Skip to main content
API docs by Redocly

Styra API (2.0.0)

Download OpenAPI specification:Download

E-mail: support@styra.com License: Apache 2.0 Terms of Service

Styra DAS is entirely API-driven.

Access to the APIs requires authentication that should be provided as an Authorization HTTP header including a Styra DAS-issued token:

Authorization: Bearer <YOURTOKENHERE>

To request a token you need to have an Styra account, and create a token via the API Tokens menu.

Styra DAS Documentation

activity

Activity log

Retrieve activity log

Returns at most 256 entries by default, unless Count is provided (max: 4096). If only start_time or end_time is provided by the caller then the request defaults to 1 hour range

Request Body schema: application/json
required
class_type
string

audit or activity

count
integer <int32>
Default: 256

max count of records to return: max(4096)

end_time
string <date-time>

filter time range end_time

forward
boolean
Default: false

search from start(true) or end(false) of table

request_id
string

filter on matching request_id

start_time
string <date-time>

filter time range start_time

Responses

Request samples

Content type
application/json
{
  • "class_type": "string",
  • "count": 256,
  • "end_time": "2019-08-24T14:15:22Z",
  • "forward": false,
  • "request_id": "string",
  • "start_time": "2019-08-24T14:15:22Z"
}

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

activity-v2

Activity log

Retrieve activity records

query Parameters
cursor
string

continue from cursor position of previous query

start_time
string

minimum request time

end_time
string

maximum request time

query
string

search query

limit
integer

maximum number of activity records to return

class
string

filter response to given activity class

outcome
string

filter by outcome type. One of (all, allowed, denied, error)

order
string

ASC, DESC (default)

default_timezone
string

client time zone offset e.g. -07:00, +3:00, Z. Local time expressions in query are adjusted with this offset

compact
boolean

return only essential decision fields

Responses

Response samples

Content type
application/json
{
  • "cursor": "string",
  • "request_id": "string",
  • "results": [
    ]
}

Retrieve activity record for given request UD

path Parameters
id
required
string.*

request ID

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "results": {
    }
}

agents

Agent statuses API

Get current agent statuses

path Parameters
kind
required
string

agent kind such as "agents", "datasources", "datasources-agents", "slps", "exporters"

query Parameters
system
string

return only statuses for one or more system ID

id
string

return only statuses for one or more agent ID

excludes
string

filters keys from agent statuses (separate keys by comma, nest keys using dot notation (e.g. parentKey.nestedKey,parentKey2). lists unsupported

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

Post agent status

path Parameters
kind
required
string

agent kind such as "agents", "datasources", "datasources-agents", "slps", "exporters"

Request Body schema: application/json
required
object (status.v1.AgentStatus)

Responses

Request samples

Content type
application/json
{ }

Response samples

Content type
application/json
{
  • "request_id": "string"
}

Delete agent information

path Parameters
kind
required
string

agent kind such as "agents", "datasources", "datasources-agents", "slps", "exporters"

id
required
string.*

agent id

Responses

Response samples

Content type
application/json
{
  • "request_id": "string"
}

Update agent status

path Parameters
kind
required
string

agent kind such as "agents", "datasources", "datasources-agents", "slps", "exporters"

id
required
string.*

agent id

Request Body schema: application/json
required
object (status.v1.AgentStatus)

Responses

Request samples

Content type
application/json
{ }

Response samples

Content type
application/json
{
  • "request_id": "string"
}

authz

Authz management

Evaluate a list of permissions

Request Body schema: application/json
required
Array
action
required
string
body
required
object
check_option
required
string
operation
required
string
path
required
string

Responses

Request samples

Content type
application/json
[
  • {
    }
]

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": [
    ]
}

List all role bindings for all resources of all resource types

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

List role bindings

path Parameters
resourcetype
required
string.*

resource type

resource
required
string.*

resource id

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": [
    ]
}

Delete a resource role binding

path Parameters
resourcetype
required
string.*

resource type

resource
required
string.*

resource id

rolebinding
required
string.*

role binding id

query Parameters
recursive
string

if set to 'false', only deletes the role binding configuration and does not delete associated objects

Responses

Response samples

Content type
application/json
{
  • "request_id": "string"
}

Get a role binding

path Parameters
resourcetype
required
string.*

resource type

resource
required
string.*

resource id

rolebinding
required
string.*

role binding id

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

Update a role binding

path Parameters
resourcetype
required
string.*

resource type

resource
required
string.*

resource id

rolebinding
required
string.*

role binding id

Request Body schema: application/json
required
description
required
string
id
required
string
role_name
required
string
subjects
required
Array of strings

Responses

Request samples

Content type
application/json
{
  • "description": "string",
  • "id": "string",
  • "role_name": "string",
  • "subjects": [
    ]
}

Response samples

Content type
application/json
{
  • "request_id": "string"
}

List Styra-defined roles

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": [
    ]
}

List role bindings

query Parameters
resource_kind
string

if set returns only rolebindings involving the specified resource kind (if supplied multiple times will return rolebindings that match any of the specified resource kinds)

resource_id
string

if set returns only rolebindings involving the specified resource id (if supplied multiple times will return rolebindings that match any of the specified resource ids)

role_id
string

if set returns only rolebindings involving the specified role id (if supplied multiple times will return rolebindings that match any of the specified role ids)

subject_kind
string

if set returns only rolebindings involving the specified subject kind (if supplied multiple times will return rolebindings that match any of the specified subject kinds)

subject_id
string

if set returns only rolebindings involving the specified subject id (if supplied multiple times will return rolebindings that match any of the specified subject ids)

internal
boolean

if set to 'true', returns only internal rolebindings

limit
integer

maximum number of items to return. If no limit is specified, the default is to return all results.

offset
integer

controls the starting point within the list of items. Note that the first item is retrieved by setting a zero offset.

Responses

Response samples

Content type
application/json
{
  • "Offset": 0,
  • "request_id": "string",
  • "rolebindings": [
    ]
}

Create or update rolebinding

header Parameters
If-None-Match
string

if set to '*', will not update existing rolebinding

Request Body schema: application/json
required
id
string

if present, implies updating existing rolebinding in its entirety, otherwise create new

required
object (authz.v2.ResourceFilter)
role_id
required
string

role ID e.g., SystemOwner

required
Array of objects (authz.v2.Subject)

list of subjects

Responses

Request samples

Content type
application/json
{
  • "id": "string",
  • "resource_filter": {
    },
  • "role_id": "string",
  • "subjects": [
    ]
}

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "rolebinding": {
    }
}

Delete rolebinding

path Parameters
id
required
string.*

rolebinding ID

header Parameters
If-Match
string

if set to '*', will return success if not found

Responses

Response samples

Content type
application/json
{
  • "request_id": "string"
}

Get rolebinding

path Parameters
id
required
string.*

rolebinding ID

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "rolebinding": {
    }
}

Delete rolebinding subjects

path Parameters
id
required
string.*

rolebinding ID

Request Body schema: application/json
required
required
Array of objects (authz.v2.Subject)
Array
object (authz.v2.ClaimConfig)
id
string

subject ID (not needed for claim subjects)

kind
required
string

subject type e.g., user

Responses

Request samples

Content type
application/json
{
  • "subjects": [
    ]
}

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "rolebinding": {
    }
}

Update rolebinding subjects

path Parameters
id
required
string.*

rolebinding ID

Request Body schema: application/json
required
required
Array of objects (authz.v2.Subject)
Array
object (authz.v2.ClaimConfig)
id
string

subject ID (not needed for claim subjects)

kind
required
string

subject type e.g., user

Responses

Request samples

Content type
application/json
{
  • "subjects": [
    ]
}

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "rolebinding": {
    }
}

Merge rolebinding subjects

path Parameters
id
required
string.*

rolebinding ID

Request Body schema: application/json
required
required
Array of objects (authz.v2.Subject)
Array
object (authz.v2.ClaimConfig)
id
string

subject ID (not needed for claim subjects)

kind
required
string

subject type e.g., user

Responses

Request samples

Content type
application/json
{
  • "subjects": [
    ]
}

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "rolebinding": {
    }
}

List roles

query Parameters
resource_kind
string

if set returns only roles applicable to specific resource kind

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "roles": [
    ]
}

blueprints

An api for executing terraform plans.

List available blueprints.

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": [
    ]
}

Execute a blueprint.

path Parameters
name
required
string.*

The blueprint name.

Request Body schema: */*
required
any (blueprints.v1.BlueprintPostRequest)

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

bundles

Policy Bundles

Get a policy bundle

query Parameters
policy
string

policy name

eval_path
string

path to partial evaluation

kind
string
Default: "Plain"
Enum: "Plain" "BJson"

Kind of a bundle

header Parameters
If-None-Match
string

The server will return the requested resource, with a 200 status, only if it doesn't have an ETag matching the given ones. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-None-Match documentation.

Responses

Response samples

Content type
No sample

Get a policy bundle

path Parameters
policy
required
string.*

policy name

query Parameters
eval_path
string

path to partial evaluation

kind
string
Default: "Plain"
Enum: "Plain" "BJson"

Kind of a bundle

header Parameters
If-None-Match
string

The server will return the requested resource, with a 200 status, only if it doesn't have an ETag matching the given ones. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-None-Match documentation.

Responses

Response samples

Content type
No sample

data

Data read/write

List data

Data (whether the result of evaluating policy or the data gathered by datasources) is arranged into a tree. List the locations within the tree that data exists.

query Parameters
rego
string

Rego query to be executed for the documents

jsonpath
string

Json Path expression to extract portions of documents

sandbox
boolean

Only used explicitly provided policies and data. Do not load anything from DAS

strict
boolean

Enable strict Rego compilation mode

data
string

Initial data object in JSON format

download
boolean
Default: false

Download data as data.json file

limit
string

Returns '413 Payload Too Large' response if the body size is greater than given limit. The units KB, MB and etc can be used. Example: 10 MB; 28 kilobytes; 2000

header Parameters
If-None-Match
string

The server will return the requested resource, with a 200 status, only if it doesn't have an ETag matching the given ones. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-None-Match documentation.

