Skip to content

Policy Engine

Unified policy engine configuration and runtime checks.

Authrim currently exposes policy functionality through two surfaces:

  • Tenant policy management: /api/admin/tenant-policy
  • Policy worker runtime checks: /policy/*, /api/rebac/*, and /api/check/*
GET /api/admin/tenant-policy
Authorization: Bearer <admin_token>
PUT /api/admin/tenant-policy
Authorization: Bearer <admin_token>
Content-Type: application/json
{
"ifMatch": "3",
"policy": {
"metadata": { "status": "active" },
"profile": "human"
}
}

Updates require ifMatch to prevent concurrent modification and version rollback.

EndpointMethodDescription
/policy/evaluatePOSTEvaluate a policy context
/policy/check-rolePOSTCheck role membership
/policy/check-accessPOSTCheck resource/action access
/api/rebac/checkPOSTReBAC check
/api/rebac/batch-checkPOSTBatch ReBAC checks
/api/checkPOSTUnified permission check
/api/check/batchPOSTBatch unified checks

Runtime endpoints are service-to-service APIs and require the policy worker internal bearer token.