A policy is a set of rules that determines what tools an agent can call and under what conditions. When you call POST /v1/authorize, Veto evaluates all enabled policies for the agent in priority order (highest first) and returns the first matching decision.
The policy object
agentId: UUID of the agent this policy governs.
name: Display name of the policy.
rules: Ordered list of rules. See Policy rules below. PolicyRule properties:
  type: Rule type. One of:
    "tool_allowlist" — only the listed tools are permitted
    "tool_denylist" — the listed tools are explicitly blocked
    "parameter_constraint" — tool calls must satisfy parameter constraints
    "rate_limit" — limits how often a tool can be called in a time window
    "time_based" — restricts tool calls to specific hours or days
  tools: Tool names this rule applies to. Supports glob patterns: "file.*" matches all tools in the file namespace, "*" matches all tools.
  parameters: Parameter constraints keyed by parameter name. Each value is a ParameterConstraint. Required when type is "parameter_constraint". ParameterConstraint properties:
    regex: The parameter value must match this regular expression.
    The parameter value must be one of these strings.
    The parameter value must be greater than or equal to this number.
    The parameter value must be less than or equal to this number.
  rateLimit: Rate limit configuration. Required when type is "rate_limit". RateLimitConfig properties:
    maxCalls: Maximum number of calls allowed in the time window. Maximum value: 1000000.
    windowSeconds: Length of the time window in seconds. Maximum value: 86400 (24 hours).
  timeWindow: Time-based access window. Required when type is "time_based". TimeWindowConfig properties:
    allowedHours: Hours of the day (0–23) when the tool is permitted. For example, [9, 10, 11, 12, 13, 14, 15, 16, 17] for 9 AM–5 PM.
    allowedDays: Days of the week (0=Sunday, 6=Saturday) when the tool is permitted. For example, [1, 2, 3, 4, 5] for weekdays.
    timezone: IANA timezone string used to interpret allowedHours and allowedDays. Defaults to UTC. Example: "America/Chicago".
priority: Evaluation order. Higher values are evaluated first. Defaults to 0. Range: 0–1000.
enabled: Whether the policy is active. Disabled policies are skipped during authorization.
createdAt: ISO 8601 timestamp of when the policy was created.
updatedAt: ISO 8601 timestamp of when the policy was last updated.
POST /v1/policies
Create a new policy for an agent.
Requires an API key with the admin scope.
Request body
agent_id: UUID of the agent to attach this policy to. Must belong to your workspace.
name: Display name for the policy. Between 1 and 255 characters.
rules: List of rules. Must contain between 1 and 50 rules. See Policy rules above for the rule schema.
priority: Evaluation priority. Higher values run first. Range: 0–1000.
enabled: Whether the policy is active immediately on creation.
Returns 201 with the created Policy object.
GET /v1/policies
List all policies in your workspace. Optionally filter by agent.
Query parameters
Filter results to policies attached to this agent UUID.
Returns an array of Policy objects.
GET /v1/policies/:id
Retrieve a single policy by its UUID.
Returns the Policy object, or 404 with POLICY_NOT_FOUND.
PATCH /v1/policies/:id
Update a policy’s name, rules, priority, or enabled state.
Requires an API key with the admin scope.
Request body
All fields are optional. Supply only the fields you want to change.
name: New display name. Between 1 and 255 characters.
rules: Replacement rule set. Replaces all existing rules. Must contain between 1 and 50 rules.
priority: New evaluation priority. Range: 0–1000.
enabled: Enable or disable the policy.
Returns the updated Policy object, or 404 with POLICY_NOT_FOUND.
DELETE /v1/policies/:id
Delete a policy.
Requires an API key with the admin scope.
Returns 204 No Content on success, or 404 with POLICY_NOT_FOUND.
Create policy with multiple rule types
curl --request POST \
  --url https://api.veto.tools/v1/policies \
  --header 'Authorization: Bearer veto_your_api_key' \
  --header 'Content-Type: application/json' \
  --data '{
    "agent_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
    "name": "Production safeguards",
    "priority": 10,
    "enabled": true,
    "rules": [
      {
        "type": "tool_denylist",
        "tools": ["db.drop", "db.truncate", "fs.delete"]
      },
      {
        "type": "parameter_constraint",
        "tools": ["file.write"],
        "parameters": {
          "path": {
            "regex": "^/home/user/"
          }
        }
      },
      {
        "type": "rate_limit",
        "tools": ["web.search"],
        "rateLimit": {
          "maxCalls": 50,
          "windowSeconds": 3600
        }
      },
      {
        "type": "time_based",
        "tools": ["*"],
        "timeWindow": {
          "allowedHours": [9, 10, 11, 12, 13, 14, 15, 16, 17],
          "allowedDays": [1, 2, 3, 4, 5],
          "timezone": "America/New_York"
        }
      }
    ]
  }'

{
  "id": "p9f1a2b3-c4d5-6789-efab-012345678901",
  "agentId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "name": "Production safeguards",
  "priority": 10,
  "enabled": true,
  "rules": [
    {
      "type": "tool_denylist",
      "tools": ["db.drop", "db.truncate", "fs.delete"]
    },
    {
      "type": "parameter_constraint",
      "tools": ["file.write"],
      "parameters": {
        "path": { "regex": "^/home/user/" }
      }
    },
    {
      "type": "rate_limit",
      "tools": ["web.search"],
      "rateLimit": { "maxCalls": 50, "windowSeconds": 3600 }
    },
    {
      "type": "time_based",
      "tools": ["*"],
      "timeWindow": {
        "allowedHours": [9, 10, 11, 12, 13, 14, 15, 16, 17],
        "allowedDays": [1, 2, 3, 4, 5],
        "timezone": "America/New_York"
      }
    }
  ],
  "createdAt": "2024-11-15T10:00:00.000Z",
  "updatedAt": "2024-11-15T10:00:00.000Z"
}
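
A pre-flight check for a policy request body, added here as an example (it is not Veto's own code or SDK; lint_policy and SAMPLE are hypothetical names). It applies the limits documented above before the body is sent to POST /v1/policies, and warns on regex constraints without a trailing "$". That warning assumes the service applies the regex as a search and does not normalize paths, neither of which this page states; under that assumption "^/home/user/" also accepts "/home/user/../../etc/passwd".

```python
RULE_TYPES = {"tool_allowlist", "tool_denylist", "parameter_constraint",
              "rate_limit", "time_based"}
# Config object each rule type requires, per the field descriptions above.
REQUIRED = {"parameter_constraint": "parameters", "rate_limit": "rateLimit",
            "time_based": "timeWindow"}

def lint_policy(body):
    """Return a list of problems in a POST /v1/policies request body."""
    out = []
    if not 1 <= len(body.get("name", "")) <= 255:
        out.append("name: must be 1-255 characters")
    if not 0 <= body.get("priority", 0) <= 1000:
        out.append("priority: must be 0-1000")
    rules = body.get("rules", [])
    if not 1 <= len(rules) <= 50:
        out.append("rules: must contain 1-50 rules")
    for i, rule in enumerate(rules):
        at, rtype = f"rules[{i}]", rule.get("type")
        cfg = rule.get(REQUIRED.get(rtype, ""))
        if rtype not in RULE_TYPES:
            out.append(f"{at}: unknown type {rtype!r}")
        elif rtype in REQUIRED and not isinstance(cfg, dict):
            out.append(f"{at}: {rtype} requires {REQUIRED[rtype]}")
        elif rtype == "rate_limit":
            if cfg.get("maxCalls", 0) > 1_000_000:
                out.append(f"{at}: maxCalls exceeds 1000000")
            if cfg.get("windowSeconds", 0) > 86400:
                out.append(f"{at}: windowSeconds exceeds 86400")
        elif rtype == "time_based":
            if any(h not in range(24) for h in cfg.get("allowedHours", [])):
                out.append(f"{at}: allowedHours outside 0-23")
            if any(d not in range(7) for d in cfg.get("allowedDays", [])):
                out.append(f"{at}: allowedDays outside 0-6")
        elif rtype == "parameter_constraint":
            for pname, c in cfg.items():
                # Heuristic (assumes search-style matching): no trailing "$".
                if "regex" in c and not c["regex"].endswith("$"):
                    out.append(f"{at}.{pname}: warning: regex not end-anchored")
    return out

# Constructed sample: rules taken from the page's curl example.
SAMPLE = {"name": "Production safeguards", "priority": 10, "rules": [
    {"type": "tool_denylist", "tools": ["db.drop", "db.truncate", "fs.delete"]},
    {"type": "parameter_constraint", "tools": ["file.write"],
     "parameters": {"path": {"regex": "^/home/user/"}}},
    {"type": "rate_limit", "tools": ["web.search"],
     "rateLimit": {"maxCalls": 50, "windowSeconds": 3600}},
]}
print("\n".join(lint_policy(SAMPLE)))
```

An end anchor alone does not exclude ".." segments, so the warning is a prompt to review the pattern rather than proof that it is safe once silenced.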