Responses

Response samples

Content type
application/json
{
  • "mocks": {
    },
  • "request_id": "string",
  • "result": null,
  • "type_env": null
}

Check size of data

query Parameters
rego
string

Rego query to be executed for the documents

jsonpath
string

Json Path expression to extract portions of documents

header Parameters
If-None-Match
string

The server will return the requested resource, with a 200 status, only if it doesn't have an ETag matching the given ones. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-None-Match documentation.

Responses

Response samples

Content type
application/json
{
  • "code": "string",
  • "errors": [
    ],
  • "message": "string",
  • "request_id": "string"
}

Show all data

header Parameters
If-None-Match
string

The server will return the requested resource, with a 200 status, only if it doesn't have an ETag matching the given ones. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-None-Match documentation.

Request Body schema:
required
data
object

Initial data object

input
object
jsonpath
string

Json Path expression to extract portions of documents

object (data.v1.BuiltinMocks)
object

Cache containing results of non-deterministic built-in functions

query_package
string

The package name to be used with query in case of multiple rego modules

rego
string

Rego query to be executed for the documents

object

List of rego modules to be loaded and executed for the documents

replay
boolean

Inject STYRA_DAS_REPLAY environment variable into opa.runtime().env

sandbox
boolean

Only used explicitly provided policies and data. Do not load anything from DAS

strict
boolean

Enable strict Rego compilation mode

Responses

Request samples

Content type
{
  • "data": { },
  • "input": { },
  • "jsonpath": "string",
  • "mocks": {
    },
  • "nd_builtin_cache": {
    },
  • "query_package": "string",
  • "rego": "string",
  • "rego_modules": {
    },
  • "replay": true,
  • "sandbox": true,
  • "strict": true
}

Response samples

Content type
application/json
{
  • "mocks": {
    },
  • "request_id": "string",
  • "result": null,
  • "type_env": null
}

Get data

Show data at the given name. The name must be an extension of one of the locations of data as returned by GET v1/data

path Parameters
name
required
string.*

Data name

query Parameters
rego
string

Rego query to be executed for the documents

jsonpath
string

JSONPath expression to extract portions of documents

sandbox
boolean

Only used explicitly provided policies and data. Do not load anything from DAS

strict
boolean

Enable strict Rego compilation mode

data
string

Initial data object in JSON format

download
boolean
Default: false

Download data as .json file

limit
string

Returns '413 Payload Too Large' response if the body size is greater than given limit. The units KB, MB and etc can be used. Example: 10 MB; 28 kilobytes; 2000

header Parameters
If-None-Match
string

The server will return the requested resource, with a 200 status, only if it doesn't have an ETag matching the given ones. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-None-Match documentation.

Responses

Response samples

Content type
application/json
{
  • "mocks": {
    },
  • "request_id": "string",
  • "result": null,
  • "type_env": null
}

Check the size of the data

path Parameters
name
required
string.*

data name

query Parameters
rego
string

Rego query to be executed for the documents

jsonpath
string

Json Path expression to extract portions of documents

header Parameters
If-None-Match
string

The server will return the requested resource, with a 200 status, only if it doesn't have an ETag matching the given ones. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-None-Match documentation.

Responses

Response samples

Content type
application/json
{
  • "code": "string",
  • "errors": [
    ],
  • "message": "string",
  • "request_id": "string"
}

Patch data

Modify the data of the push datasource registered at <path> by applying a JSON patch to the JSON document. The content type for the patch is application/json-patch+json. The operation returns the modified data.

path Parameters
name
required
string.*

data name

header Parameters
If-Match
string

etag

Request Body schema:
required
object (meta.v1.RequestObject)

Responses

Request samples

Content type
{ }

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": null
}

Show data

Show data at the given name. The name must be an extension of one of the locations of data as returned by GET v1/data.

path Parameters
name
required
string.*

data name

header Parameters
If-None-Match
string

The server will return the requested resource, with a 200 status, only if it doesn't have an ETag matching the given ones. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-None-Match documentation.

Request Body schema:
required
data
object

Initial data object

input
object
jsonpath
string

Json Path expression to extract portions of documents

object (data.v1.BuiltinMocks)
object

Cache containing results of non-deterministic built-in functions

query_package
string

The package name to be used with query in case of multiple rego modules

rego
string

Rego query to be executed for the documents

object

List of rego modules to be loaded and executed for the documents

replay
boolean

Inject STYRA_DAS_REPLAY environment variable into opa.runtime().env

sandbox
boolean

Only used explicitly provided policies and data. Do not load anything from DAS

strict
boolean

Enable strict Rego compilation mode

Responses

Request samples

Content type
{
  • "data": { },
  • "input": { },
  • "jsonpath": "string",
  • "mocks": {
    },
  • "nd_builtin_cache": {
    },
  • "query_package": "string",
  • "rego": "string",
  • "rego_modules": {
    },
  • "replay": true,
  • "sandbox": true,
  • "strict": true
}

Response samples

Content type
application/json
{
  • "mocks": {
    },
  • "request_id": "string",
  • "result": null,
  • "type_env": null
}

Publish data

Set the data for the datasource registered at <name> to an arbitrary JSON document. This data can be read by doing GET v1/data/<path>

path Parameters
name
required
string.*

data name

header Parameters
If-Match
string

etag

Request Body schema:
required
object (meta.v1.RequestObject)

Responses

Request samples

Content type
{ }

Response samples

Content type
application/json
{
  • "request_id": "string"
}

datasources

Data Sources Management

List data sources

query Parameters
system
string

Filter data source by system ID

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": [
    ]
}

Delete a data source

path Parameters
datasource
required
string.*

Data source ID

Responses

Response samples

Content type
application/json
{
  • "request_id": "string"
}

Get a data source

path Parameters
datasource
required
string.*

Data source ID

query Parameters
execute
boolean

Execute data source

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": { }
}

Execute or Preview a data source

path Parameters
datasource
required
string.*

Data source ID

query Parameters
execute
boolean

Execute data source

preview
boolean

Preview data source

download
boolean
Default: false

This is part of preview workflow. Download preview data as data.json file.

limit
string

This is part of preview workflow. Returns '413 Payload Too Large' response if the body size is greater than given limit. The units KB, MB and etc can be used. Example: 10 MB; 28 kilobytes; 2000

Request Body schema: */*
required
One of
category
required
string

Must be aws/ecr
A Data Source that retrieves the data about AWS IAM deployments.

description
string
enabled
boolean
Default: true
on_premises
boolean
Default: false
rate_limit
number
Default: 3

requests per second

polling_interval
string
Default: "30s"
policy_filter
string

Policy Filter (if set, then policy_query must be set as well)

policy_query
string

Policy Query (if set, then policy_filter must be set as well)

credentials
required
string

Secret ID with AWS credentials

region
required
string

AWS region

RegistryId
string

Registry ID

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": null
}

Upsert a data source

path Parameters
datasource
required
string.*

Data source ID

header Parameters
If-None-Match
string

The server will return the requested resource, with a 200 status, only if it doesn't have an ETag matching the given ones. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-None-Match documentation.

Request Body schema: */*
required
One of
category
required
string

Must be aws/ecr
A Data Source that retrieves the data about AWS IAM deployments.

description
string
enabled
boolean
Default: true
on_premises
boolean
Default: false
rate_limit
number
Default: 3

requests per second

polling_interval
string
Default: "30s"
policy_filter
string

Policy Filter (if set, then policy_query must be set as well)

policy_query
string

Policy Query (if set, then policy_filter must be set as well)

credentials
required
string

Secret ID with AWS credentials

region
required
string

AWS region

RegistryId
string

Registry ID

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

decisions

analysis

Search decision logs

query Parameters
input_max_size
string

input_max_size will remove specified subfield from response if it exceeds the size specified

result_max_size
string

result_max_size will remove specified subfield from response if it exceeds the size specified

cursor
string

continue from cursor position of previous query

start_time
string <date-time>

minimum decision time

end_time
string <date-time>

maximum decision time

search
string

search query

system
string

system ID

stack
string

stack ID

limit
integer
Default: 100

maximum number of decisions to return

result_kind
string
Default: "ALL"

comma-separated list of ALL, UNKNOWN, ADVICE, ALLOWED, DENIED, ERROR

order
string
Default: "DESC"

ASC, DESC

default_timezone
string

client time zone offset e.g. -07:00, +3:00, Z. Local time expressions in query are adjusted with this offset

compact
boolean

return only essential decision fields

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

Search decision logs

query Parameters
input_max_size
string

input_max_size will remove specified subfield from response if it exceeds the size specified

result_max_size
string

result_max_size will remove specified subfield from response if it exceeds the size specified

Request Body schema: application/json
required
compact
boolean
Default: false

return only essential decision fields

cursor
string

continue from cursor position of previous query

default_timezone
string

client time zone offset. Local time expressions in query are adjusted with this offset

end_time
string <date-time>

maximum decision time

limit
integer <int64>
Default: 100

maximum number of decisions to return

order
string
Default: "DESC"

ASC, DESC

result_kind
string
Default: "ALL"

comma-separated list of ALL, UNKNOWN, ADVICE, ALLOWED, DENIED, ERROR

search
string

search query

stack
string

stack ID

start_time
string <date-time>

minimum decision time

system
string

system ID

Responses

Request samples

Content type
application/json
{
  • "compact": false,
  • "cursor": "string",
  • "default_timezone": "-07:00, +3:00, Z",
  • "end_time": "2019-08-24T14:15:22Z",
  • "limit": 100,
  • "order": "DESC",
  • "result_kind": "ALL",
  • "search": "string",
  • "stack": "string",
  • "start_time": "2019-08-24T14:15:22Z",
  • "system": "string"
}

