Skip to main content

Media Governance Configuration API

The Media Governance Configuration API allows you to check feature availability, retrieve the current media governance settings, and update per-tenant configuration. These endpoints are served by the Orchestrator on port 8081.

For background on media governance concepts (system policies, analyzers, policy conditions), see Media Governance.

Authentication

All endpoints require Basic authentication using your client ID and client secret:

curl http://localhost:8081/api/v1/media-governance/status \
  -H "Authorization: Basic $(echo -n 'your-client-id:your-client-secret' | base64)"

Header compatibility: These endpoints accept both X-Tenant-ID (preferred) and X-Org-ID (backward-compatible) for tenant identification.

Tier Restrictions

The level of control available depends on your AxonFlow tier:

CapabilityCommunityEvaluationEnterprise
Get feature statusYesYesYes
Get media governance configYesYesYes
Enable/disable media governanceEnv var onlyEnv var onlyAPI per-tenant
Set allowed analyzersNoNoYes

Community and Evaluation tiers can read configuration but cannot modify it through the API. Use the MEDIA_GOVERNANCE_ENABLED environment variable for platform-wide control on those tiers.

Endpoints

GET /api/v1/media-governance/status

Returns the media governance feature availability for the authenticated tenant's tier. Use this endpoint to determine what capabilities are available before attempting configuration changes.

Request:

curl http://localhost:8081/api/v1/media-governance/status \
  -H "Authorization: Basic $(echo -n 'my-app:my-secret' | base64)" \
  -H "X-Tenant-ID: my-tenant"

Response (200 OK):

{
  "available": true,
  "enabled_by_default": true,
  "per_tenant_control": false,
  "tier": "evaluation"
}

Response Fields:

FieldTypeDescription
availableboolWhether media governance is available on this tier
enabled_by_defaultboolWhether media governance is enabled without explicit configuration
per_tenant_controlboolWhether the tenant can manage its own configuration via the API
tierstringThe tier of the authenticated tenant (community, evaluation, or enterprise)

Tier-Specific Responses:

Tieravailableenabled_by_defaultper_tenant_control
Community (env var not set)falsefalsefalse
Community (env var set)truefalsefalse
Evaluationtruetruefalse
Enterprisetruetruetrue

GET /api/v1/media-governance/config

Returns the current media governance configuration for the authenticated tenant.

Request:

curl http://localhost:8081/api/v1/media-governance/config \
  -H "Authorization: Basic $(echo -n 'my-app:my-secret' | base64)" \
  -H "X-Tenant-ID: my-tenant"

Response (200 OK):

{
  "tenant_id": "my-tenant",
  "enabled": true,
  "allowed_analyzers": [],
  "updated_at": "2026-02-19T10:00:00Z",
  "updated_by": "admin"
}

Response Fields:

FieldTypeDescription
tenant_idstringThe tenant this configuration belongs to
enabledboolWhether media governance is currently active for this tenant
allowed_analyzers[]stringList of permitted analyzer names. Empty means all registered analyzers are allowed.
updated_atstringISO 8601 timestamp of the last configuration change
updated_bystringIdentifier of the user who last updated the configuration

Notes:

  • For Community and Evaluation tiers, enabled reflects the platform-wide setting (environment variable). The allowed_analyzers field will always be empty (all analyzers permitted).
  • For Enterprise tier, enabled and allowed_analyzers reflect per-tenant settings that can be modified via PUT.

PUT /api/v1/media-governance/config

Updates the media governance configuration for the authenticated tenant. Enterprise tier only.

Request:

curl -X PUT http://localhost:8081/api/v1/media-governance/config \
  -H "Content-Type: application/json" \
  -H "Authorization: Basic $(echo -n 'my-app:my-secret' | base64)" \
  -H "X-Tenant-ID: my-tenant" \
  -d '{
    "enabled": false,
    "allowed_analyzers": ["local-ocr", "aws-rekognition"]
  }'

Request Body:

FieldTypeRequiredDescription
enabledboolNoEnable or disable media governance for this tenant. If omitted, the current value is preserved.
allowed_analyzers[]stringNoRestrict which analyzers this tenant can use. An empty list allows all registered analyzers. If omitted, the current value is preserved.

Response (200 OK):

{
  "tenant_id": "my-tenant",
  "enabled": false,
  "allowed_analyzers": ["local-ocr", "aws-rekognition"],
  "updated_at": "2026-02-19T10:05:00Z",
  "updated_by": "admin"
}

The response format is identical to GET /api/v1/media-governance/config and reflects the updated configuration.

Error Responses:

HTTP StatusCodeDescription
400INVALID_REQUESTRequest body contains invalid fields or values
401UNAUTHORIZEDMissing or invalid authentication
403TIER_RESTRICTEDConfiguration updates are not available on your tier (Community/Evaluation)

Example (403 on non-Enterprise tier):

{
  "error": {
    "code": "TIER_RESTRICTED",
    "message": "Per-tenant media governance configuration requires an Enterprise license. Use the MEDIA_GOVERNANCE_ENABLED environment variable for platform-wide control."
  }
}

Usage Examples

Disable media governance for a tenant

curl -X PUT http://localhost:8081/api/v1/media-governance/config \
  -H "Content-Type: application/json" \
  -H "Authorization: Basic $(echo -n 'my-app:my-secret' | base64)" \
  -H "X-Tenant-ID: my-tenant" \
  -d '{"enabled": false}'

Restrict a tenant to local analyzers only

curl -X PUT http://localhost:8081/api/v1/media-governance/config \
  -H "Content-Type: application/json" \
  -H "Authorization: Basic $(echo -n 'my-app:my-secret' | base64)" \
  -H "X-Tenant-ID: my-tenant" \
  -d '{"allowed_analyzers": ["local-ocr"]}'

Reset a tenant to allow all analyzers

curl -X PUT http://localhost:8081/api/v1/media-governance/config \
  -H "Content-Type: application/json" \
  -H "Authorization: Basic $(echo -n 'my-app:my-secret' | base64)" \
  -H "X-Tenant-ID: my-tenant" \
  -d '{"allowed_analyzers": []}'

See Also

Last updated on