> ## Documentation Index
> Fetch the complete documentation index at: https://docs.truthlocks.com/llms.txt
> Use this file to discover all available pages before exploring further.
# Create policy
> Create a new issuance policy with rules that control minting, verification, or proof-bundle export.
Creates a policy for the authenticated tenant. Set `status` to `DRAFT` to save without enforcing, or `ACTIVE` to begin enforcement immediately.
Each policy contains a set of rules evaluated in order. The first matching rule determines the outcome. If no rule matches, the `default_effect` applies.
See the [issuance policies guide](/guides/issuance-policies) for a walkthrough of rule syntax, condition operators, and lifecycle management.
### Parameters
A human-readable name for the policy (e.g., "US Issuers Only").
The action this policy applies to: `MINT`, `VERIFY`, or `BUNDLE_EXPORT`.
Initial status: `DRAFT`, `ACTIVE`, or `DISABLED`. Only `ACTIVE` policies are enforced.
Optional description explaining the policy's purpose.
Rule language. Use `json_rules` for the built-in JSON rules engine.
The rule set containing an array of rules and a `default_effect`.
Ordered list of rules. Each rule has an `id`, `description`, array of `conditions`, and an `effect` (`ALLOW` or `DENY`).
Effect when no rule matches: `ALLOW` or `DENY`.
### Responses
## OpenAPI
````yaml mint-openapi.yaml POST /v1/policies
openapi: 3.0.3
info:
title: Truthlocks API
description: >
Truthlocks is a universal verification infrastructure for documents,
credentials, and digital assets.
This specification defines the canonical API for interacting with Truthlocks
services.
## Base URLs
- **Production**: `https://api.truthlocks.com`
- **Sandbox**: `https://sandbox-api.truthlocks.com`
## Authentication
- **API Keys**: Use `X-API-Key` header for machine-to-machine operations
- **Bearer Tokens**: Use `Authorization: Bearer ` for user-initiated
operations
## Tenant Identity
In production, tenant identity is derived from the authenticated context
(API key or JWT).
The `X-Tenant-ID` header is ignored in production to prevent spoofing.
version: 1.0.0
contact:
name: Truthlocks Support
url: https://truthlocks.com/support
email: support@truthlocks.com
servers:
- url: https://api.truthlocks.com
description: Production API
- url: https://sandbox-api.truthlocks.com
description: Sandbox Environment
security:
- APIKey: []
tags:
- name: Authentication
description: API key and token management
- name: Issuers
description: Issuer registration and trust management
- name: Keys
description: Cryptographic key management for issuers
- name: Attestations
description: Attestation lifecycle (mint, revoke, supersede)
- name: Verification
description: Attestation verification and proof bundles
- name: Governance
description: Issuer governance workflows (admin only)
- name: Identity
description: Organization, user, and role management
- name: Audit
description: Audit event queries
- name: Platform
description: Platform administration (super admin only)
- name: Platform Review
description: Staff review workflows for issuer applications
- name: Tenant Console
description: Tenant profile and lifecycle endpoints
- name: Health
description: Service health and readiness endpoints
- name: Risk
description: Risk signal ingestion and fraud detection
- name: Risk Enforcement
description: Risk enforcement actions — block, challenge, quarantine, and configuration
- name: Billing
description: Billing, subscription, and addon management
- name: Machine Identity
description: >-
Machine Agent Identity Protocol (MAIP) — agent registration, sessions,
trust, witness, compliance, orchestration, and observability
externalDocs:
description: Transparency read-only API (separate service spec)
url: >-
https://github.com/truthlocks/truthlock/blob/main/docs/transparency/openapi.yaml
paths:
/v1/policies:
post:
tags:
- Policies
summary: Create policy
description: >-
Creates a new issuance policy with rules for minting, verification, or
proof-bundle export.
operationId: policies.create
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- name
- category
- status
- rules
properties:
name:
type: string
category:
type: string
enum:
- MINT
- VERIFY
- BUNDLE_EXPORT
status:
type: string
enum:
- DRAFT
- ACTIVE
- DISABLED
description:
type: string
language:
type: string
default: json_rules
rules:
type: object
description: Rule set with rules array and default_effect
properties:
rules:
type: array
items:
type: object
properties:
id:
type: string
description:
type: string
conditions:
type: array
items:
type: object
effect:
type: string
enum:
- ALLOW
- DENY
default_effect:
type: string
enum:
- ALLOW
- DENY
responses:
'201':
description: Policy created
content:
application/json:
schema:
type: object
properties:
id:
type: string
name:
type: string
category:
type: string
status:
type: string
version:
type: integer
created_at:
type: string
'401':
description: Authentication required
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorEnvelope'
security:
- APIKey: []
components:
schemas:
ErrorEnvelope:
type: object
required:
- code
- message
- http_status
properties:
code:
type: string
description: Machine-readable error code
enum:
- AUTH_REQUIRED
- AUTH_INVALID
- PERMISSION_DENIED
- TENANT_IDENTITY_UNVERIFIED
- NOT_FOUND
- VALIDATION_ERROR
- CONFLICT
- PAYLOAD_TOO_LARGE
- RATE_LIMIT_EXCEEDED
- QUOTA_EXCEEDED
- SERVICE_UNAVAILABLE
- INTERNAL_ERROR
message:
type: string
description: Human-readable error message
http_status:
type: integer
description: HTTP status code
retry_after_ms:
type: integer
description: Milliseconds to wait before retrying (for rate limits)
details:
type: object
description: Additional error context
example:
code: AUTH_REQUIRED
message: Authentication required
http_status: 401
securitySchemes:
APIKey:
type: apiKey
in: header
name: X-API-Key
description: API key for machine-to-machine authentication
````