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

Get a single decision

path Parameters
cursor
required
string

decision cursor value

query Parameters
input_max_size
string

input_max_size will remove specified subfield from response if it exceeds the size specified

result_max_size
string

result_max_size will remove specified subfield from response if it exceeds the size specified

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

identity-providers

Identity Providers management

List providers

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": [
    ]
}

Create provider

Request Body schema: application/json
required
allow_idp_initiated
required
boolean
allowed_domains
required
Array of strings

allow users from domains

auth_url
required
string
certificate
required
string

send instead of KeyCertificate for new configs

client_id
required
string
client_secret
required
string
effective_client_secret
required
string

send instead of ClientSecret for new configs

email_attribute
required
string
enabled
required
boolean

whether it can be used as a provider or not

id
required
string
issuer_url
required
string
jit
required
boolean

True, if users are provisioned on-demand

key_certificate
required
string
metadata
required
string
override_discovery_issuer_url
string
private_key
required
string

send instead of KeyCertificate for new configs

proxy_url
required
string
redirect_url
required
string
response_mode
required
string
scopes
required
Array of strings
skip_token_issuer_check
boolean
token_url
required
string
type
required
string

OIDC (default) or SAML

unique_claim
required
string

claim to be used as the unique id for users

user_info_url
required
string

Responses

Request samples

Content type
application/json
{
  • "allow_idp_initiated": true,
  • "allowed_domains": [
    ],
  • "auth_url": "string",
  • "certificate": "string",
  • "client_id": "string",
  • "client_secret": "string",
  • "effective_client_secret": "string",
  • "email_attribute": "string",
  • "enabled": true,
  • "id": "string",
  • "issuer_url": "string",
  • "jit": true,
  • "key_certificate": "string",
  • "metadata": "string",
  • "override_discovery_issuer_url": "string",
  • "private_key": "string",
  • "proxy_url": "string",
  • "redirect_url": "string",
  • "response_mode": "string",
  • "scopes": [
    ],
  • "skip_token_issuer_check": true,
  • "token_url": "string",
  • "type": "string",
  • "unique_claim": "string",
  • "user_info_url": "string"
}

Response samples

Content type
application/json
{
  • "request_id": "string"
}

Validate provider

Request Body schema: application/json
required
allow_idp_initiated
required
boolean
allowed_domains
required
Array of strings

allow users from domains

auth_url
required
string
certificate
required
string

send instead of KeyCertificate for new configs

client_id
required
string
client_secret
required
string
effective_client_secret
required
string

send instead of ClientSecret for new configs

email_attribute
required
string
enabled
required
boolean

whether it can be used as a provider or not

id
required
string
issuer_url
required
string
jit
required
boolean

True, if users are provisioned on-demand

key_certificate
required
string
metadata
required
string
override_discovery_issuer_url
string
private_key
required
string

send instead of KeyCertificate for new configs

proxy_url
required
string
redirect_url
required
string
response_mode
required
string
scopes
required
Array of strings
skip_token_issuer_check
boolean
token_url
required
string
type
required
string

OIDC (default) or SAML

unique_claim
required
string

claim to be used as the unique id for users

user_info_url
required
string

Responses

Request samples

Content type
application/json
{
  • "allow_idp_initiated": true,
  • "allowed_domains": [
    ],
  • "auth_url": "string",
  • "certificate": "string",
  • "client_id": "string",
  • "client_secret": "string",
  • "effective_client_secret": "string",
  • "email_attribute": "string",
  • "enabled": true,
  • "id": "string",
  • "issuer_url": "string",
  • "jit": true,
  • "key_certificate": "string",
  • "metadata": "string",
  • "override_discovery_issuer_url": "string",
  • "private_key": "string",
  • "proxy_url": "string",
  • "redirect_url": "string",
  • "response_mode": "string",
  • "scopes": [
    ],
  • "skip_token_issuer_check": true,
  • "token_url": "string",
  • "type": "string",
  • "unique_claim": "string",
  • "user_info_url": "string"
}

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

Delete provider

path Parameters
providerId
required
string.+

provider ID

Responses

Response samples

Content type
application/json
{
  • "request_id": "string"
}

Get provider

path Parameters
providerId
required
string.+

provider ID

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

Create or update provider

path Parameters
providerId
required
string.+

provider ID

header Parameters
If-None-Match
string

if set to '*' then creates a new provider with type-specific related objects

Request Body schema: application/json
required
allow_idp_initiated
required
boolean
allowed_domains
required
Array of strings

allow users from domains

auth_url
required
string
certificate
required
string

send instead of KeyCertificate for new configs

client_id
required
string
client_secret
required
string
effective_client_secret
required
string

send instead of ClientSecret for new configs

email_attribute
required
string
enabled
required
boolean

whether it can be used as a provider or not

id
required
string
issuer_url
required
string
jit
required
boolean

True, if users are provisioned on-demand

key_certificate
required
string
metadata
required
string
override_discovery_issuer_url
string
private_key
required
string

send instead of KeyCertificate for new configs

proxy_url
required
string
redirect_url
required
string
response_mode
required
string
scopes
required
Array of strings
skip_token_issuer_check
boolean
token_url
required
string
type
required
string

OIDC (default) or SAML

unique_claim
required
string

claim to be used as the unique id for users

user_info_url
required
string

Responses

Request samples

Content type
application/json
{
  • "allow_idp_initiated": true,
  • "allowed_domains": [
    ],
  • "auth_url": "string",
  • "certificate": "string",
  • "client_id": "string",
  • "client_secret": "string",
  • "effective_client_secret": "string",
  • "email_attribute": "string",
  • "enabled": true,
  • "id": "string",
  • "issuer_url": "string",
  • "jit": true,
  • "key_certificate": "string",
  • "metadata": "string",
  • "override_discovery_issuer_url": "string",
  • "private_key": "string",
  • "proxy_url": "string",
  • "redirect_url": "string",
  • "response_mode": "string",
  • "scopes": [
    ],
  • "skip_token_issuer_check": true,
  • "token_url": "string",
  • "type": "string",
  • "unique_claim": "string",
  • "user_info_url": "string"
}

Response samples

Content type
application/json
{
  • "request_id": "string"
}

invitations

User invitations

List invitations

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": [
    ]
}

Invite user

query Parameters
email
boolean

set to false to avoid sending an email

Request Body schema: application/json
required
roles
required
Array of strings

list of roles for the invited user

user_id
required
string

user ID to create invitation for

Responses

Request samples

Content type
application/json
{
  • "roles": [
    ],
  • "user_id": "string"
}

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

Revoke invitation

path Parameters
id
required
string.+

user ID

Responses

Response samples

Content type
application/json
{
  • "request_id": "string"
}

Get invitation

path Parameters
id
required
string.+

user ID

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

Accept invitation

path Parameters
token
required
string.+

token from the invitation URL

Request Body schema: application/json
required
password
required
string

new user password

user_id
required
string

new user ID

Responses

Request samples

Content type
application/json
{
  • "password": "string",
  • "user_id": "string"
}

Response samples

Content type
application/json
{
  • "request_id": "string"
}

libraries

API to create and manage libraries

List all libraries

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": [
    ]
}

Verify git access

Verifies that the repository can be accessed with the provided credentials

Request Body schema: application/json
required
commit
required
string

Commit SHA. Only one of reference or commit can be set at any time

credentials
required
string

Credentials are looked under the key /

id
required
string

id of the entity so that the config can be checked for duplicates

path
required
string

Path to limit the import to

reference
required
string

Remote reference. Only one of reference or commit can be set at any time

object (git.v1.SSHCredentials)
url
required
string

Repository URL

Responses

Request samples

Content type
application/json
{
  • "commit": "string",
  • "credentials": "string",
  • "id": "string",
  • "path": "string",
  • "reference": "string",
  • "ssh_credentials": {
    },
  • "url": "string"
}

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

Delete a library

path Parameters
id
required
string.*

id

Responses

Get a library

path Parameters
id
required
string.*

id

query Parameters
policies
boolean

set to 'false' to omit policies from the output

modules
boolean

set to 'false' to omit modules from the output

datasources
boolean

set to 'false' to omit datasources from the output

rule_counts
boolean

set to 'false' to omit policy rule counts in the output

dependant_bundles
string

level of report for bundles depending on the library. One of (none, active, all). "active" is the default

Responses

Response samples

Content type
application/json
{
  • "result": {
    }
}

Upsert a new library

path Parameters
id
required
string.*

id

Request Body schema: application/json
required
description
required
string
read_only
required
boolean
object (libraries.v1.SourceControlConfig)

Responses

Request samples

Content type
application/json
{
  • "description": "string",
  • "read_only": true,
  • "source_control": {
    }
}

Response samples

Content type
application/json
{
  • "result": {
    }
}

Delete a user-owned branch

path Parameters
id
required
string.*

library id

Responses

Response samples

Content type
application/json
{
  • "request_id": "string"
}

List files in Styra DAS-created branch.

Gets the list of files for the branch that the Styra DAS creates when modifying rego in the Styra DAS UI and pushing the changes to GitHub in a branch for review.

path Parameters
id
required
string.*

library id

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

Commit files to library source control

Commit files to source control associated with a library

path Parameters
id
required
string.*

library id

Request Body schema: application/json
required
author
required
string
email
required
string
required
object

Map of filenames to file contents

files_to_delete
required
Array of strings

List of filenames to delete from the repo

message
required
string

Responses

Request samples

Content type
application/json
{
  • "author": "string",
  • "email": "string",
  • "files": {
    },
  • "files_to_delete": [
    ],
  • "message": "string"
}

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

List files in current branch.

