
Authorization API

The WL-APDP Authorization API provides endpoints for policy-based authorization decisions.

Base URL

http://localhost:8081

Authentication

Currently, the API does not require authentication for authorization requests. Enterprise deployments can enable API key authentication.

Endpoints Overview

Endpoint                  | Method | Description
--------------------------|--------|--------------------------------
/authorize                | POST   | Evaluate authorization request
/policies                 | GET    | List all policies
/policies                 | POST   | Create a new policy
/policies/:id             | GET    | Get policy by ID
/policies/:id             | DELETE | Delete policy
/policies/validate        | GET    | Validate all policies
/policies/validate/single | POST   | Validate a single policy
/policies/metadata        | GET    | Get policy metadata
/policies/analyze         | POST   | Analyze which policies apply
/health                   | GET    | Health check
/ready                    | GET    | Readiness check
/status                   | GET    | Detailed status

Authorization

POST /authorize

Evaluate an authorization request against loaded policies.

Request Body:

{
  "principal": "User::\"alice\"",
  "action": "Action::\"read\"",
  "resource": "Document::\"report-2024\"",
  "context": {
    "intent": "summarize document",
    "goal": "quarterly reporting",
    "delegation_chain": [
      {
        "from": "User::\"alice\"",
        "to": "Agent::\"assistant\""
      }
    ]
  }
}

Response:

{
  "decision": "allow",
  "reasons": [
    {
      "policy_id": "user-document-access",
      "description": "Users can read their own documents"
    }
  ],
  "diagnostics": {
    "policies_evaluated": 5,
    "policies_applicable": 2,
    "evaluation_time_ms": 3
  }
}

Status Codes:

Code | Description
-----|-------------------------------
200  | Authorization decision returned
400  | Invalid request format
500  | Internal server error
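A small client for the request and response shapes documented above, added here as an example; it is not part of WL-APDP and the helper names (entity, build_request, decide, authorize) and the stubbable post transport are assumptions. It builds Type::"id" references safely, attaches a delegation_chain to the context, and fails closed: anything other than an HTTP 200 carrying "decision": "allow" is treated as a denial.

```python
import json
import re
import urllib.error
import urllib.request

BASE_URL = "http://localhost:8081"  # base URL documented on this page
# Entity references in this API look like Type::"id", e.g. User::"alice".
TYPE_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*(::[A-Za-z_][A-Za-z0-9_]*)*")


def entity(kind, ident):
    """Build a Type::"id" reference; reject ids that could break the quoting."""
    if not TYPE_RE.fullmatch(kind) or not ident or '"' in ident or "\\" in ident:
        raise ValueError(f"unsafe entity components: {kind!r}, {ident!r}")
    return f'{kind}::"{ident}"'


def build_request(principal, action, resource, context=None, delegation=()):
    """Assemble the /authorize body; delegation is a list of (from, to) entity pairs."""
    body = {"principal": principal, "action": action, "resource": resource}
    ctx = dict(context or {})
    if delegation:
        ctx["delegation_chain"] = [{"from": f, "to": t} for f, t in delegation]
    if ctx:
        body["context"] = ctx
    return body


def decide(status, payload):
    """Fail closed: only HTTP 200 with decision == "allow" counts as permission."""
    if status != 200:
        return False, [f"http-{status}"]
    try:
        doc = json.loads(payload)
    except ValueError:
        return False, ["malformed-response"]
    reasons = [r.get("policy_id", "?") for r in doc.get("reasons", [])]
    return doc.get("decision") == "allow", reasons


def authorize(body, post=None):
    """POST body to /authorize. post(data) -> (status, bytes) can be stubbed offline."""
    if post is None:
        def post(data):
            req = urllib.request.Request(BASE_URL + "/authorize", data=data, method="POST",
                                         headers={"Content-Type": "application/json"})
            try:
                with urllib.request.urlopen(req, timeout=5) as resp:
                    return resp.status, resp.read()
            except urllib.error.HTTPError as err:
                return err.code, err.read()
    return decide(*post(json.dumps(body).encode()))
```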

Policies

GET /policies

List all policies.

Response:

{
  "policies": [
    {
      "id": "admin-full-access",
      "name": "Admin Full Access",
      "code": "permit(principal in Group::\"admins\", action, resource);",
      "description": "Admins have full access",
      "active": true,
      "created_at": "2024-01-01T00:00:00Z",
      "updated_at": "2024-01-01T00:00:00Z"
    }
  ]
}

POST /policies

Create a new policy.

Request Body:

{
  "id": "new-policy",
  "name": "New Policy",
  "code": "permit(principal == User::\"bob\", action, resource);",
  "description": "Allow Bob access to everything",
  "active": true,
  "created_at": "2024-01-15T00:00:00Z",
  "updated_at": "2024-01-15T00:00:00Z"
}

Response: Created policy object

Status Codes:

Code | Description
-----|--------------------------------------------
201  | Policy created
400  | Invalid policy format or Cedar syntax error
409  | Policy ID already exists

GET /policies/:id

Get a specific policy by ID.

Response: Policy object

Status Codes:

Code | Description
-----|-----------------
200  | Policy found
404  | Policy not found

DELETE /policies/:id

Delete a policy.

Status Codes:

Code | Description
-----|-----------------
204  | Policy deleted
404  | Policy not found

Policy Validation

GET /policies/validate

Validate all loaded policies.

Response:

{
  "valid": true,
  "errors": [],
  "warnings": []
}

POST /policies/validate/single

Validate a single policy without saving it.

Request Body:

{
  "code": "permit(principal == User::\"alice\", action, resource);"
}

Response:

{
  "valid": true,
  "errors": [],
  "parsed_policy": {
    "effect": "permit",
    "principal_constraint": "User::\"alice\"",
    "action_constraint": "*",
    "resource_constraint": "*"
  }
}

Policy Analysis

GET /policies/metadata

Get metadata for all policies (used for intelligent selection).

Response:

{
  "metadata": [
    {
      "policy_id": "admin-access",
      "principal_pattern": "Group::admins",
      "action_pattern": "*",
      "resource_pattern": "*",
      "context_requirements": [],
      "complexity_score": 1
    }
  ]
}

POST /policies/analyze

Analyze which policies would apply to a given request.

Request Body:

{
  "principal": "Agent::\"bot\"",
  "action": "Action::\"execute\"",
  "resource": "Tool::\"search\"",
  "context": {
    "intent": "search_web"
  }
}

Response:

{
  "total_policies": 50,
  "applicable_policies": 3,
  "policies": [
    {
      "id": "agent-tool-access",
      "name": "Agent Tool Access",
      "would_match": true,
      "match_reasons": ["Principal is Agent", "Action is execute", "Resource is Tool"]
    }
  ]
}

Health Checks

GET /health

Basic health check.

Response:

{
  "status": "healthy"
}

GET /ready

Readiness check (includes policy validation).

Response:

{
  "status": "ready",
  "policies_loaded": 25,
  "policies_valid": true
}

GET /status

Detailed server status.

Response:

{
  "status": "running",
  "version": "1.0.0",
  "uptime_seconds": 3600,
  "policies": {
    "total": 25,
    "active": 23,
    "inactive": 2
  },
  "metrics": {
    "requests_total": 10000,
    "requests_allowed": 9500,
    "requests_denied": 500,
    "avg_latency_ms": 5
  }
}

Error Responses

All error responses follow this format:

{
  "error": "InvalidRequest",
  "message": "Principal format is invalid",
  "details": {
    "field": "principal",
    "value": "invalid-format"
  }
}

Rate Limits

Default rate limits (configurable):

Endpoint   | Limit
-----------|----------------
/authorize | 10,000 req/min
/policies  | 100 req/min
Other      | 1,000 req/min

OpenAPI Specification

The full OpenAPI specification is available at:

  • /openapi.json - JSON format
  • /openapi.yaml - YAML format

Interactive API explorer coming soon with OpenAPI integration.