Policies
CRUD, lifecycle, and AI-assisted generation for governance policies.
The Policies API is the programmatic equivalent of the dashboard policy editor. Use it to roll out policies from infrastructure-as-code, to bulk-generate policies from regulations, or to sync policies between projects.
GET /api/v1/policies
List policies with optional filters.
GET /api/v1/policies?status=ACTIVE&agent_id=agent_...| Query | Default | Description |
|---|---|---|
status | — | DRAFT, ACTIVE, DEPRECATED |
agent_id | — | Only policies scoped to (or applicable to) this agent |
detection_mode | — | AUTO, EXACT, SEMANTIC |
cursor / limit | — / 50 | Pagination |
GET /api/v1/policies/{id}
Returns the full policy record including version history.
POST /api/v1/policies
Create a new policy.
{
"name": "Block financial PII",
"neural_instruction": "Block any prompt containing credit card numbers, IBANs, or SSNs.",
"enforcement_action": "BLOCK",
"detection_mode": "AUTO",
"scope": { "type": "all_agents" },
"attestation_level": "AUTOMATIC",
"status": "DRAFT"
}Policies start in DRAFT by default — set status: "ACTIVE" on creation, or activate later via the lifecycle endpoint.
PATCH /api/v1/policies/{id}
Update fields on an existing policy. Each update creates a new version — old versions remain queryable via GET /policies/{id}/versions.
Lifecycle
| Endpoint | Effect |
|---|---|
POST /policies/{id}/activate | DRAFT → ACTIVE |
POST /policies/{id}/deprecate | ACTIVE → DEPRECATED |
DELETE /policies/{id} | Soft-delete; creates a Flare attestation of the deletion event |
Deprecated policies stay queryable in traces and audit logs but are no longer evaluated against new requests.
POST /api/v1/policies/generate
Generate one or more DRAFT policies from a regulation document (e.g. EU AI Act, GDPR, HIPAA, an internal AUP).
{
"regulation": "eu_ai_act",
"sections": ["art_5", "art_6"],
"target_agent_type": "chatbot"
}Returns an array of generated policies, each in DRAFT status. Review every one in the dashboard before activating — the generator is high-recall, not high-precision.
POST /api/v1/ai-assist
The same endpoint that powers the dashboard's NL Policy Builder. Given a plain-English description of intent, returns a fully-formed policy ready to review.
{
"intent": "Block credit card numbers and IBANs in customer-support prompts.",
"context": { "agent_type": "chatbot", "data_protection_level": "PSEUDONYMIZED" }
}Response:
{
"policy": {
"name": "Block financial PII",
"neural_instruction": "Block any prompt containing credit card numbers (PAN format) or IBAN-formatted bank account numbers.",
"enforcement_action": "BLOCK",
"detection_mode": "EXACT",
"suggested_keywords": ["IBAN", "CARD_PAN"],
"scope": { "type": "agent_type", "agent_type": "chatbot" }
},
"confidence": 0.91,
"alternatives": [ ... ]
}Use programmatically to:
- Generate policies from a CSV of risks during onboarding
- Suggest policies based on a new agent's purpose (the agent wizard calls this endpoint under the hood)
- Power custom internal tooling that turns AUP documents into Palveron policies
Errors
| Status | Code | Meaning |
|---|---|---|
400 | INVALID_SCOPE | The scope object is malformed |
400 | INVALID_ENFORCEMENT_ACTION | Not one of BLOCK, APPROVAL, MODIFY, FLAG |
403 | POLICY_LIMIT_EXCEEDED | Tier's policy cap reached — upgrade or deprecate an existing policy |
409 | DUPLICATE_NAME | Another active policy already uses this name |