Gets the list of files in the currently chosen branch.

path Parameters
id
required
string.*

library id

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

Validate library unit tests

path Parameters
id
required
string.*

id

Request Body schema: application/json
required
object

draft policies to be used for 'new' violations computation (path => rego)

mode
string
Default: "delta"

validation mode. One of (delta, all, delta-count, all-count)

policy_type
string

policy type to narrow the monitor policy search (e.g. validating, mutating). Default (empty string or missing) is to run all monitoring policies

Responses

Request samples

Content type
application/json
{
  • "drafts": {
    },
  • "mode": "delta",
  • "policy_type": "string"
}

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

logreplay

log-replay is a service that re-evaluates past decision logs in order to estimate what would change if one of the policies would be different. log-replay is used as an analysis tool to analyze the impact of a policy change.

Run log-replay

Request Body schema: application/json
required
compare_full_results
boolean
Default: false

do not compare decisions by system-type-dependent significant fields

data_patches
Array of objects (logreplay.v1.ReplayRequest.data_patches) [ items ]

list of JSON Patches to apply to the data namespace

decision_patches
Array of objects (logreplay.v1.ReplayRequest.decision_patches) [ items ]

list of JSON Patches to apply to the decisions before they evaluated

deterministic_policies
boolean
Default: true

signals that decisions having the same inputs, data and revision always evaluate to the same result and therefore can be cached

duration
string

maximum replay duration (e.g. "20s")

max_samples
integer <int32>

maximum number of samples to return

object (data.v1.BuiltinMocks)
object

modified rego policies (path => rego content)

Array of objects (logreplay.v1.ReplayScope)

list of scopes to narrow the decision search

skip_batches
Array of strings

list of batch IDs to skip

Responses

Request samples

Content type
application/json
{
  • "compare_full_results": false,
  • "data_patches": [
    ],
  • "decision_patches": [
    ],
  • "deterministic_policies": true,
  • "duration": "string",
  • "max_samples": 0,
  • "mocks": {
    },
  • "policies": {
    },
  • "scope": [
    ],
  • "skip_batches": [
    ]
}

Response samples

Content type
application/json
{
  • "analyzed_batches": [
    ],
  • "duration": 0,
  • "samples": [
    ],
  • "started": "2019-08-24T14:15:22Z",
  • "stats": {
    }
}

logreplay-v2

LogReplay Service v2

Run log-replay

Request Body schema: application/json
required
object

system ID -> bundle filter mapping specifying which bundles to consider for each system. Use empty string or '*' to provide default filter

compare_full_results
boolean
Default: false

do not compare decisions by system-type-dependent significant fields

decision_patches
Array of objects (logreplay.v2.ReplayRequest.decision_patches) [ items ]

list of JSON Patches to apply to the decisions before they evaluated

object

modifications to make to policies or data

duration
string

maximum replay duration (e.g. "20s")

max_samples
integer <int32>

maximum number of samples to return

object (data.v1.BuiltinMocks)
path_filters
Array of strings

list of path filters. Each entry is either a path prefix that the decision path must begin with or the decision path must be prefix of the entry

skip_batches
Array of strings

list of batch IDs to skip

systems
Array of strings

list of system IDs. If provided, systems that are not in the list won't be replayed even if affected by one of the drafts'

Responses

Request samples

Content type
application/json
{
  • "bundle_filters": {
    },
  • "compare_full_results": false,
  • "decision_patches": [
    ],
  • "drafts": {
    },
  • "duration": "string",
  • "max_samples": 0,
  • "mocks": {
    },
  • "path_filters": [
    ],
  • "skip_batches": [
    ],
  • "systems": [
    ]
}

Response samples

Content type
application/json
{
  • "mocks": {
    },
  • "request_id": "string",
  • "result": {
    }
}

logs

OPA decision logs API

Post decision logs

Request Body schema: application/json
required
Array
object (meta.v1.RequestObject)

Responses

Request samples

Content type
application/json
[
  • { }
]

Response samples

Content type
application/json
{
  • "request_id": "string"
}

Post decision logs with partition

path Parameters
partition
required
string.*

partition name. Currently not used

Request Body schema: application/json
required
Array
object (meta.v1.RequestObject)

Responses

Request samples

Content type
application/json
[
  • { }
]

Response samples

Content type
application/json
{
  • "request_id": "string"
}

mock/opa

The api for mock opas.

List mock opas.

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": [
    ]
}

Create a mock opa.

Request Body schema: application/json
required
duration
required
string
system_id
required
string

Responses

Request samples

Content type
application/json
{
  • "duration": "string",
  • "system_id": "string"
}

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

Get info about the service.

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

Delete a mock opa.

path Parameters
id
required
string.*

The mock opa id.

Responses

Response samples

Content type
application/json
{
  • "request_id": "string"
}

Get a mock opa.

path Parameters
id
required
string.*

The mock opa id.

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

notifications

Notification Integration

Handle callbacks from notification applications.

path Parameters
type
required
string.*

notification type

query Parameters
code
string

authorization code from notification tool

state
string

unique identification code

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "response_url": "string"
}

Start installing the notification tool.

path Parameters
type
required
string.*

notification type

query Parameters
redirect_url
string

the landing page when OAuth is successfully done.

Responses

Response samples

Content type
application/json
{
  • "request_id": "string"
}

Uninstall a notification tool.

path Parameters
type
required
string.*

notification type

Responses

Response samples

Content type
application/json
{
  • "request_id": "string"
}

Get the status of a notification tool.

path Parameters
type
required
string.*

notification type

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

Insert an access token for the notification tool.

path Parameters
type
required
string.*

notification type

Request Body schema: application/json
required
token
required
string

Responses

Request samples

Content type
application/json
{
  • "token": "string"
}

Response samples

Content type
application/json
{
  • "request_id": "string"
}

openapi

OpenAPI Specification

Returns a deprecated version

path Parameters
spec
required
stringv.*

OpenAPI Spec version

version
required
string.*

API version

Responses

Swagger v2 Specification

Responses

OpenAPI v3 Specification

Responses

passwords

Passwords strength and forgotten password request email and reset

Request password reset email

Request Body schema: application/json
required
password
required
string
user_id
required
string

Responses

Request samples

Content type
application/json
{
  • "password": "string",
  • "user_id": "string"
}

Response samples

Content type
application/json
{
  • "url": "string"
}

Reset password

path Parameters
token
required
string.+

Token ID

Request Body schema: application/json
required
password
required
string
user_id
required
string

Responses

Request samples

Content type
application/json
{
  • "password": "string",
  • "user_id": "string"
}

Response samples

Content type
application/json
{
  • "url": "string"
}

Analyze password strength

Request Body schema: application/json
required
password
required
string

Responses

Request samples

Content type
application/json
{
  • "password": "string"
}

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

policies

Policy management

List policies

query Parameters
metadata
string

return rego metadata of specified type or all if no type provided

modules
boolean

return rego metadata for each module separately

drafts
boolean

return rego metadata for draft policies (when metadata flag is used)

prefix
string

return only the policies having the prefix

Responses

Response samples

Content type
application/json
{
  • "metadata": [
    ],
  • "request_id": "string",
  • "result": null
}

Bulk upload policies

Request Body schema: application/gzip
required

Policy bundle

string <binary>

Responses

Response samples

Content type
application/json
{
  • "request_id": "string"
}

List playground policies

query Parameters
metadata
string

return rego metadata of specified type or all if no type provided

drafts
boolean

return rego metadata for draft policies (when metadata flag is used)

Responses

Response samples

Content type
application/json
{
  • "metadata": [
    ],
  • "request_id": "string",
  • "result": null
}

Bulk upload playground policies

Request Body schema: application/gzip
required

Policy bundle

string <binary>

Responses

Response samples

Content type
application/json
{
  • "request_id": "string"
}

List system policies

path Parameters
system
required
string

system id

query Parameters
metadata
string

return rego metadata of specified type or all if no type provided

drafts
boolean

return rego metadata for draft policies (when metadata flag is used)

Responses

Response samples

Content type
application/json
{
  • "metadata": [
    ],
  • "request_id": "string",
  • "result": null
}

Bulk upload system policies

path Parameters
system
required
string

system id

Request Body schema: application/gzip
required

Policy bundle

string <binary>

Responses

Response samples

Content type
application/json
{
  • "request_id": "string"
}

Delete a policy

path Parameters
policy
required
string.+

policy name

Responses

Response samples

Content type
application/json
{
  • "request_id": "string"
}

Get a policy

path Parameters
policy
required
string.+

policy name

query Parameters
dependencies
boolean

include dependencies

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": null
}

Update a policy

path Parameters
policy
required
string.+

policy name

header Parameters
If-None-Match
string

etag

Request Body schema: application/json
required
required
object

module file name to rego (and also data.json/data.yaml if enabled for the tenant) contents dictionary

object (crypto.Signature)

Responses

Request samples

Content type
application/json
{
  • "modules": {
    },
  • "signature": {
    }
}

Response samples

Content type
application/json
{
  • "request_id": "string"
}

rego

Rego

Format Rego code

query Parameters
v1
boolean

Enable formatting to comply with both the RegoV0 and RegoV1 syntax

Request Body schema: application/json
required
required
object
property name*
additional property
string

Responses

Request samples

Content type
application/json
{
  • "input": {
    }
}

Response samples

Content type
application/json
{
  • "errors": {
    },
  • "metadata": [
    ],
  • "output": {
    },
  • "request_id": "string"
}

relay-server

manages relay-clients

Get clients

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": [
    ]
}

Evict client connections

path Parameters
key
required
string[a-zA-Z0-9-_]+

key that the relay client registered with

query Parameters
id
string

id of a specific relay client

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": [
    ]
}

Register Client

path Parameters
key
required
string[a-zA-Z0-9-_]+

key to register the relay client with

query Parameters
id
string

id of the relay client

Responses

secrets

Secrets Management

List secrets

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": [
    ]
}

Delete secret

path Parameters
secretId
required
string.*

secret ID

Responses

Response samples

Content type
application/json
{
  • "request_id": "string"
}

Get secret

path Parameters
secretId
required
string.*

secret ID

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

Create/update secret

path Parameters
secretId
required
string.*

secret ID

header Parameters
If-None-Match
string

if set to '*' then the request fill fail if the secret already exists

Request Body schema: application/json
required
description
required
string
name
required
string
secret
required
string

