: Risk signal ingestion and fraud detection
  - name: Risk Enforcement
    description: Risk enforcement actions — block, challenge, quarantine, and configuration
  - name: Billing
    description: Billing, subscription, and addon management
  - name: Machine Identity
    description: >-
      Machine Agent Identity Protocol (MAIP) — agent registration, sessions,
      trust, witness, compliance, orchestration, and observability
externalDocs:
  description: Transparency read-only API (separate service spec)
  url: >-
    https://github.com/truthlocks/truthlock/blob/main/docs/transparency/openapi.yaml
paths:
  /v1/maip/policies:
    get:
      tags:
        - Machine Identity
      summary: List MAIP Policies
      description: >
        Returns all MAIP agent enforcement policies configured for the
        authenticated

        tenant. Only active policies are evaluated during runtime policy checks.
      operationId: maip.policies.list
      responses:
        '200':
          description: Array of policies
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/MaipPolicy'
        '401':
          description: Authentication required
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorEnvelope'
      security:
        - APIKey: []
components:
  schemas:
    MaipPolicy:
      type: object
      properties:
        id:
          type: string
          format: uuid
          description: UUID primary key
        tenant_id:
          type: string
          format: uuid
          description: UUID of the owning tenant
        name:
          type: string
          description: Human-readable policy name
        description:
          type: string
          description: Detailed policy description
        category:
          type: string
          enum:
            - scope
            - trust
            - rate
            - custom
          description: Policy category
        status:
          type: string
          enum:
            - active
            - disabled
            - archived
          description: Policy lifecycle status
        priority:
          type: integer
          description: Evaluation priority (lower = first)
        rules:
          type: array
          items:
            $ref: '#/components/schemas/MaipPolicyRule'
          description: Array of policy rules
        created_at:
          type: string
          format: date-time
        updated_at:
          type: string
          format: date-time
    ErrorEnvelope:
      type: object
      required:
        - code
        - message
        - http_status
      properties:
        code:
          type: string
          description: Machine-readable error code
          enum:
            - AUTH_REQUIRED
            - AUTH_INVALID
            - PERMISSION_DENIED
            - TENANT_IDENTITY_UNVERIFIED
            - NOT_FOUND
            - VALIDATION_ERROR
            - CONFLICT
            - PAYLOAD_TOO_LARGE
            - RATE_LIMIT_EXCEEDED
            - QUOTA_EXCEEDED
            - SERVICE_UNAVAILABLE
            - INTERNAL_ERROR
        message:
          type: string
          description: Human-readable error message
        http_status:
          type: integer
          description: HTTP status code
        retry_after_ms:
          type: integer
          description: Milliseconds to wait before retrying (for rate limits)
        details:
          type: object
          description: Additional error context
      example:
        code: AUTH_REQUIRED
        message: Authentication required
        http_status: 401
    MaipPolicyRule:
      type: object
      properties:
        conditions:
          type: array
          items:
            $ref: '#/components/schemas/MaipPolicyCondition'
          description: Conditions that must all match (AND logic)
        effect:
          type: string
          enum:
            - allow
            - deny
            - require_approval
          description: Action to take when conditions match
        requires_approval:
          type: boolean
          description: Whether human approval is required
    MaipPolicyCondition:
      type: object
      properties:
        field:
          type: string
          enum:
            - trust_score
            - scope
            - agent_type
            - delegation_depth
          description: The field to evaluate
        op:
          type: string
          enum:
            - eq
            - ne
            - lt
            - gt
            - le
            - ge
            - in
            - contains
          description: Comparison operator
        value:
          description: Value to compare against (type depends on field)
  securitySchemes:
    APIKey:
      type: apiKey
      in: header
      name: X-API-Key
      description: API key for machine-to-machine authentication

````