OJK Compliance API Reference

This reference documents the OJK endpoints registered in the current enterprise build. The module covers Indonesian regulatory frameworks: OJK AI Governance, UU PDP (Law 27/2022), and BI payment system (PBI 23/6 and 23/7).

Caution: This reference is engineering documentation for teams building governed AI on AxonFlow. It is not legal advice. Validate the regulatory mapping with your legal and compliance teams before relying on it for OJK, BI, or UU PDP compliance.

Authentication

Tenant resolution works in this order:

  • Tenant context (derived from Basic auth credentials), preferred
  • X-Org-ID fallback

Use X-User-ID when you want explicit attribution on export flows, breach notifications, and kill-switch actions.

Route overview

Route                            Method
/api/v1/ojk/audit/export         POST
/api/v1/ojk/audit/export/{id}    GET
/api/v1/ojk/audit/retention      GET
/api/v1/ojk/audit/readiness      GET
/api/v1/ojk/breach/notify        POST
/api/v1/ojk/dashboard            GET

Export API

Create export

POST /api/v1/ojk/audit/export

Supported request fields:

{
  "start_date": "2026-01-01T00:00:00Z",
  "end_date": "2026-03-31T23:59:59Z",
  "data_types": ["policy_violations", "llm_calls", "decision_chain", "pii_redactions", "cross_border_transfers"],
  "format": "json",
  "framework": "OJK_AI_GOVERNANCE",
  "include_archived": false,
  "redact_pii": true,
  "filters": {
    "agent_ids": ["customer-copilot"],
    "severity": "high",
    "include_model_info": true
  }
}

Request field details:

  • start_date and end_date: time.Time fields defining the export window
  • data_types: typed enum (policy_violations, llm_calls, decision_chain, hitl_oversight, pii_redactions, cross_border_transfers, or all)
  • format: json, csv, or xml
  • framework: OJK_AI_GOVERNANCE, UU_PDP, BI_PJP, or OJK_BI_COMBINED
  • filters: supports agent IDs, user IDs, severity, policy types, violation types, and include_model_info
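Added example, not AxonFlow's own code: a Python client that validates an export request against the enum values listed above and builds the POST with Basic auth and X-User-ID, without sending it. The helper name build_export_request, the username/password parameters for the Basic credentials, and any base URL passed in are assumptions of this example.

```python
import base64
import json
import urllib.request
from datetime import timezone

# Enum values as listed in this reference.
DATA_TYPES = {"policy_violations", "llm_calls", "decision_chain", "hitl_oversight",
              "pii_redactions", "cross_border_transfers", "all"}
FORMATS = {"json", "csv", "xml"}
FRAMEWORKS = {"OJK_AI_GOVERNANCE", "UU_PDP", "BI_PJP", "OJK_BI_COMBINED"}


def _rfc3339(dt):
    # Reject naive datetimes so the export window is never silently in local time.
    if dt.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_export_request(base_url, username, password, user_id,
                         start, end, data_types, framework, fmt="json"):
    """Validate locally, then return an unsent urllib Request for the export route."""
    start_s, end_s = _rfc3339(start), _rfc3339(end)
    if not start < end:
        raise ValueError("start_date must be before end_date")
    unknown = set(data_types) - DATA_TYPES
    if unknown:
        raise ValueError(f"unknown data_types: {sorted(unknown)}")
    if fmt not in FORMATS or framework not in FRAMEWORKS:
        raise ValueError("unsupported format or framework")
    body = {
        "start_date": start_s,
        "end_date": end_s,
        "data_types": sorted(data_types),
        "format": fmt,
        "framework": framework,
        "redact_pii": True,  # request the export with PII redacted
    }
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return urllib.request.Request(
        base_url.rstrip("/") + "/api/v1/ojk/audit/export",
        data=json.dumps(body).encode(),
        headers={
            "Authorization": f"Basic {token}",  # tenant context comes from these credentials
            "X-User-ID": user_id,               # explicit attribution on the export
            "Content-Type": "application/json",
        },
        method="POST",
    )
```

Pass the returned object to urllib.request.urlopen to send it; a 400 validation_error from the server then indicates a rule the local checks do not cover.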

Get export status

GET /api/v1/ojk/audit/export/{id}

The response includes:

  • export_id
  • status
  • framework
  • summary
  • download_url
  • expires_at
  • metadata

Retention API

Get retention status

GET /api/v1/ojk/audit/retention

The retention response includes:

  • tenant identifier
  • framework
  • a status array with one entry per audit data type
  • overall compliance_status
  • optional next_cleanup

Each data-type entry includes:

  • data_type
  • retention_days
  • oldest_record
  • newest_record
  • total_records
  • archived_records
  • storage_bytes
  • compliance_status
  • last_cleanup

The OJK module enforces a 5-year minimum retention floor when AXONFLOW_COMPLIANCE_REGION includes ID.

Readiness API

Get readiness

GET /api/v1/ojk/audit/readiness

The readiness response shape:

{
  "ready": true,
  "score": 85,
  "checks": [
    {
      "name": "audit_logging",
      "description": "Audit capture is enabled and recording",
      "status": "pass",
      "details": "Recent logs show expected record classes for OJK frameworks"
    },
    {
      "name": "pii_indonesia_active",
      "description": "Indonesia PII detection patterns are active",
      "status": "pass",
      "details": "8 patterns active: NIK, NPWP (legacy + new), phone, BCA, Mandiri, BRI, BNI"
    },
    {
      "name": "retention_floor",
      "description": "Retention meets 5-year minimum for ID region",
      "status": "pass",
      "details": "Configured: 3650 days"
    }
  ],
  "recommendations": []
}

Each check contains:

  • name
  • description
  • status: pass, warn, or fail
  • optional details
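Added example, not AxonFlow's own code: a fail-closed deployment gate over the readiness response shape shown above. The function name gate_on_readiness, the min_score threshold of 80, and the choice to require the three check names from the sample response are assumptions of this example.

```python
# Check names taken from the sample response in this reference (assumption:
# your deployment returns at least these); adjust the tuple to match yours.
REQUIRED_CHECKS = ("audit_logging", "pii_indonesia_active", "retention_floor")

# Constructed sample, abridged from the sample response on this page.
SAMPLE_READINESS = {
    "ready": True,
    "score": 85,
    "checks": [
        {"name": "audit_logging", "status": "pass"},
        {"name": "pii_indonesia_active", "status": "pass"},
        {"name": "retention_floor", "status": "pass", "details": "Configured: 3650 days"},
    ],
    "recommendations": [],
}


def gate_on_readiness(resp, min_score=80, allow_warn=False):
    """Fail closed: anything missing, malformed or unrecognised blocks the gate."""
    reasons = []
    if resp.get("ready") is not True:
        reasons.append("ready is not true")
    score = resp.get("score")
    if isinstance(score, bool) or not isinstance(score, (int, float)) or score < min_score:
        reasons.append(f"score {score!r} below {min_score}")
    checks = [c for c in resp.get("checks") or [] if isinstance(c, dict)]
    by_name = {c.get("name"): c for c in checks}
    # A response with no failures is not enough; the expected checks must be present.
    for name in REQUIRED_CHECKS:
        if name not in by_name:
            reasons.append(f"required check {name} missing from response")
    for name, check in by_name.items():
        status = check.get("status")
        if status == "pass" or (status == "warn" and allow_warn):
            continue
        # "fail", "warn" (unless allowed) and any unknown status all block.
        reasons.append(f"{name}: status {status!r} ({check.get('details', 'no details')})")
    return (not reasons, reasons)
```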

Breach Notification API

Generate breach notification (UU PDP Art. 46)

POST /api/v1/ojk/breach/notify

Request fields:

{
  "data_types_involved": ["nik", "npwp", "bank_account"],
  "discovery_timestamp": "2026-03-15T14:30:00Z",
  "estimated_subjects_affected": 1200,
  "remediation_steps": [
    "Revoked compromised API credentials",
    "Enabled additional PII redaction policies",
    "Initiated forensic audit of affected tenant"
  ]
}

Request field details:

  • data_types_involved: array of personal data types that were breached
  • discovery_timestamp: time.Time when the breach was discovered (the notification deadline is calculated as 72 hours from this)
  • estimated_subjects_affected: integer count of affected data subjects
  • remediation_steps: array of strings describing actions taken or planned

Response fields:

  • notification_id: unique tracking identifier
  • notification_deadline: 72 hours from discovery_timestamp
  • recipient: "MOCDA" (current notification recipient, pending DPA constitution)
  • status: draft, sent, or acknowledged
  • data_types_involved: echoed from request
  • estimated_subjects_affected: echoed from request
  • remediation_steps: echoed from request
  • created_at: server timestamp
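Added example, not AxonFlow's own code: a Python check that recomputes the 72-hour deadline from discovery_timestamp, confirms the echoed fields match what was submitted, and flags a notification still in draft as the deadline approaches. The function name review_notification, the 24-hour warning threshold, the sample response values, and the assumption that notification_deadline is an RFC 3339 string like the request timestamps are all this example's own.

```python
from datetime import datetime, timedelta

NOTIFY_WINDOW = timedelta(hours=72)  # deadline rule stated in this reference
ECHOED = ("data_types_involved", "estimated_subjects_affected", "remediation_steps")
STATUSES = ("draft", "sent", "acknowledged")

# Constructed sample: request values from this page, response values made up.
SAMPLE_REQUEST = {
    "data_types_involved": ["nik", "npwp", "bank_account"],
    "discovery_timestamp": "2026-03-15T14:30:00Z",
    "estimated_subjects_affected": 1200,
    "remediation_steps": ["Revoked compromised API credentials"],
}
SAMPLE_RESPONSE = {
    **{k: SAMPLE_REQUEST[k] for k in ECHOED},
    "notification_id": "ntf-example-001",  # placeholder identifier
    "notification_deadline": "2026-03-18T14:30:00Z",
    "recipient": "MOCDA",
    "status": "draft",
}


def _parse(ts):
    # Assumption: timestamps are RFC 3339 with a trailing Z, as in the request sample.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def review_notification(request, response, now, warn_hours=24):
    """Return findings for one notification; `now` must be timezone-aware."""
    findings = []
    expected = _parse(request["discovery_timestamp"]) + NOTIFY_WINDOW
    if _parse(response["notification_deadline"]) != expected:
        findings.append("notification_deadline is not discovery_timestamp + 72h")
    for field in ECHOED:
        if response.get(field) != request[field]:
            findings.append(f"{field} was not echoed unchanged")
    status = response.get("status")
    if status not in STATUSES:
        findings.append(f"unknown status {status!r}")
    elif status == "draft":
        remaining = expected - now  # measured against the locally computed deadline
        if remaining <= timedelta(0):
            findings.append("draft is past the 72-hour deadline")
        elif remaining <= timedelta(hours=warn_hours):
            hours = remaining.total_seconds() / 3600
            findings.append(f"draft with {hours:.1f}h left before deadline")
    return findings
```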

Dashboard API

Get dashboard

GET /api/v1/ojk/dashboard

The dashboard provides a combined compliance view including:

  • readiness summary (score + top-level checks)
  • recent export history
  • active kill switches
  • breach-notification status (open notifications, time to deadline)
  • retention posture summary

Error responses

All endpoints return a standard error format:

{
  "error": "validation_error",
  "message": "start_date must be before end_date",
  "status": 400
}

Common error codes:

Status  Error             When
400     validation_error  Invalid request parameters
401     unauthorized      Missing or invalid authentication
403     forbidden         Tenant does not have Enterprise license
404     not_found         Export ID does not exist
500     internal_error    Server-side failure