Responses

Request samples

Content type
application/json
{
  • "description": "string",
  • "name": "string",
  • "secret": "string"
}

Response samples

Content type
application/json
{
  • "request_id": "string"
}

signup-passwords

Passwords strength and forgotten password requests

Request password reset email

Request Body schema: application/json
required
password
required
string
user_id
required
string

Responses

Request samples

Content type
application/json
{
  • "password": "string",
  • "user_id": "string"
}

Response samples

Content type
application/json
{
  • "url": "string"
}

Analyze password strength

Request Body schema: application/json
required
password
required
string

Responses

Request samples

Content type
application/json
{
  • "password": "string"
}

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

stacks

Stacks management

List stacks

query Parameters
policies
boolean

set to 'false' to omit policies from the output

modules
boolean

set to 'false' to omit modules from the output

datasources
boolean

set to 'false' to omit datasources from the output

errors
boolean

set to 'false' to omit errors/warnings from the output

metadata
boolean

set to 'false' to omit metadata from the output

rule_counts
boolean

set to 'false' to omit policy rule counts in the output

matching_systems
boolean

set to 'false' to omit list of matching systems in the output

minimum_opa_version
boolean

set to 'false' to omit minimum OPA version for systems using stack

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": [
    ]
}

Create a stack

Request Body schema: application/json
required
description
required
string
name
required
string
read_only
required
boolean
object (stacks.v1.SourceControlConfig)
type
required
string
type_parameters
object

stack type parameter values (for template.* types)

Responses

Request samples

Content type
application/json
{
  • "description": "string",
  • "name": "string",
  • "read_only": true,
  • "source_control": {
    },
  • "type": "string",
  • "type_parameters": { }
}

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

Verify git access

Verifies that the repository can be accessed with the provided credentials

Request Body schema: application/json
required
commit
required
string

Commit SHA. Only one of reference or commit can be set at any time

credentials
required
string

Credentials are looked under the key /

id
required
string

id of the entity so that the config can be checked for duplicates

path
required
string

Path to limit the import to

reference
required
string

Remote reference. Only one of reference or commit can be set at any time

object (git.v1.SSHCredentials)
url
required
string

Repository URL

Responses

Request samples

Content type
application/json
{
  • "commit": "string",
  • "credentials": "string",
  • "id": "string",
  • "path": "string",
  • "reference": "string",
  • "ssh_credentials": {
    },
  • "url": "string"
}

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

Delete a user-owned branch

path Parameters
id
required
string.*

stack id

Responses

Response samples

Content type
application/json
{
  • "request_id": "string"
}

List files in Styra DAS-created branch.

Gets the list of files for the branch that the Styra DAS creates when modifying rego in the Styra DAS UI and pushing the changes to GitHub in a branch for review.

path Parameters
id
required
string.*

stack id

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

Commit files to stack source control

Commit files to source control associated with a stack

path Parameters
id
required
string.*

stack id

Request Body schema: application/json
required
author
required
string
email
required
string
required
object

Map of filenames to file contents

files_to_delete
required
Array of strings

List of filenames to delete from the repo

message
required
string

Responses

Request samples

Content type
application/json
{
  • "author": "string",
  • "email": "string",
  • "files": {
    },
  • "files_to_delete": [
    ],
  • "message": "string"
}

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

List files in current branch.

Gets the list of files in the currently chosen branch.

path Parameters
id
required
string.*

stack id

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

Delete a stack

path Parameters
stack
required
string.*

stack id

Responses

Response samples

Content type
application/json
{
  • "request_id": "string"
}

Get a stack configuration

path Parameters
stack
required
string.*

stack id

query Parameters
policies
boolean

set to 'false' to omit policies from the output

modules
boolean

set to 'false' to omit modules from the output

datasources
boolean

set to 'false' to omit datasources from the output

errors
boolean

set to 'false' to omit errors/warnings from the output

metadata
boolean

set to 'false' to omit metadata from the output

rule_counts
boolean

set to 'false' to omit policy rule counts in the output

matching_systems
boolean

set to 'false' to omit list of matching systems in the output

minimum_opa_version
boolean

set to 'false' to omit minimum OPA version for systems using stack

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

Create or update a stack. Only the fields sent in the request are updated

path Parameters
stack
required
string.*

stack id

Request Body schema: application/json
required
description
required
string
name
required
string
read_only
required
boolean
object (stacks.v1.SourceControlConfig)
type
required
string
type_parameters
object

stack type parameter values (for template.* types)

Responses

Request samples

Content type
application/json
{
  • "description": "string",
  • "name": "string",
  • "read_only": true,
  • "source_control": {
    },
  • "type": "string",
  • "type_parameters": { }
}

Response samples

Content type
application/json
{
  • "request_id": "string"
}

Migrate a stack from one type to another

path Parameters
stack
required
string.*

stack id

Request Body schema: application/json
required
type
required
string

The system type ID to migrate the current system to

Responses

Request samples

Content type
application/json
{
  • "type": "string"
}

Response samples

Content type
application/json
{
  • "request_id": "string"
}

Validate stack compliance

path Parameters
stack
required
string.*

stack id

query Parameters
asyncdelay
string

set delay of asynchronous response HTTP(202); range [1s - compliance-api-timeout].

asyncresponse
string

get asynchronous response; see HTTP(202) Location parameter

interval
string

if set to 'latest', get most recent cached results for specified stack.

Request Body schema: application/json
required
object

draft policies to be used for 'new' violations computation (path => rego)

extended
boolean

run extended compliance validation that is specific for the system/stack type

filter
object

filter violations with this selector (dot.path => value)

group_by
Array of strings[ items ]

group results by dot.path values (list of group levels with list of fields at each level)

limit
integer <int32>

maximum number of violations to return per monitor

object (data.v1.BuiltinMocks)
mode
string
Default: "delta"

validation mode. One of (delta, all, delta-count, all-count)

policy_type
string

policy type to narrow the monitor policy search (e.g. validating, mutating). Default (empty string or missing) is to run all monitoring policies

Array of objects (systems.v1.SortField)

list of fields to sort by

Responses

Request samples

Content type
application/json
{
  • "drafts": {
    },
  • "extended": true,
  • "filter": { },
  • "group_by": [
    ],
  • "limit": 0,
  • "mocks": {
    },
  • "mode": "delta",
  • "policy_type": "string",
  • "sort": [
    ]
}

Response samples

Content type
application/json
{
  • "mocks": {
    },
  • "request_id": "string",
  • "result": {
    }
}

Get next page of stack compliance violations

path Parameters
stack
required
string.*

stack id

cursor
required
string.*

paging cursor obtained from previous calls

query Parameters
limit
integer

maximum number of violations to return

Responses

Response samples

Content type
application/json
{
  • "mocks": {
    },
  • "request_id": "string",
  • "result": {
    }
}

Validate stack unit tests

path Parameters
stack
required
string.*

stack id

Request Body schema: application/json
required
object

draft policies to be used for 'new' violations computation (path => rego)

mode
string
Default: "delta"

validation mode. One of (delta, all, delta-count, all-count)

policy_type
string

policy type to narrow the monitor policy search (e.g. validating, mutating). Default (empty string or missing) is to run all monitoring policies

Responses

Request samples

Content type
application/json
{
  • "drafts": {
    },
  • "mode": "delta",
  • "policy_type": "string"
}

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

status

OPA statuses API

Get current OPA statuses

query Parameters
system
string

return only statuses for one or more system ID

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

Update current OPA status

Request Body schema: application/json
required
object (status.v1.AgentStatus)

Responses

Request samples

Content type
application/json
{ }

Response samples

Content type
application/json
{
  • "request_id": "string"
}

Update current OPA status

path Parameters
partition
required
string.*

partition name. Currently not used

Request Body schema: application/json
required
object (status.v1.AgentStatus)

Responses

Request samples

Content type
application/json
{ }

Response samples

Content type
application/json
{
  • "request_id": "string"
}

systems

Systems management

List systems

query Parameters
compact
boolean

if set to 'true', returns only minimal configuration information for each system

policies
boolean

set to 'false' to omit policies from the output

modules
boolean

set to 'false' to omit modules from the output

rule_counts
boolean

set to 'false' to omit policy rule counts in the output

datasources
boolean

set to 'false' to omit datasources from the output

errors
boolean

set to 'false' to omit errors/warnings from the output

authz
boolean

set to 'false' to omit authz info from the output

metadata
boolean

set to 'false' to omit metadata from the output

minimum_opa_version
boolean

set to 'false' to omit minimum_opa_version from the output

stacks
boolean

set to 'false' to omit matching_stacks from the output

migration_history
boolean

set to 'false' to omit migration_history from the output

tokens
boolean

set to 'false' to omit tokens from the output

info
boolean

set to 'false' to omit info from the output

type
string

if set returns only systems of the specified type

name
string

if set returns only systems with a name matching the given regex

search
string

if set returns only systems with a name,ID,type, or description matching the given pattern

limit
integer

maximum number of items to return. If no limit is specified, the default is to return all results.

offset
integer

controls the starting point within the list of items. Note that the first item is retrieved by setting a zero offset.

