POST /api/policy
curl --request POST \
  --url https://{organization_id}.platform.barndoor.ai/api/policy \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "policies": [
    {
      "apiVersion": "api.cerbos.dev/v1",
      "resourcePolicy": {
        "resource": "123e4567-e89b-12d3-a456-426614174000",
        "version": "default",
        "scope": "987fcdeb-51a2-43d1-9f12-123456789abc",
        "rules": [
          {
            "name": "allow_all",
            "actions": [
              "*"
            ],
            "effect": "EFFECT_ALLOW",
            "roles": [
              "*"
            ]
          }
        ]
      }
    }
  ]
}
'
{
  "success": {}
}
This endpoint creates or updates access control policies. A policy is keyed by its resource (the server ID) and scope (the agent ID): posting a policy for a resource/scope pair that already exists updates it, otherwise a new policy is created. A request may carry several policies in the policies array.

Key Concepts

Action Format

Actions follow the MCP convention. Use tools/call:{tool_name} for tool permissions:

Action                          Description
*                               All actions (wildcard)
tools/call:chat_postMessage     One specific tool
tools/call:get_*                Pattern matching (if supported)

Common Patterns

Main Toggle ON - Use an allow_all rule with EFFECT_ALLOW:
{
  "name": "allow_all",
  "effect": "EFFECT_ALLOW",
  "actions": ["*"],
  "roles": ["*"]
}
Deny Specific Tool - Add a deny rule, named after the tool, after allow_all:
{
  "name": "chat_postMessage",
  "effect": "EFFECT_DENY",
  "actions": ["tools/call:chat_postMessage"],
  "roles": ["*"]
}
Toggle Restriction - Switch a restriction by changing that rule's effect: EFFECT_DENY while the restriction is active, EFFECT_ALLOW while it is inactive. The rule stays in the policy either way, so the next toggle is again a one-field change.
For a comprehensive guide, see Manage Access Policies.
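The patterns above can be assembled and checked locally before anything is sent. The following is an added example, not Barndoor SDK or documentation code: it builds the policy body in the shape this page shows (allow_all first, one EFFECT_ALLOW/EFFECT_DENY rule per restricted tool, tools/call:{tool_name} actions), flips a restriction the way the toggle pattern describes, validates the body client-side, and prepares the same POST the curl example sends. The client-side checks and the assumption that tool names are identifier-like are mine; the endpoint may enforce more or less than this. No request is sent unless you call submit().

```python
"""Build, toggle, validate and submit Barndoor /api/policy bodies (added example)."""
import json
import re
import urllib.request

API_VERSION = "api.cerbos.dev/v1"
# Assumption: tool names are identifier-like; "*" on its own is the documented wildcard,
# and "*" inside a tool name is the page's "pattern matching (if supported)" case.
ACTION_RE = re.compile(r"^(\*|tools/call:[A-Za-z0-9_.\-*]+)$")


def tool_action(tool_name: str) -> str:
    """Map a tool name to the page's action convention: chat_postMessage -> tools/call:chat_postMessage."""
    action = f"tools/call:{tool_name}"
    if not ACTION_RE.match(action):
        raise ValueError(f"invalid tool name: {tool_name!r}")
    return action


def build_policy(server_id: str, agent_id: str, restrictions: dict) -> dict:
    """Return one resource policy for (server_id, agent_id).

    restrictions maps tool name -> bool (True = restriction active = EFFECT_DENY,
    False = inactive = EFFECT_ALLOW).  allow_all always comes first; per-tool rules
    follow it in sorted order so repeated builds produce byte-identical bodies.
    """
    rules = [{"name": "allow_all", "effect": "EFFECT_ALLOW", "actions": ["*"], "roles": ["*"]}]
    for tool_name, active in sorted(restrictions.items()):
        rules.append({
            "name": tool_name,
            "effect": "EFFECT_DENY" if active else "EFFECT_ALLOW",
            "actions": [tool_action(tool_name)],
            "roles": ["*"],
        })
    return {
        "apiVersion": API_VERSION,
        "resourcePolicy": {"resource": server_id, "version": "default", "scope": agent_id, "rules": rules},
    }


def toggle_restriction(policy: dict, tool_name: str, active: bool) -> dict:
    """Flip an existing per-tool rule between EFFECT_DENY (active) and EFFECT_ALLOW (inactive)."""
    for rule in policy["resourcePolicy"]["rules"]:
        if rule["name"] == tool_name and rule["name"] != "allow_all":
            rule["effect"] = "EFFECT_DENY" if active else "EFFECT_ALLOW"
            return policy
    raise KeyError(f"no per-tool rule named {tool_name!r}")


def validate_policy(policy: dict) -> None:
    """Reject bodies that do not match the shape shown on this page (client-side check, my assumption)."""
    if policy.get("apiVersion") != API_VERSION:
        raise ValueError("apiVersion must be api.cerbos.dev/v1")
    rp = policy.get("resourcePolicy") or {}
    for key in ("resource", "version", "scope", "rules"):
        if not rp.get(key):
            raise ValueError(f"resourcePolicy.{key} is required")
    for rule in rp["rules"]:
        name = rule.get("name")
        if rule.get("effect") not in ("EFFECT_ALLOW", "EFFECT_DENY"):
            raise ValueError(f"rule {name!r}: bad effect {rule.get('effect')!r}")
        if not rule.get("actions") or not rule.get("roles"):
            raise ValueError(f"rule {name!r}: actions and roles must be non-empty")
        for action in rule["actions"]:
            if not ACTION_RE.match(action):
                raise ValueError(f"rule {name!r}: bad action {action!r}")


def build_request(org_id: str, token: str, policies: list) -> urllib.request.Request:
    """Prepare POST https://{org_id}.platform.barndoor.ai/api/policy as the curl example does (not sent here)."""
    for policy in policies:
        validate_policy(policy)
    return urllib.request.Request(
        url=f"https://{org_id}.platform.barndoor.ai/api/policy",
        data=json.dumps({"policies": policies}).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )


def submit(req: urllib.request.Request, timeout: float = 10.0) -> dict:
    """Send the prepared request and return the parsed JSON body ({"success": {}} on success)."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    # Constructed sample input using the IDs from this page; replace the org ID and token.
    policy = build_policy(
        "123e4567-e89b-12d3-a456-426614174000",
        "987fcdeb-51a2-43d1-9f12-123456789abc",
        {"chat_postMessage": True, "chat_delete": False},
    )
    toggle_restriction(policy, "chat_delete", True)  # activate the second restriction
    req = build_request("<organization_id>", "<token>", [policy])
    print(req.get_method(), req.full_url)
    print(json.dumps({"policies": [policy]}, indent=2))
```

Keeping the inactive rule in the body (EFFECT_ALLOW) rather than deleting it mirrors the toggle pattern above and keeps the rule set stable between requests, which makes diffs of successive policy bodies reviewable.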

Authorizations

Authorization (string, header, required)

JWT token obtained through the Auth0 OAuth 2.0 flow with PKCE.

Include the token in the Authorization header: Authorization: Bearer <your-jwt-token>

Use the Barndoor SDK's loginInteractive() function to obtain tokens automatically.

Body (application/json)

policies (object[], required)

Array of policies to create or update.

Response

Policies created/updated successfully.

success (object)