Skip to main content
POST
/
policies
/
validate
curl --request POST \
  --url http://localhost:3000/policies/validate \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "policyId": "vendor-payment",
  "policyVersion": "2.0.0"
}
'
{
  "valid": true,
  "errors": []
}
{
"valid": false,
"errors": [
"policyVersion is required."
]
}
{
"error": "authentication required"
}
{
"valid": false,
"errors": [
"Policy 'does-not-exist' version '9.9.9' was not found."
]
}

Authorizations

Authorization
string
header
required

Caller API key issued by scripts/generate-api-key.ts. Sent as Authorization: Bearer . Verified against a stored SHA-256 hash in constant time by packages/api/src/auth/StaticKeyAuthenticator.ts. Required on every route except GET /health. See /api-reference/authentication.

Body

application/json

Request payload for POST /policies/validate. policyId and policyVersion are each required non-empty strings, checked in that order; each missing/empty field is rejected with its own 400 and a distinct message.

policyId
string
required

Policy name, matching the directory name under the configured policy directory.

Minimum string length: 1
policyVersion
string
required

Policy version, matching the version subdirectory.

Minimum string length: 1

Response

Policy exists and is readable.

Response returned by POST /policies/validate on every status code (200, 400, and 404 all use this exact shape). This endpoint does NOT use the shared Error envelope (../common/error.schema.json) for its failure responses.

valid
boolean
required

Whether the referenced policy exists and is readable.

errors
string[]
required

Empty when valid is true; otherwise exactly one human-readable message.