Responses

Response samples

Content type
application/json
{
  • "offset": 0,
  • "request_id": "string",
  • "result": [
    ]
}

Create a system

Request Body schema: application/json
required
object (systems.v1.BundleDownloadConfig)
object (systems.v1.BundleRegistryConfig)
context_bundle_data_only
boolean

only put data in the context bundle

context_bundle_roots
Array of strings

list of path prefixes for policies/datasources that go into the second (context) bundle

object

location of key attributes and additional columns in the decisions grouped by policy entry point path

object (workspace.v1.DecisionExporterConfig)
object (systems.v1.SystemDeploymentParameters)
description
string

description for the system

error_setting
string

error/warning configuration: one of "all", "errors", "none"

object (systems.v1.ExternalBundleConfig)
external_id
string

optional parameter to map Styra DAS system ID to external IDs used by a customer. (mapping can be retrieved with TranslateExternalIds operation)

filter_stacks
boolean

when set, stacks that are not linked to this system will be filtered out of its bundles

kafka_topic
string

optional parameter to specify the Kafka topic where the decision logs for this system should be published if exported through the workspace level configuration (ignored if Kafka is not configured for the workspace for decision export)

mock_opa_enabled
boolean

enable mock OPAs for this system

name
required
string

system name

read_only
boolean
Default: false

prevents users from modifying policies using Styra UIs

object (git.v1.SourceControlConfig)
type
required
string

system type e.g. kubernetes

type_parameters
object

system type parameter values (for template.* types)

Responses

Request samples

Content type
application/json
{
  • "bundle_download": {
    },
  • "bundle_registry": {
    },
  • "context_bundle_data_only": true,
  • "context_bundle_roots": [
    ],
  • "decision_mappings": {
    },
  • "decisions_exporter": {
    },
  • "deployment_parameters": {
    },
  • "description": "string",
  • "error_setting": "string",
  • "external_bundles": {
    },
  • "external_id": "string",
  • "filter_stacks": true,
  • "kafka_topic": "string",
  • "mock_opa_enabled": true,
  • "name": "string",
  • "read_only": false,
  • "source_control": {
    },
  • "type": "string",
  • "type_parameters": { }
}

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

Translate identifiers

Translate external identifiers to Styra DAS system identifiers

Request Body schema: application/json
required
external_ids
required
Array of strings

Responses

Request samples

Content type
application/json
{
  • "external_ids": [
    ]
}

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

Handle system metrics

Responses

Verify git access

Verifies that the repository can be accessed with the provided credentials

Request Body schema: application/json
required
commit
required
string

Commit SHA. Only one of reference or commit can be set at any time

credentials
required
string

Credentials are looked under the key /

id
required
string

id of the entity so that the config can be checked for duplicates

path
required
string

Path to limit the import to

reference
required
string

Remote reference. Only one of reference or commit can be set at any time

object (git.v1.SSHCredentials)
url
required
string

Repository URL

Responses

Request samples

Content type
application/json
{
  • "commit": "string",
  • "credentials": "string",
  • "id": "string",
  • "path": "string",
  • "reference": "string",
  • "ssh_credentials": {
    },
  • "url": "string"
}

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

Delete a user-owned branch

path Parameters
id
required
string.*

system id

Responses

Response samples

Content type
application/json
{
  • "request_id": "string"
}

List files in Styra DAS-created branch.

Gets the list of files for the branch that the Styra DAS creates when modifying rego in the Styra DAS UI and pushing the changes to GitHub in a branch for review.

path Parameters
id
required
string.*

system id

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

Commit files to system source control

Commit files to source control associated with a system

path Parameters
id
required
string.*

system id

Request Body schema: application/json
required
author
required
string
email
required
string
required
object

Map of filenames to file contents

files_to_delete
required
Array of strings

List of filenames to delete from the repo

message
required
string

Responses

Request samples

Content type
application/json
{
  • "author": "string",
  • "email": "string",
  • "files": {
    },
  • "files_to_delete": [
    ],
  • "message": "string"
}

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

List files in current branch.

Gets the list of files in the currently chosen branch.

path Parameters
id
required
string.*

system id

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

Delete a system

path Parameters
system
required
string.*

system ID

query Parameters
recursive
string

if set to 'false', only deletes the system configuration and does not delete associated objects

Responses

Response samples

Content type
application/json
{
  • "request_id": "string"
}

Get a system

path Parameters
system
required
string.*

system ID

query Parameters
policies
boolean

set to 'false' to omit policies from the output

modules
boolean

set to 'false' to omit modules from the output

rule_counts
boolean

set to 'false' to omit policy rule counts in the output

datasources
boolean

set to 'false' to omit datasources from the output

errors
boolean

set to 'false' to omit errors/warnings from the output

authz
boolean

set to 'false' to omit authz info from the output

metadata
boolean

set to 'false' to omit metadata from the output

minimum_opa_version
boolean

set to 'false' to omit minimum_opa_version from the output

stacks
boolean

set to 'false' to omit matching_stacks from the output

migration_history
boolean

set to 'false' to omit migration_history from the output

tokens
boolean

set to 'false' to omit tokens from the output

info
boolean

set to 'false' to omit info from the output

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

Update or create a system. Only the fields sent in the request are updated

  • Updating the given system with type-specific related objects, except changing the system's type.

  • Creating a system with given ID with type-specific related objects, only, if the If-None-Match header is set to *

    Example:

    curl -H "Authorization: Bearer <token>" \
     -H "Styra-Tenant: <tenant>" \
     -H "If-None-Match: *" \
     -X PUT https://<das-id>.styra.com 
     -d '{<request body>}'
path Parameters
system
required
string.*

system ID

header Parameters
If-None-Match
string

if set to '*' then creates a new system with type-specific related objects

Request Body schema: application/json
required
object (systems.v1.BundleDownloadConfig)
object (systems.v1.BundleRegistryConfig)
context_bundle_data_only
boolean

only put data in the context bundle

context_bundle_roots
Array of strings

list of path prefixes for policies/datasources that go into the second (context) bundle

object

location of key attributes and additional columns in the decisions grouped by policy entry point path

object (workspace.v1.DecisionExporterConfig)
object (systems.v1.SystemDeploymentParameters)
description
string

description for the system

error_setting
string

error/warning configuration: one of "all", "errors", "none"

object (systems.v1.ExternalBundleConfig)
external_id
string

optional parameter to map Styra DAS system ID to external IDs used by a customer. (mapping can be retrieved with TranslateExternalIds operation)

filter_stacks
boolean

when set, stacks that are not linked to this system will be filtered out of its bundles

kafka_topic
string

optional parameter to specify the Kafka topic where the decision logs for this system should be published if exported through the workspace level configuration (ignored if Kafka is not configured for the workspace for decision export)

mock_opa_enabled
boolean

enable mock OPAs for this system

name
required
string

system name

read_only
boolean
Default: false

prevents users from modifying policies using Styra UIs

object (git.v1.SourceControlConfig)
type
required
string

system type e.g. kubernetes

type_parameters
object

system type parameter values (for template.* types)

Responses

Request samples

Content type
application/json
{
  • "bundle_download": {
    },
  • "bundle_registry": {
    },
  • "context_bundle_data_only": true,
  • "context_bundle_roots": [
    ],
  • "decision_mappings": {
    },
  • "decisions_exporter": {
    },
  • "deployment_parameters": {
    },
  • "description": "string",
  • "error_setting": "string",
  • "external_bundles": {
    },
  • "external_id": "string",
  • "filter_stacks": true,
  • "kafka_topic": "string",
  • "mock_opa_enabled": true,
  • "name": "string",
  • "read_only": false,
  • "source_control": {
    },
  • "type": "string",
  • "type_parameters": { }
}

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

Get system agents

path Parameters
system
required
string.*

system ID

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": [
    ]
}

Get system asset

path Parameters
system
required
string.*

system ID

assettype
required
string.*

asset type

Responses

Response samples

Content type
No sample

Compile a system bundle

path Parameters
system
required
string.*

system ID

Request Body schema: application/json
required
bundle_id
string

optional bundle ID: 'policy' or 'context'

Responses

Request samples

Content type
application/json
{
  • "bundle_id": "string"
}

Response samples

Content type
application/json
{
  • "result": {
    }
}

Get a system bundle deployment and build status

path Parameters
system
required
string.*

system ID

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

Deploy a system bundle

path Parameters
system
required
string.*

system ID

Request Body schema: application/json
required
force
required
boolean

activate even if bundle is not compatible with running agents

required
object (systems.v1.BundleActivation)

Responses

Request samples

Content type
application/json
{
  • "force": true,
  • "primary": {
    }
}

Response samples

Content type
application/json
{
  • "request_id": "string"
}

List system bundles

List system bundles, starting from the newest towards the oldest

path Parameters
system
required
string.*

system ID

query Parameters
past
boolean

if set to 'true', returns only bundles deployed in the past

version
integer

if set, the newest version to return

type
string

return only bundles of given type (policy, context)

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": [
    ]
}

Import bundle from archive or another system

path Parameters
system
required
string.*

system ID

Request Body schema:
required
source_system_id
required
string

ID of the system to copy bundle from

version
required
integer <int64>

bundle version in source_system_id system

Responses

Request samples

Content type
No sample

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

Get system bundle

path Parameters
system
required
string.*

system ID

bundle
required
string.*

bundle ID

version
required
integer

version #

query Parameters
kind
string
Default: "Plain"
Enum: "Plain" "BJson"

Kind of a bundle

Responses

Response samples

Content type
No sample

Get system bundle details

path Parameters
system
required
string.*

system ID

bundle
required
string.*

bundle ID

version
required
integer

version #

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

Get default system policies

path Parameters
system
required
string.*

system ID

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

Get default system policy

path Parameters
system
required
string.*

system ID

path
required
string.*

policy path

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": "string"
}

Get system delta bundle

path Parameters
system
required
string.*

system ID

bundle
required
string.*

bundle ID

version
required
integer

end version #

etag
required
string.*

start etag

Responses

Get the OPA discovery config for a system

path Parameters
system
required
string.*

system ID

header Parameters
If-None-Match
string

etag

Responses

Get system install/uninstall instructions

path Parameters
system
required
string.*

system ID

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

Migrate a system from one system type to another

path Parameters
system
required
string.*

system ID

Request Body schema: application/json
required
type
required
string

The system type ID to migrate the current system to

Responses

Request samples

Content type
application/json
{
  • "type": "string"
}

Response samples

Content type
application/json
{
  • "request_id": "string"
}

Get rule suggestions

path Parameters
system
required
string.*

system ID

query Parameters
stateful
boolean

true to get only the stateful suggestions, false for stateless, omit for both

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

Validate system compliance

path Parameters
system
required
string.*

system ID

query Parameters
asyncdelay
string

set delay of asynchronous response HTTP(202); range [1s - compliance-api-timeout].

asyncresponse
string

get asynchronous response; see HTTP(202) Location parameter.

interval
string

if set to 'latest', get most recent cached results for specified system.

