OJK Compliance API Reference
This reference documents the OJK endpoints registered in the current enterprise build. The module covers Indonesian regulatory frameworks: OJK AI Governance, UU PDP (Law 27/2022), and BI payment system (PBI 23/6 and 23/7).
This reference is engineering documentation for teams building governed AI on AxonFlow. It is not legal advice. Validate the regulatory mapping with your legal and compliance teams before relying on it for OJK, BI, or UU PDP compliance.
Authentication
Tenant resolution works in this order:
- Tenant context (derived from Basic auth credentials) preferred
- X-Org-ID fallback
Use X-User-ID when you want explicit attribution on export flows, breach notifications, and kill-switch actions.
Route overview
| Route | Method |
|---|---|
| /api/v1/ojk/audit/export | POST |
| /api/v1/ojk/audit/export/{id} | GET |
| /api/v1/ojk/audit/retention | GET |
| /api/v1/ojk/audit/readiness | GET |
| /api/v1/ojk/breach/notify | POST |
| /api/v1/ojk/dashboard | GET |
Export API
Create export
POST /api/v1/ojk/audit/export
Supported request fields:
```json
{
  "start_date": "2026-01-01T00:00:00Z",
  "end_date": "2026-03-31T23:59:59Z",
  "data_types": ["policy_violations", "llm_calls", "decision_chain", "pii_redactions", "cross_border_transfers"],
  "format": "json",
  "framework": "OJK_AI_GOVERNANCE",
  "include_archived": false,
  "redact_pii": true,
  "filters": {
    "agent_ids": ["customer-copilot"],
    "severity": "high",
    "include_model_info": true
  }
}
```
Request field details:
- start_date and end_date — time.Time fields defining the export window
- data_types — typed enum: policy_violations, llm_calls, decision_chain, hitl_oversight, pii_redactions, cross_border_transfers, or all
- format — json, csv, or xml
- framework — OJK_AI_GOVERNANCE, UU_PDP, BI_PJP, or OJK_BI_COMBINED
- filters — supports agent IDs, user IDs, severity, policy types, violation types, and include_model_info
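The following Go example is added here and is not part of AxonFlow's code or SDK. It builds the create-export request with Basic auth and optional X-User-ID attribution, and checks the date order and the data_types enum before anything is sent; filters are omitted, and the base URL, credentials and actor are supplied by the caller.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"time"
)

// ExportRequest mirrors the documented request body; the filters object is omitted here.
type ExportRequest struct {
	StartDate       time.Time `json:"start_date"`
	EndDate         time.Time `json:"end_date"`
	DataTypes       []string  `json:"data_types"`
	Format          string    `json:"format"`
	Framework       string    `json:"framework"`
	IncludeArchived bool      `json:"include_archived"`
	RedactPII       bool      `json:"redact_pii"`
}

// dataTypes holds the data_types enum values listed in the field details.
var dataTypes = map[string]bool{"policy_violations": true, "llm_calls": true, "decision_chain": true, "hitl_oversight": true, "pii_redactions": true, "cross_border_transfers": true, "all": true}

// NewExportRequest validates r, then builds the POST with Basic auth and, if actor is set, X-User-ID.
func NewExportRequest(baseURL, user, pass, actor string, r ExportRequest) (*http.Request, error) {
	if !r.StartDate.Before(r.EndDate) {
		return nil, fmt.Errorf("start_date must be before end_date")
	}
	for _, dt := range r.DataTypes {
		if !dataTypes[dt] {
			return nil, fmt.Errorf("data_types: unsupported value %q", dt)
		}
	}
	body, err := json.Marshal(r)
	if err != nil {
		return nil, err
	}
	req, err := http.NewRequest(http.MethodPost, baseURL+"/api/v1/ojk/audit/export", bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.SetBasicAuth(user, pass) // tenant context is derived from these credentials
	req.Header.Set("Content-Type", "application/json")
	if actor != "" {
		req.Header.Set("X-User-ID", actor) // explicit attribution for the export
	}
	return req, nil
}
func main() {} // nothing to run directly: call NewExportRequest from client code
```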
Get export status
GET /api/v1/ojk/audit/export/{id}
The response includes:
- export_id
- status
- framework
- summary
- download_url
- expires_at
- metadata
Retention API
Get retention status
GET /api/v1/ojk/audit/retention
The retention response includes:
- tenant identifier
- framework
- a status array with one entry per audit data type
- overall compliance_status
- optional next_cleanup
Each data-type entry includes:
- data_type
- retention_days
- oldest_record
- newest_record
- total_records
- archived_records
- storage_bytes
- compliance_status
- last_cleanup
The OJK module enforces a 5-year minimum retention floor when AXONFLOW_COMPLIANCE_REGION includes ID.
Readiness API
Get readiness
GET /api/v1/ojk/audit/readiness
The readiness response shape:
```json
{
  "ready": true,
  "score": 85,
  "checks": [
    {
      "name": "audit_logging",
      "description": "Audit capture is enabled and recording",
      "status": "pass",
      "details": "Recent logs show expected record classes for OJK frameworks"
    },
    {
      "name": "pii_indonesia_active",
      "description": "Indonesia PII detection patterns are active",
      "status": "pass",
      "details": "8 patterns active: NIK, NPWP (legacy + new), phone, BCA, Mandiri, BRI, BNI"
    },
    {
      "name": "retention_floor",
      "description": "Retention meets 5-year minimum for ID region",
      "status": "pass",
      "details": "Configured: 3650 days"
    }
  ],
  "recommendations": []
}
```
Each check contains:
- name
- description
- status — pass, warn, or fail
- optional details
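One way to consume the readiness response as a release or CI gate, shown as an added Go example that is not part of AxonFlow's code. The fail-closed policy (ready=false, an empty checks list, or any status other than pass or warn blocks) is an assumption of this example, and the sample payload is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Check and Readiness follow the readiness response shape shown above.
type Check struct {
	Name    string `json:"name"`
	Status  string `json:"status"`
	Details string `json:"details"`
}

type Readiness struct {
	Ready  bool    `json:"ready"`
	Score  int     `json:"score"`
	Checks []Check `json:"checks"`
}

// Gate returns blockers (the release must stop) and warnings. It fails closed: ready=false,
// an empty checks list, or any status other than pass/warn is treated as a blocker.
func Gate(raw []byte) (blockers, warnings []string, err error) {
	var r Readiness
	if err = json.Unmarshal(raw, &r); err != nil {
		return nil, nil, fmt.Errorf("readiness: %w", err)
	}
	if !r.Ready || len(r.Checks) == 0 {
		blockers = append(blockers, fmt.Sprintf("ready=%t with %d checks", r.Ready, len(r.Checks)))
	}
	for _, c := range r.Checks {
		switch c.Status {
		case "pass":
		case "warn":
			warnings = append(warnings, c.Name+": "+c.Details)
		default: // "fail", or a status this client does not recognise
			blockers = append(blockers, fmt.Sprintf("%s: status %q %s", c.Name, c.Status, c.Details))
		}
	}
	return blockers, warnings, nil
}

// sample is constructed for this example, not captured from a real deployment.
const sample = `{"ready": false, "score": 60, "checks": [
	{"name": "audit_logging", "status": "pass"},
	{"name": "retention_floor", "status": "fail", "details": "Configured: 365 days"}]}`

func main() {
	fmt.Println(Gate([]byte(sample)))
}
```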
Breach Notification API
Generate breach notification (UU PDP Art. 46)
POST /api/v1/ojk/breach/notify
Request fields:
```json
{
  "data_types_involved": ["nik", "npwp", "bank_account"],
  "discovery_timestamp": "2026-03-15T14:30:00Z",
  "estimated_subjects_affected": 1200,
  "remediation_steps": [
    "Revoked compromised API credentials",
    "Enabled additional PII redaction policies",
    "Initiated forensic audit of affected tenant"
  ]
}
```
Request field details:
- data_types_involved — array of personal data types that were breached
- discovery_timestamp — time.Time when the breach was discovered (notification deadline is calculated as 72 hours from this)
- estimated_subjects_affected — integer count of affected data subjects
- remediation_steps — array of strings describing actions taken or planned
Response fields:
- notification_id — unique tracking identifier
- notification_deadline — 72 hours from discovery_timestamp
- recipient — "MOCDA" (current notification recipient, pending DPA constitution)
- status — draft, sent, or acknowledged
- data_types_involved — echoed from request
- estimated_subjects_affected — echoed from request
- remediation_steps — echoed from request
- created_at — server timestamp
Dashboard API
Get dashboard
GET /api/v1/ojk/dashboard
The dashboard provides a combined compliance view including:
- readiness summary (score + top-level checks)
- recent export history
- active kill switches
- breach-notification status (open notifications, time to deadline)
- retention posture summary
Error responses
All endpoints return a standard error format:
```json
{
  "error": "validation_error",
  "message": "start_date must be before end_date",
  "status": 400
}
```
Common error codes:
| Status | Error | When |
|---|---|---|
| 400 | validation_error | Invalid request parameters |
| 401 | unauthorized | Missing or invalid authentication |
| 403 | forbidden | Tenant does not have Enterprise license |
| 404 | not_found | Export ID does not exist |
| 500 | internal_error | Server-side failure |
