Resource Policies API
CRUD for attribute-based resource policies.
Resource policies provide standalone ABAC rules evaluated during the permission check pipeline.
Scope: permissions:manage
Rate limit: 500/hr
List policies
GET /api/v1/permissions/policies
```bash
curl https://api.platformxe.com/api/v1/permissions/policies \
  -H "x-api-key: pxk_live_your_api_key_here"
```

```javascript
const policies = await px.permissions.listPolicies();
```
Create a policy
POST /api/v1/permissions/policies
| Field | Type | Required | Description |
|---|---|---|---|
| name | string | Yes | Policy name |
| resource | string | Yes | Resource path to match |
| action | string | Yes | Action to govern |
| effect | string | Yes | ALLOW or DENY |
| priority | number | Yes | Evaluation order (lower = first) |
| conditions | object | Yes | Condition tree with operators and combinators |
```bash
curl -X POST https://api.platformxe.com/api/v1/permissions/policies \
  -H "Content-Type: application/json" \
  -H "x-api-key: pxk_live_your_api_key_here" \
  -d '{
    "name": "Deny deletion of published articles",
    "resource": "articles",
    "action": "delete",
    "effect": "DENY",
    "priority": 1,
    "conditions": {
      "all": [
        { "field": "resource.status", "operator": "equals", "value": "published" }
      ]
    }
  }'
```

```javascript
await px.permissions.createPolicy({
  name: 'Deny deletion of published articles',
  resource: 'articles',
  action: 'delete',
  effect: 'DENY',
  priority: 1,
  conditions: {
    all: [
      { field: 'resource.status', operator: 'equals', value: 'published' },
    ],
  },
});
```
Update a policy
PATCH /api/v1/permissions/policies/:id
```bash
curl -X PATCH https://api.platformxe.com/api/v1/permissions/policies/pol_abc123 \
  -H "Content-Type: application/json" \
  -H "x-api-key: pxk_live_your_api_key_here" \
  -d '{
    "priority": 5,
    "conditions": {
      "all": [
        { "field": "resource.status", "operator": "in", "value": ["published", "archived"] }
      ]
    }
  }'
```
Delete a policy
DELETE /api/v1/permissions/policies/:id
```bash
curl -X DELETE https://api.platformxe.com/api/v1/permissions/policies/pol_abc123 \
  -H "x-api-key: pxk_live_your_api_key_here"
```
When multiple policies match the same resource and action, deny-effect policies always win regardless of priority. Design your policy set accordingly.
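The deny-wins rule above can be checked against a policy set before it is deployed. The following is an added example, not PlatformXE's evaluation engine or SDK code: a local model that resolves a request against policies shaped like the create payload. It assumes exact string matching on `resource` and `action`, a hypothetical `user.role` context field, and a `NO_MATCH` result when nothing applies (the page does not state a default).

```javascript
// Added example: a local model of the documented rules, not PlatformXE's engine.
// Models only what the page shows: the "all" combinator, "equals" and "in".
const OPERATORS = {
  equals: (actual, expected) => actual === expected,
  in: (actual, expected) => Array.isArray(expected) && expected.includes(actual),
};

// Resolve a dotted path such as "resource.status" against the request context.
function getField(context, path) {
  return path.split('.').reduce((node, key) => (node == null ? undefined : node[key]), context);
}

function conditionsMatch(conditions, context) {
  if (!conditions || !Array.isArray(conditions.all)) {
    throw new Error('only the "all" combinator is modelled here');
  }
  return conditions.all.every(({ field, operator, value }) => {
    const op = OPERATORS[operator];
    if (!op) throw new Error(`unknown operator: ${operator}`); // the API reports BAD_REQUEST
    return op(getField(context, field), value);
  });
}

// Returns { effect, policy }; effect is DENY, ALLOW or NO_MATCH (assumed default).
// Assumption: resource and action are compared as exact strings.
function evaluate(policies, resource, action, context) {
  const matching = policies
    .filter((p) => p.resource === resource && p.action === action)
    .filter((p) => conditionsMatch(p.conditions, context))
    .sort((a, b) => a.priority - b.priority); // lower = first
  const deny = matching.find((p) => p.effect === 'DENY');
  if (deny) return { effect: 'DENY', policy: deny.name }; // deny wins regardless of priority
  const allow = matching.find((p) => p.effect === 'ALLOW');
  return allow ? { effect: 'ALLOW', policy: allow.name } : { effect: 'NO_MATCH', policy: null };
}

// Constructed policy set: the ALLOW has the lower (earlier) priority number.
const samplePolicies = [
  { name: 'Editors may delete articles', resource: 'articles', action: 'delete', effect: 'ALLOW', priority: 1,
    conditions: { all: [{ field: 'user.role', operator: 'equals', value: 'editor' }] } },
  { name: 'Deny deletion of published articles', resource: 'articles', action: 'delete', effect: 'DENY', priority: 5,
    conditions: { all: [{ field: 'resource.status', operator: 'in', value: ['published', 'archived'] }] } },
];

const editor = { role: 'editor' }; // constructed request subject
console.log(evaluate(samplePolicies, 'articles', 'delete', { user: editor, resource: { status: 'published' } }));
console.log(evaluate(samplePolicies, 'articles', 'delete', { user: editor, resource: { status: 'draft' } }));
```

In the first call the priority-5 DENY overrides the priority-1 ALLOW; in the second only the ALLOW matches, which shows that an ALLOW cannot be used to carve an exception out of a broader DENY.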
Error responses
| Code | Description |
|---|---|
| BAD_REQUEST | Invalid conditions, missing fields, or unknown operator |
| NOT_FOUND | Policy ID does not exist |
| FORBIDDEN | API key missing permissions:manage scope |