Request Body schema: application/json
required
object

draft policies to be used for 'new' violations computation (path => rego)

extended
boolean

run extended compliance validation that is specific for the system/stack type

filter
object

filter violations with this selector (dot.path => value)

group_by
Array of strings[ items ]

group results by dot.path values (list of group levels with list of fields at each level)

limit
integer <int32>

maximum number of violations to return per monitor

object (data.v1.BuiltinMocks)
mode
string
Default: "delta"

validation mode. One of (delta, all, delta-count, all-count)

policy_type
string

policy type to narrow the monitor policy search (e.g. validating, mutating). Default (empty string or missing) is to run all monitoring policies

Array of objects (systems.v1.SortField)

list of fields to sort by

Responses

Request samples

Content type
application/json
{
  • "drafts": {
    },
  • "extended": true,
  • "filter": { },
  • "group_by": [
    ],
  • "limit": 0,
  • "mocks": {
    },
  • "mode": "delta",
  • "policy_type": "string",
  • "sort": [
    ]
}

Response samples

Content type
application/json
{
  • "mocks": {
    },
  • "request_id": "string",
  • "result": {
    }
}

Get next page of system compliance violations

path Parameters
system
required
string.*

system ID

cursor
required
string.*

paging cursor obtained from previous calls

query Parameters
limit
integer

maximum number of violations to return

Responses

Response samples

Content type
application/json
{
  • "mocks": {
    },
  • "request_id": "string",
  • "result": {
    }
}

Validate system unit tests

path Parameters
system
required
string.*

system ID

Request Body schema: application/json
required
object

draft policies to be used for 'new' violations computation (path => rego)

mode
string
Default: "delta"

validation mode. One of (delta, all, delta-count, all-count)

policy_type
string

policy type to narrow the monitor policy search (e.g. validating, mutating). Default (empty string or missing) is to run all monitoring policies

Responses

Request samples

Content type
application/json
{
  • "drafts": {
    },
  • "mode": "delta",
  • "policy_type": "string"
}

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

terraform-integration

API to manage Terraform Run Task integration

Handle callbacks for Terraform Run Task integrations.

Request Body schema: application/json
required
access_token
string
is_speculative
required
boolean
organization_name
string
payload_version
integer <int32>
plan_json_api_url
string
run_app_url
string
run_created_at
string
run_created_by
string
run_id
string
run_message
string
stage
string
task_result_callback_url
string
task_result_enforcement_level
string
task_result_id
string
vcs_branch
string
vcs_commit_url
string
vcs_pull_request_url
string
vcs_repo_url
string
workspace_app_url
string
workspace_id
string
workspace_name
string

Responses

Request samples

Content type
application/json
{
  • "access_token": "string",
  • "is_speculative": true,
  • "organization_name": "string",
  • "payload_version": 0,
  • "plan_json_api_url": "string",
  • "run_app_url": "string",
  • "run_created_at": "string",
  • "run_created_by": "string",
  • "run_id": "string",
  • "run_message": "string",
  • "stage": "string",
  • "task_result_callback_url": "string",
  • "task_result_enforcement_level": "string",
  • "task_result_id": "string",
  • "vcs_branch": "string",
  • "vcs_commit_url": "string",
  • "vcs_pull_request_url": "string",
  • "vcs_repo_url": "string",
  • "workspace_app_url": "string",
  • "workspace_id": "string",
  • "workspace_name": "string"
}

Delete the current Terraform Run Task integration. This does not delete the integration within Terraform Cloud or Enterprise.

Responses

Get the current Terraform Run Task integration.

Responses

Response samples

Content type
application/json
{
  • "data": {
    }
}

Upsert a new Terraform Run Task integration. This also creates the Terraform Run Task within Terraform Cloud or Enterprise.

Request Body schema: application/json
required
terraform_org
required
string
terraform_run_task_domain
required
string
terraform_token
required
string

Responses

Request samples

Content type
application/json
{
  • "terraform_org": "string",
  • "terraform_run_task_domain": "string",
  • "terraform_token": "string"
}

Response samples

Content type
application/json
{
  • "data": {
    }
}

Get the mappings of Terrafrom workspaces to DAS systems.

Responses

Response samples

Content type
application/json
{
  • "result": [
    ]
}

Upsert the mappings of Terrafrom workspaces to DAS systems.

Request Body schema: application/json
required
required
Array of objects (integrations.v1.Mapping)
Array
das_system
required
string
terraform_workspaces
required
Array of strings

Responses

Request samples

Content type
application/json
{
  • "mappings": [
    ]
}

Response samples

Content type
application/json
{
  • "result": [
    ]
}

timeseries

Timeseries

Handle advice

Request Body schema: application/json
required
data_kind
required
string
end_time
required
string <date-time>
policy
required
string
resolution
required
integer <int64>

resolution must be a multiple of minutes, this can be represented as a string or an integer e.g. '1m' or '60000000000'. Except when calling /violation then it must be a multiple of hours, e.g. '60m' or '3600000000000'

stack
required
string
start_time
required
string <date-time>
system
required
string

Responses

Request samples

Content type
application/json
{
  • "data_kind": "string",
  • "end_time": "2019-08-24T14:15:22Z",
  • "policy": "string",
  • "resolution": 0,
  • "stack": "string",
  • "start_time": "2019-08-24T14:15:22Z",
  • "system": "string"
}

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

Handle decision

query Parameters
filter
string
Value: "billing"

filter out decisions from aggregation (supported options: [billing])

Request Body schema: application/json
required
data_kind
required
string
end_time
required
string <date-time>
policy
required
string
resolution
required
integer <int64>

resolution must be a multiple of minutes, this can be represented as a string or an integer e.g. '1m' or '60000000000'. Except when calling /violation then it must be a multiple of hours, e.g. '60m' or '3600000000000'

stack
required
string
start_time
required
string <date-time>
system
required
string

Responses

Request samples

Content type
application/json
{
  • "data_kind": "string",
  • "end_time": "2019-08-24T14:15:22Z",
  • "policy": "string",
  • "resolution": 0,
  • "stack": "string",
  • "start_time": "2019-08-24T14:15:22Z",
  • "system": "string"
}

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

Handle deny

Request Body schema: application/json
required
data_kind
required
string
end_time
required
string <date-time>
policy
required
string
resolution
required
integer <int64>

resolution must be a multiple of minutes, this can be represented as a string or an integer e.g. '1m' or '60000000000'. Except when calling /violation then it must be a multiple of hours, e.g. '60m' or '3600000000000'

stack
required
string
start_time
required
string <date-time>
system
required
string

Responses

Request samples

Content type
application/json
{
  • "data_kind": "string",
  • "end_time": "2019-08-24T14:15:22Z",
  • "policy": "string",
  • "resolution": 0,
  • "stack": "string",
  • "start_time": "2019-08-24T14:15:22Z",
  • "system": "string"
}

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

Handle error

Request Body schema: application/json
required
data_kind
required
string
end_time
required
string <date-time>
policy
required
string
resolution
required
integer <int64>

resolution must be a multiple of minutes, this can be represented as a string or an integer e.g. '1m' or '60000000000'. Except when calling /violation then it must be a multiple of hours, e.g. '60m' or '3600000000000'

stack
required
string
start_time
required
string <date-time>
system
required
string

Responses

Request samples

Content type
application/json
{
  • "data_kind": "string",
  • "end_time": "2019-08-24T14:15:22Z",
  • "policy": "string",
  • "resolution": 0,
  • "stack": "string",
  • "start_time": "2019-08-24T14:15:22Z",
  • "system": "string"
}

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

Handle latency

Request Body schema: application/json
required
data_kind
required
string
end_time
required
string <date-time>
policy
required
string
resolution
required
integer <int64>

resolution must be a multiple of minutes, this can be represented as a string or an integer e.g. '1m' or '60000000000'. Except when calling /violation then it must be a multiple of hours, e.g. '60m' or '3600000000000'

stack
required
string
start_time
required
string <date-time>
system
required
string

Responses

Request samples

Content type
application/json
{
  • "data_kind": "string",
  • "end_time": "2019-08-24T14:15:22Z",
  • "policy": "string",
  • "resolution": 0,
  • "stack": "string",
  • "start_time": "2019-08-24T14:15:22Z",
  • "system": "string"
}

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

Handle timeseries metrics

Responses

Handle timeseries report

query Parameters
year
integer

if set, a report is generated for a month in this year (month must be specified)

month
integer

if set, starts the report is generate for this month (year must be specified)

system_id
string

if set, only returns decision counts related to the system

Responses

Response samples

Content type
application/json
{
  • "data": [
    ]
}

Handle timeseries report

query Parameters
year
integer

if set, starts the yearly report in this year (month must be specified)

month
integer

if set, starts the yearly report on this month (year must be specified)

system_id
string

if set, only returns decision counts related to the system

Responses

Response samples

Content type
application/json
{
  • "data": [
    ]
}

Handle unknown

Request Body schema: application/json
required
data_kind
required
string
end_time
required
string <date-time>
policy
required
string
resolution
required
integer <int64>

resolution must be a multiple of minutes, this can be represented as a string or an integer e.g. '1m' or '60000000000'. Except when calling /violation then it must be a multiple of hours, e.g. '60m' or '3600000000000'

stack
required
string
start_time
required
string <date-time>
system
required
string

