> ## Documentation Index
> Fetch the complete documentation index at: https://docs.truthlocks.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Set Signing Policy

> Configure which issuers and algorithms may sign receipts of a given type.

Sets or updates the signing policy for a receipt type. The policy controls which issuers can mint receipts and which signing algorithms are permitted.

If no policy is configured, all trusted issuers with any algorithm are permitted.

To read the current policy, use `GET /v1/receipt-types/{name}/signing-policy`.

## Path parameters

<ParamField path="name" type="string" required>
  Receipt type name, optionally versioned: `payment_receipt` or `payment_receipt@1.0.0`.
</ParamField>

## Request

<ParamField body="allow_any_issuer" type="boolean" required>
  If `true`, any trusted issuer meeting the `min_trust_tier` may mint receipts of this type.
</ParamField>

<ParamField body="allowed_issuer_ids" type="string[]">
  UUIDs of explicitly permitted issuers. Used when `allow_any_issuer` is `false`.
</ParamField>

<ParamField body="min_trust_tier" type="string">
  Minimum trust tier: `any`, `self_issued`, `verified_org`, or `regulated_issuer`. Defaults to `any`.
</ParamField>

<ParamField body="allowed_algs" type="string[]">
  Allowed signing algorithms (e.g. `["Ed25519"]`). Empty array means all algorithms are permitted.
</ParamField>

## Response

<ResponseField name="receipt_type" type="string">The receipt type name.</ResponseField>
<ResponseField name="allow_any_issuer" type="boolean">Whether any trusted issuer can mint.</ResponseField>
<ResponseField name="allowed_issuer_ids" type="array">Whitelisted issuer UUIDs.</ResponseField>
<ResponseField name="min_trust_tier" type="string">Minimum trust tier required.</ResponseField>
<ResponseField name="allowed_algs" type="array">Permitted signing algorithms.</ResponseField>
<ResponseField name="updated_at" type="string">ISO 8601 timestamp of last update.</ResponseField>


## OpenAPI

````yaml mint-openapi.yaml POST /v1/receipt-types/{name}/signing-policy
openapi: 3.0.3
info:
  title: Truthlocks API
  description: >
    Truthlocks is a universal verification infrastructure for documents,
    credentials, and digital assets.

    This specification defines the canonical API for interacting with Truthlocks
    services.


    ## Base URLs

    - **Production**: `https://api.truthlocks.com`

    - **Sandbox**: `https://sandbox-api.truthlocks.com`


    ## Authentication

    - **API Keys**: Use `X-API-Key` header for machine-to-machine operations

    - **Bearer Tokens**: Use `Authorization: Bearer <jwt>` for user-initiated
    operations


    ## Tenant Identity

    In production, tenant identity is derived from the authenticated context
    (API key or JWT).

    The `X-Tenant-ID` header is ignored in production to prevent spoofing.
  version: 1.0.0
  contact:
    name: Truthlocks Support
    url: https://truthlocks.com/support
    email: support@truthlocks.com
servers:
  - url: https://api.truthlocks.com
    description: Production API
  - url: https://sandbox-api.truthlocks.com
    description: Sandbox Environment
security:
  - APIKey: []
tags:
  - name: Authentication
    description: API key and token management
  - name: Issuers
    description: Issuer registration and trust management
  - name: Keys
    description: Cryptographic key management for issuers
  - name: Attestations
    description: Attestation lifecycle (mint, revoke, supersede)
  - name: Verification
    description: Attestation verification and proof bundles
  - name: Governance
    description: Issuer governance workflows (admin only)
  - name: Identity
    description: Organization, user, and role management
  - name: Audit
    description: Audit event queries
  - name: Platform
    description: Platform administration (super admin only)
  - name: Platform Review
    description: Staff review workflows for issuer applications
  - name: Tenant Console
    description: Tenant profile and lifecycle endpoints
  - name: Health
    description: Service health and readiness endpoints
  - name: Risk
    description: Risk signal ingestion and fraud detection
  - name: Risk Enforcement
    description: Risk enforcement actions — block, challenge, quarantine, and configuration
  - name: Billing
    description: Billing, subscription, and addon management
  - name: Machine Identity
    description: >-
      Machine Agent Identity Protocol (MAIP) — agent registration, sessions,
      trust, witness, compliance, orchestration, and observability
externalDocs:
  description: Transparency read-only API (separate service spec)
  url: >-
    https://github.com/truthlocks/truthlock/blob/main/docs/transparency/openapi.yaml
paths:
  /v1/receipt-types/{name}/signing-policy:
    post:
      tags:
        - Receipts
      summary: Set signing policy
      description: >-
        Sets the signing policy for a receipt type, controlling which algorithms
        and keys are allowed.
      operationId: receiptTypes.signingPolicy
      parameters:
        - name: name
          in: path
          required: true
          schema:
            type: string
          description: Receipt type name
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - allowed_algorithms
              properties:
                allowed_algorithms:
                  type: array
                  items:
                    type: string
                  description: List of allowed signing algorithms
                require_hsm:
                  type: boolean
                  description: Require HSM-backed keys
      responses:
        '200':
          description: Signing policy updated
          content:
            application/json:
              schema:
                type: object
                properties:
                  name:
                    type: string
                  signing_policy:
                    type: object
        '401':
          description: Authentication required
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorEnvelope'
      security:
        - APIKey: []
components:
  schemas:
    ErrorEnvelope:
      type: object
      required:
        - code
        - message
        - http_status
      properties:
        code:
          type: string
          description: Machine-readable error code
          enum:
            - AUTH_REQUIRED
            - AUTH_INVALID
            - PERMISSION_DENIED
            - TENANT_IDENTITY_UNVERIFIED
            - NOT_FOUND
            - VALIDATION_ERROR
            - CONFLICT
            - PAYLOAD_TOO_LARGE
            - RATE_LIMIT_EXCEEDED
            - QUOTA_EXCEEDED
            - SERVICE_UNAVAILABLE
            - INTERNAL_ERROR
        message:
          type: string
          description: Human-readable error message
        http_status:
          type: integer
          description: HTTP status code
        retry_after_ms:
          type: integer
          description: Milliseconds to wait before retrying (for rate limits)
        details:
          type: object
          description: Additional error context
      example:
        code: AUTH_REQUIRED
        message: Authentication required
        http_status: 401
  securitySchemes:
    APIKey:
      type: apiKey
      in: header
      name: X-API-Key
      description: API key for machine-to-machine authentication

````