API Access Policies

Define how access to APIs is allowed or declined.

Written by Ossi Galkin
Updated over 6 months ago

When using OAuth for API Triggers, you also need to assign an access policy to the API before any call is granted access. Access is denied by default: if no API access policy is set, no call made with an OAuth bearer token is accepted, even if the token itself is valid.

Managing access policies

As an administrator, you can create new access policies and edit existing ones in the Administration > API Access Policies view. 

Create a new one by pressing the + Create new access policy button.

You need to give the policy a descriptive name and at least one rule. Rules are evaluated against the claims of the OAuth token. A rule matches a claim by its type and, optionally, by its value. The type of the claim is the name of the field in the token. If you only want to check that a claim exists (e.g. isAdmin: true), give the claim name and leave the value empty. If you want to check that the claim has a specific value, e.g. "role": ["admin", "user"], give the value to match as well. Please note that all matches are exact: they are case-sensitive and wildcards are not supported.

Allow rules define the conditions a token must satisfy to grant access. If a policy has multiple allow rules, all of them must match for the call to be allowed. Deny rules, on the other hand, block access if any one of them matches, regardless of the allow rules. Deny rules can be used e.g. for maintaining token blacklists, such as rejecting a specific token identifier.

You can also restrict a policy to tokens from a specific issuer. E.g. you can apply more stringent rules to tokens from public identity providers, like Google, while allowing all tokens from your internal Active Directory.
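The following is an added illustration of the rule semantics described above (claim matching, allow and deny rules, and issuer scoping); it is example code written for this article, not the product's own implementation. The policy names, issuer URLs and token claims are constructed sample data. Two details the article does not spell out are treated as assumptions and marked in the code: a value rule against an array claim matches if the value is one of the array's elements, and a policy without allow rules grants nothing (fail closed).

```python
"""Claim-based API access policy evaluation (illustrative model, not the product's code)."""
from dataclasses import dataclass, field
from typing import Any, Mapping, Optional, Sequence


@dataclass(frozen=True)
class Rule:
    """Matches a token claim by name and, optionally, by exact value.

    value=None means "the claim only has to exist". Matching is exact and
    case-sensitive; an asterisk is a literal character, not a wildcard.
    """
    claim: str
    value: Optional[str] = None

    def matches(self, claims: Mapping[str, Any]) -> bool:
        if self.claim not in claims:
            return False
        if self.value is None:          # existence check, e.g. isAdmin: true
            return True
        actual = claims[self.claim]
        # Assumption: for an array claim such as "role": ["admin", "user"] the rule
        # matches if the value is one of the elements; a scalar claim must be equal.
        if isinstance(actual, (list, tuple)):
            return any(item == self.value for item in actual)
        return actual == self.value


@dataclass
class AccessPolicy:
    name: str
    allow: Sequence[Rule] = field(default_factory=tuple)
    deny: Sequence[Rule] = field(default_factory=tuple)
    issuer: Optional[str] = None        # when set, the policy applies only to this "iss"

    def applies_to(self, claims: Mapping[str, Any]) -> bool:
        return self.issuer is None or claims.get("iss") == self.issuer

    def grants(self, claims: Mapping[str, Any]) -> bool:
        """Any matching deny rule blocks; otherwise every allow rule must match."""
        if not self.applies_to(claims):
            return False
        if any(rule.matches(claims) for rule in self.deny):
            return False
        # Assumption: a policy with no allow rules grants nothing (fail closed).
        return bool(self.allow) and all(rule.matches(claims) for rule in self.allow)


def is_call_allowed(policies: Sequence[AccessPolicy], claims: Mapping[str, Any]) -> bool:
    """Default deny: with no policies configured, no bearer token is accepted.

    Assumption: when several policies are assigned, access is granted if any one of them grants it.
    """
    return any(policy.grants(claims) for policy in policies)


# Constructed sample policies (hypothetical issuer URLs and claim names).
PUBLIC_POLICY = AccessPolicy(
    name="Google accounts from our domain",
    issuer="https://accounts.google.com",
    allow=(Rule("email_verified"), Rule("hd", "example.com")),
)
INTERNAL_POLICY = AccessPolicy(
    name="Internal Active Directory",
    issuer="https://login.example.com",
    allow=(Rule("sub"),),                     # every token has a subject: allow all of them
    deny=(Rule("jti", "revoked-token-0042"),) # token blacklist by token identifier
)
POLICIES = (PUBLIC_POLICY, INTERNAL_POLICY)

# Constructed sample token claim sets (already decoded and signature-verified upstream).
GOOGLE_CLAIMS = {"iss": "https://accounts.google.com", "sub": "1234567890",
                 "email_verified": True, "hd": "example.com"}
INTERNAL_CLAIMS = {"iss": "https://login.example.com", "sub": "alice",
                   "role": ["admin", "user"], "jti": "token-0007"}
REVOKED_CLAIMS = {"iss": "https://login.example.com", "sub": "mallory",
                  "role": ["user"], "jti": "revoked-token-0042"}
FOREIGN_CLAIMS = {"iss": "https://idp.other.example", "sub": "bob",
                  "email_verified": True, "hd": "example.com"}

if __name__ == "__main__":
    for label, claims in [("google", GOOGLE_CLAIMS), ("internal", INTERNAL_CLAIMS),
                          ("revoked", REVOKED_CLAIMS), ("foreign", FOREIGN_CLAIMS)]:
        print(f"{label:9} allowed={is_call_allowed(POLICIES, claims)}")
```

Note that the foreign issuer's token carries exactly the claims the public policy asks for and is still rejected, because that policy is scoped to Google's issuer; the check that the upstream verifier actually validated the token signature and the `iss` claim is what makes issuer scoping meaningful.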
