Endpoints
Resolve policy
Explain the compiled scope for a surface — the ACL tokens a key holds and the classifications it may see, without running a search.
POST/v1/policy/resolve
Returns the compiled scope for a key acting under a surface — without running
a retrieval. Use it to debug "why can't this key see that document?" and to show
callers exactly what they're allowed to touch. It is the human-readable form of
the filter that /v1/retrieve ANDs into every query.
Request body
Prop
Type
{ "surface": "agent_assist", "onBehalfOf": "5591" }Response
Prop
Type
{
"audience": "internal_agent",
"namespace": "t_serviceagent",
"aclTokens": ["public", "internal", "confidential", "subject:5591"],
"product": "serviceagent",
"allowedClassifications": ["public", "internal", "confidential"],
"predicates": [
{ "field": "acl", "op": "anyof", "value": ["public", "internal", "confidential", "subject:5591"] }
],
"decisionId": "dec_c40e…"
}Compare an anonymous public key — it holds only ["public"], so the same
document about customer 5591 is invisible to it:
{
"audience": "end_customer",
"namespace": "t_serviceagent",
"aclTokens": ["public"],
"product": "serviceagent",
"allowedClassifications": ["public"],
"predicates": [{ "field": "acl", "op": "anyof", "value": ["public"] }],
"decisionId": "dec_c40f…"
}Try it
POST http://localhost:8080/v1/policy/resolve