Responses

Request samples

Content type
application/json
{
  • "data_kind": "string",
  • "end_time": "2019-08-24T14:15:22Z",
  • "policy": "string",
  • "resolution": 0,
  • "stack": "string",
  • "start_time": "2019-08-24T14:15:22Z",
  • "system": "string"
}

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

Handle usage

Request Body schema: application/json
required
end_time
required
string <date-time>
latest
required
boolean
resolution
required
integer <int64>
start_time
required
string <date-time>
system
required
string

Responses

Request samples

Content type
application/json
{
  • "end_time": "2019-08-24T14:15:22Z",
  • "latest": true,
  • "resolution": 0,
  • "start_time": "2019-08-24T14:15:22Z",
  • "system": "string"
}

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

Handle violation

Request Body schema: application/json
required
data_kind
required
string
end_time
required
string <date-time>
policy
required
string
resolution
required
integer <int64>

resolution must be a multiple of minutes, this can be represented as a string or an integer e.g. '1m' or '60000000000'. Except when calling /violation then it must be a multiple of hours, e.g. '60m' or '3600000000000'

stack
required
string
start_time
required
string <date-time>
system
required
string

Responses

Request samples

Content type
application/json
{
  • "data_kind": "string",
  • "end_time": "2019-08-24T14:15:22Z",
  • "policy": "string",
  • "resolution": 0,
  • "stack": "string",
  • "start_time": "2019-08-24T14:15:22Z",
  • "system": "string"
}

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

tokens

API tokens management

List tokens

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": [
    ]
}

Revoke token

path Parameters
tokenId
required
string.+

token ID

Responses

Response samples

Content type
application/json
{
  • "request_id": "string"
}

Get token

path Parameters
tokenId
required
string.+

token ID

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

Create or update a token

If If-None-Match header is set to *, tries to create a token, otherwise will try to either update or create depending on whether an unexpired token with that ID already exists. Token creation errors with a 409 code if an unexpired one already exists, on success returns the token secret (valid for the TTL whose default value is ~10 years). Token updates return nothing unless regenerate is true, in which case it returns the new secret. WARNING: If allow_path_patterns is unset or an empty list, all paths are allowed.

path Parameters
tokenId
required
string.+

token ID

Request Body schema: application/json
required
allow_path_patterns
required
Array of strings
description
required
string
regenerate
required
boolean
ttl
string

Responses

Request samples

Content type
application/json
{
  • "allow_path_patterns": [
    ],
  • "description": "string",
  • "regenerate": true,
  • "ttl": "string"
}

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": "string"
}

users

User management

List users

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": [
    ]
}

Delete user

path Parameters
userId
required
string.+

user ID

Responses

Response samples

Content type
application/json
{
  • "request_id": "string"
}

Get user

path Parameters
userId
required
string.+

user ID

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

Create/update user

path Parameters
userId
required
string.+

user ID

header Parameters
If-None-Match
string

if set to '*' then the request fill fail if the user already exists

Request Body schema: application/json
required
enabled
required
boolean
old_password
string
password
string
roles
Array of strings

Responses

Request samples

Content type
application/json
{
  • "enabled": true,
  • "old_password": "string",
  • "password": "string",
  • "roles": [
    ]
}

Response samples

Content type
application/json
{
  • "request_id": "string"
}

workspace

Workspace management

Get workspace

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

Patch workspace configuration. Similar to PUT but keeps current values for the top level fields

Patches workspace configuration

Request Body schema: application/json
required
object (workspace.v1.ActivityExporterConfig)
object (workspace.v1.DecisionExporterConfig)
object (workspace.v1.GithubConfiguration)
object (workspace.v1.MetricsExporterConfig)
object (git.v1.SourceControlConfig)

Responses

Request samples

Content type
application/json
{
  • "activity_exporter": {
    },
  • "decisions_exporter": {
    },
  • "github": {
    },
  • "metrics_exporter": {
    },
  • "source_control": {
    }
}

Response samples

Content type
application/json
{
  • "request_id": "string"
}

Update workspace

Updates workspace configuration

Request Body schema: application/json
required
object (workspace.v1.ActivityExporterConfig)
object (workspace.v1.DecisionExporterConfig)
object (workspace.v1.GithubConfiguration)
object (workspace.v1.MetricsExporterConfig)
object (git.v1.SourceControlConfig)

Responses

Request samples

Content type
application/json
{
  • "activity_exporter": {
    },
  • "decisions_exporter": {
    },
  • "github": {
    },
  • "metrics_exporter": {
    },
  • "source_control": {
    }
}

Response samples

Content type
application/json
{
  • "request_id": "string"
}

Get DAS ARN

Responses

Response samples

Content type
application/json
{
  • "das_trust_role": {
    },
  • "request_id": "string",
  • "result": "string"
}

Kafka connectivity test

Verifies that the Kafka topic can be accessed with the provided credentials.

Request Body schema: application/json
required
authentication
required
string

Kafka authentication mechanism: OPEN, PLAINTEXT, SASL, TLS

brokers
required
Array of strings

Kafka brokers

compression
string

Compression mechanism: GZIP, SNAPPY, LZ4, ZSTD

idempotent
boolean

Enable Kafka idempotent exactly once reliability semantics

max_message_size
integer <int32>
Default: 1000000

Max message size

max_retries
integer <int32>
Default: 3

Max send retries

object (workspace.v1.KafkaPlain)
required_acks
required
string

Required acks: WaitForLocal, WaitForAll replica ack(s)

object (workspace.v1.KafkaSasl)
timeout
string
Default: "10s"

Message timeout duration

object (workspace.v1.KafkaTls)
topic
required
string

Kafka topic

version
string

Kafka version: e.g. 2.0.0

Responses

Request samples

Content type
application/json
{
  • "authentication": "string",
  • "brokers": [
    ],
  • "compression": "string",
  • "idempotent": true,
  • "max_message_size": 1000000,
  • "max_retries": 3,
  • "plain": {
    },
  • "required_acks": "string",
  • "sasl": {
    },
  • "timeout": "10s",
  • "tls": {
    },
  • "topic": "string",
  • "version": "string"
}

Response samples

Content type
application/json
{
  • "kafka_code": "string",
  • "kafka_message": "string",
  • "request_id": "string"
}

Get S3 regions list

Get list of valid regions for S3 integration type

path Parameters
storagesvc
required
string.*

storagesvc id

Responses

Response samples

Content type
application/json
{
  • "result": [
    ]
}

Rotate master tenant key

Request Body schema: application/json
required
any (workspace.v1.RotateKeyRequest)

Responses

Request samples

Content type
application/json
null

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "s3_code": "string",
  • "s3_message": "string"
}

Get S3 decision configuration Deprecated

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

Update S3 decision configuration Deprecated

Request Body schema: application/json
required
interval
string
Default: "30s"

S3 exporter interval: range [30s,1h]

object (workspace.v1.KafkaConfig)
object (workspace.v1.S3DecisionConfig)

Responses

Request samples

Content type
application/json
{
  • "interval": "30s",
  • "kafka": {
    },
  • "s3_decisions": {
    }
}

Response samples

Content type
application/json
{
  • "request_id": "string"
}

S3 connectivity test

Verifies that the S3 bucket can be accessed with the provided credentials. Creates styra_test.json file

Request Body schema: application/json
required
access_keys
string

Access key ID and secret access key are stored at /v1/secrets/${access_keys}

endpoint
string

Custom endpoint or S3 compatible system endpoint (ie: https://storage.googleapis.com)

region
required
string

S3 Region (ie: us-east-1 or auto)

role_arn
string

S3 RoleARN to assume access, as an alternative to access keys

url
required
string

S3 Bucket URL (ie: s3://styra-storage or gs://styra-storage/folder)

Responses

Request samples

Content type
application/json
{
  • "access_keys": "string",
  • "endpoint": "string",
  • "region": "string",
  • "role_arn": "string",
  • "url": "string"
}

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "s3_code": "string",
  • "s3_message": "string"
}

Verify git access

Verifies that the repository can be accessed with the provided credentials

Request Body schema: application/json
required
commit
required
string

Commit SHA. Only one of reference or commit can be set at any time

credentials
required
string

Credentials are looked under the key /

id
required
string

id of the entity so that the config can be checked for duplicates

path
required
string

Path to limit the import to

reference
required
string

Remote reference. Only one of reference or commit can be set at any time

object (git.v1.SSHCredentials)
url
required
string

Repository URL

Responses

Request samples

Content type
application/json
{
  • "commit": "string",
  • "credentials": "string",
  • "id": "string",
  • "path": "string",
  • "reference": "string",
  • "ssh_credentials": {
    },
  • "url": "string"
}

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

Delete a user-owned branch

path Parameters
id
required
string.*

workspace id

Responses

Response samples

Content type
application/json
{
  • "request_id": "string"
}

List files in Styra DAS-created branch.

Gets the list of files for the branch that the Styra DAS creates when modifying rego in the Styra DAS UI and pushing the changes to GitHub in a branch for review.

path Parameters
id
required
string.*

workspace id

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

Commit files to workspace source control

Commit files to source control associated with a workspace

path Parameters
id
required
string.*

workspace id

Request Body schema: application/json
required
author
required
string
email
required
string
required
object

Map of filenames to file contents

files_to_delete
required
Array of strings

List of filenames to delete from the repo

message
required
string

Responses

Request samples

Content type
application/json
{
  • "author": "string",
  • "email": "string",
  • "files": {
    },
  • "files_to_delete": [
    ],
  • "message": "string"
}

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}

List files in current branch.

Gets the list of files in the currently chosen branch.

path Parameters
id
required
string.*

workspace id

Responses

Response samples

Content type
application/json
{
  • "request_id": "string",
  • "result": {
    }
}