Create MAIP Policy

POST /v1/maip/policies

Creates a new MAIP agent enforcement policy for the authenticated tenant. Policies define runtime rules that are evaluated when agents request access to scoped resources via the Evaluate Policy endpoint.

MAIP policies are different from RBAC issuance policies. MAIP policies govern machine agent behavior at runtime based on trust scores, delegation depth, scopes, and agent type. RBAC policies govern credential issuance and human user access.

Authentication

Requires X-API-Key header or Bearer JWT token. Tenant-scoped via cookie or JWT claim.

Request Body

name (string, required)
Human-readable policy name. Used in denial messages and audit logs when the policy blocks an action. Must be unique per tenant. Maximum 256 characters.

description (string)
Detailed description of what the policy enforces and why. Maximum 2048 characters.

category (string)
Policy category for organizational purposes. One of:
  • "scope" — Restricts access based on scopes or resources
  • "trust" — Restricts access based on trust scores
  • "rate" — Restricts access frequency or volume
  • "custom" — Custom enforcement logic
Defaults to "custom" if omitted.

priority (integer)
Evaluation priority. Lower numbers are evaluated first. Range: 1-1000. Defaults to 100 if omitted. Multiple policies at the same priority are evaluated in creation order.

rules (object, required)
JSON array of policy rules. Each rule is evaluated independently. If any rule with "effect": "deny" matches, the action is denied.

Rule schema:

```json
{
  "conditions": [{ "field": "trust_score", "op": "lt", "value": 0.5 }],
  "effect": "deny",
  "requires_approval": false
}
```

Condition fields:

| Field | Type | Operators | Description |
|---|---|---|---|
| trust_score | number | lt, gt, le, ge | Agent’s current trust score (0.0-1.0) |
| scope | string | eq, ne, in, contains | The scope being accessed (e.g., "data:write") |
| agent_type | string | eq, ne, in | Agent type (e.g., "llm", "worker", "orchestrator") |
| delegation_depth | number | gt, ge, lt, le | Agent’s position in the delegation chain (0 = direct) |

Operators:

| Operator | Description | Example value |
|---|---|---|
| eq | Equals | "data:write" |
| ne | Not equals | "system" |
| lt | Less than | 0.5 |
| gt | Greater than | 3 |
| le | Less than or equal | 0.3 |
| ge | Greater than or equal | 0.7 |
| in | Matches any value in a list | ["llm", "worker"] |
| contains | String contains substring | "write" |

Effects:
  • "allow" — Explicitly allow (does not override denials)
  • "deny" — Block the action. First deny wins.
  • "require_approval" — Require human approval before proceeding

All conditions within a single rule are AND-ed. Multiple rules within a policy are evaluated independently.
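To make the precedence rules above concrete, here is a local model of the evaluation semantics this reference describes: lower priority number first, creation order as the tie-breaker, conditions AND-ed within a rule, first deny wins, and an allow that never overrides a deny. It is an added example, not TruthLocks code; the function names, the sample policies and request contexts are constructed here, the `requires_approval` key is read as a second way to request approval (an interpretation), and the fail-closed `default_effect` for the case where no rule matches is an assumption, since the page does not state what the service does then. The real verdict comes from the Evaluate Policy endpoint.

```python
"""Added example: a local model of MAIP policy rule evaluation.

Not TruthLocks code. Names, sample policies and contexts are constructed;
behaviour for unmatched requests and malformed conditions is an assumption.
"""
from typing import Any, Callable

# Operator table, as documented in the Operators section of the reference.
OPERATORS: dict[str, Callable[[Any, Any], bool]] = {
    "eq": lambda actual, expected: actual == expected,
    "ne": lambda actual, expected: actual != expected,
    "lt": lambda actual, expected: actual < expected,
    "gt": lambda actual, expected: actual > expected,
    "le": lambda actual, expected: actual <= expected,
    "ge": lambda actual, expected: actual >= expected,
    "in": lambda actual, expected: actual in expected,
    "contains": lambda actual, expected: expected in actual,
}


def condition_matches(cond: dict, ctx: dict) -> bool:
    """True when a single condition holds for the request context.

    Assumption: a condition on a field absent from the context, an unknown
    operator, or a type mismatch (e.g. "contains" on a number) does not match.
    """
    if cond["field"] not in ctx or cond["op"] not in OPERATORS:
        return False
    try:
        return OPERATORS[cond["op"]](ctx[cond["field"]], cond["value"])
    except TypeError:
        return False


def rule_matches(rule: dict, ctx: dict) -> bool:
    """All conditions within a single rule are AND-ed."""
    return all(condition_matches(c, ctx) for c in rule["conditions"])


def evaluate(policies: list[dict], ctx: dict, default_effect: str = "deny") -> dict:
    """Evaluate active policies against one agent request context.

    Returns a verdict dict with "effect" and the name of the deciding policy.
    Precedence: deny (first match wins) > require_approval > allow > default.
    default_effect models the undocumented no-match case and fails closed.
    """
    ordered = sorted(
        (p for p in policies if p.get("status", "active") == "active"),
        key=lambda p: (p.get("priority", 100), p.get("created_at", "")),
    )
    pending_approval = None
    explicit_allow = None
    for policy in ordered:
        for rule in policy["rules"]:
            if not rule_matches(rule, ctx):
                continue
            effect = rule["effect"]
            if effect == "deny":
                # First deny wins; the policy name goes into the denial message.
                return {"effect": "deny", "policy": policy["name"],
                        "reason": f"denied by policy '{policy['name']}'"}
            if effect == "require_approval" or rule.get("requires_approval"):
                pending_approval = pending_approval or policy["name"]
            elif effect == "allow":
                explicit_allow = explicit_allow or policy["name"]
    if pending_approval:
        return {"effect": "require_approval", "policy": pending_approval}
    if explicit_allow:
        return {"effect": "allow", "policy": explicit_allow}
    return {"effect": default_effect, "policy": None}


# Constructed sample policies, deliberately listed out of priority order.
SAMPLE_POLICIES = [
    {"name": "Block Low-Trust Write Operations", "priority": 10,
     "created_at": "2024-01-02T00:00:00Z", "rules": [{
         "conditions": [{"field": "trust_score", "op": "lt", "value": 0.5},
                        {"field": "scope", "op": "eq", "value": "data:write"}],
         "effect": "deny", "requires_approval": False}]},
    {"name": "Allow Orchestrators", "priority": 1,
     "created_at": "2024-01-01T00:00:00Z", "rules": [{
         "conditions": [{"field": "agent_type", "op": "eq", "value": "orchestrator"}],
         "effect": "allow", "requires_approval": False}]},
    {"name": "Approve Deep Delegation Writes", "priority": 50,
     "created_at": "2024-01-03T00:00:00Z", "rules": [{
         "conditions": [{"field": "delegation_depth", "op": "ge", "value": 2},
                        {"field": "scope", "op": "contains", "value": "write"}],
         "effect": "require_approval", "requires_approval": True}]},
]

if __name__ == "__main__":
    # A low-trust orchestrator writing: the priority-1 allow matches first,
    # but allow does not override the priority-10 deny.
    print(evaluate(SAMPLE_POLICIES, {"trust_score": 0.3, "scope": "data:write",
                                     "agent_type": "orchestrator", "delegation_depth": 0}))
    print(evaluate(SAMPLE_POLICIES, {"trust_score": 0.9, "scope": "data:write",
                                     "agent_type": "worker", "delegation_depth": 3}))
```

The first verdict printed is the one worth studying: the allow rule at priority 1 matches before the deny at priority 10, yet the request is still denied, which is exactly the "does not override denials" property the Effects list states.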

Response

Returns the created policy object with server-generated fields (id, tenant_id, status, timestamps).

id (string)
UUID primary key of the created policy.

tenant_id (string)
UUID of the owning tenant.

name (string)
Policy name as provided.

description (string)
Policy description, if provided.

category (string)
Policy category.

status (string)
Always "active" on creation.

priority (integer)
Evaluation priority.

rules (object)
The rules array as provided.

created_at (string)
ISO 8601 creation timestamp.

updated_at (string)
ISO 8601 last-updated timestamp.

Example

cURL

```bash
curl -X POST https://api.truthlocks.com/v1/maip/policies \
  -H "X-API-Key: tl_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Block Low-Trust Write Operations",
    "description": "Deny data:write scope access for agents with trust score below 0.5",
    "category": "trust",
    "priority": 10,
    "rules": [
      {
        "conditions": [
          {"field": "trust_score", "op": "lt", "value": 0.5},
          {"field": "scope", "op": "eq", "value": "data:write"}
        ],
        "effect": "deny",
        "requires_approval": false
      }
    ]
  }'
```

JavaScript

```javascript
const response = await fetch("https://api.truthlocks.com/v1/maip/policies", {
  method: "POST",
  headers: {
    "X-API-Key": "tl_live_...",
    "Content-Type": "application/json",
  },
  body: JSON.stringify({
    name: "Block Low-Trust Write Operations",
    description:
      "Deny data:write scope access for agents with trust score below 0.5",
    category: "trust",
    priority: 10,
    rules: [
      {
        conditions: [
          { field: "trust_score", op: "lt", value: 0.5 },
          { field: "scope", op: "eq", value: "data:write" },
        ],
        effect: "deny",
        requires_approval: false,
      },
    ],
  }),
});
const policy = await response.json();
```

Python

```python
import requests

response = requests.post(
    "https://api.truthlocks.com/v1/maip/policies",
    headers={
        "X-API-Key": "tl_live_...",
        "Content-Type": "application/json",
    },
    json={
        "name": "Block Low-Trust Write Operations",
        "description": "Deny data:write scope access for agents with trust score below 0.5",
        "category": "trust",
        "priority": 10,
        "rules": [
            {
                "conditions": [
                    {"field": "trust_score", "op": "lt", "value": 0.5},
                    {"field": "scope", "op": "eq", "value": "data:write"},
                ],
                "effect": "deny",
                "requires_approval": False,
            }
        ],
    },
)
policy = response.json()
```
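A policy that is rejected, or worse accepted with a condition that can never match (an operator the field does not support, a trust threshold outside 0.0-1.0), silently weakens enforcement. The following pre-flight check, an added example rather than TruthLocks code, validates a request body against the constraints listed under Request Body before it is sent: name and description length, category, priority range, effect names, and the per-field operator and value types from the condition table. The `validate_policy` function and the constructed `PAGE_POLICY` and `BAD_POLICY` inputs are assumptions introduced here; the uniqueness of `name` per tenant can only be checked server-side and is not covered.

```python
"""Added example: client-side validation of a MAIP policy body.

Not TruthLocks code. Checks mirror the documented Request Body constraints;
the sample bodies below are constructed for illustration.
"""

# Allowed operators per condition field, from the Condition fields table.
FIELD_OPERATORS = {
    "trust_score": {"lt", "gt", "le", "ge"},
    "scope": {"eq", "ne", "in", "contains"},
    "agent_type": {"eq", "ne", "in"},
    "delegation_depth": {"gt", "ge", "lt", "le"},
}
NUMERIC_FIELDS = {"trust_score", "delegation_depth"}
CATEGORIES = {"scope", "trust", "rate", "custom"}
EFFECTS = {"allow", "deny", "require_approval"}


def validate_policy(body: dict) -> list[str]:
    """Return a list of human-readable problems; empty means the body is well-formed."""
    errors: list[str] = []
    name = body.get("name")
    if not isinstance(name, str) or not name:
        errors.append("name: required string")
    elif len(name) > 256:
        errors.append("name: exceeds 256 characters")
    desc = body.get("description")
    if desc is not None and (not isinstance(desc, str) or len(desc) > 2048):
        errors.append("description: must be a string of at most 2048 characters")
    category = body.get("category", "custom")
    if category not in CATEGORIES:
        errors.append(f"category: {category!r} is not one of {sorted(CATEGORIES)}")
    priority = body.get("priority", 100)
    # bool is a subclass of int in Python, so reject it explicitly.
    if isinstance(priority, bool) or not isinstance(priority, int) or not 1 <= priority <= 1000:
        errors.append("priority: must be an integer in 1-1000")
    rules = body.get("rules")
    if not isinstance(rules, list) or not rules:
        errors.append("rules: required non-empty array")
        return errors
    for i, rule in enumerate(rules):
        errors.extend(f"rules[{i}]: {e}" for e in _validate_rule(rule))
    return errors


def _validate_rule(rule: dict) -> list[str]:
    errors: list[str] = []
    if rule.get("effect") not in EFFECTS:
        errors.append(f"effect {rule.get('effect')!r} not in {sorted(EFFECTS)}")
    conds = rule.get("conditions")
    if not isinstance(conds, list) or not conds:
        errors.append("conditions must be a non-empty array")
        return errors
    for j, cond in enumerate(conds):
        field, op, value = cond.get("field"), cond.get("op"), cond.get("value")
        if field not in FIELD_OPERATORS:
            errors.append(f"conditions[{j}]: unknown field {field!r}")
            continue
        if op not in FIELD_OPERATORS[field]:
            errors.append(f"conditions[{j}]: operator {op!r} not valid for {field}")
            continue
        # Value type must suit the field and operator: a list for "in",
        # a number for numeric fields, a string otherwise.
        if op == "in":
            ok = isinstance(value, list) and all(isinstance(v, str) for v in value)
        elif field in NUMERIC_FIELDS:
            ok = isinstance(value, (int, float)) and not isinstance(value, bool)
        else:
            ok = isinstance(value, str)
        if not ok:
            errors.append(f"conditions[{j}]: value {value!r} has wrong type for {field}/{op}")
        elif field == "trust_score" and not 0.0 <= value <= 1.0:
            errors.append(f"conditions[{j}]: trust_score threshold {value} outside 0.0-1.0")
    return errors


# The body from the page's example, reconstructed here as a constructed input.
PAGE_POLICY = {
    "name": "Block Low-Trust Write Operations",
    "description": "Deny data:write scope access for agents with trust score below 0.5",
    "category": "trust",
    "priority": 10,
    "rules": [{"conditions": [{"field": "trust_score", "op": "lt", "value": 0.5},
                              {"field": "scope", "op": "eq", "value": "data:write"}],
               "effect": "deny", "requires_approval": False}],
}

# Constructed body that violates several constraints at once.
BAD_POLICY = {
    "name": "x" * 300,
    "category": "risk",
    "priority": 0,
    "rules": [{"conditions": [{"field": "trust_score", "op": "contains", "value": "0"}],
               "effect": "block"}],
}

if __name__ == "__main__":
    print("page example:", validate_policy(PAGE_POLICY) or "ok")
    for problem in validate_policy(BAD_POLICY):
        print("bad example:", problem)
```

Run the check before the `requests.post` call above and refuse to send when the list is non-empty; the `"contains"`-on-`trust_score` case in `BAD_POLICY` is the kind of mistake that would otherwise produce a rule that never fires.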