Skip to main content

Policy Templates API

Use policy templates to bootstrap common governance rules instead of hand-authoring every tenant policy from scratch. This is especially useful when teams want to roll out repeatable controls for PII detection, SQL injection prevention, regional compliance, or industry-specific AI safety requirements.

Overview

Verified routes:

MethodPathPurpose
GET/api/v1/templatesList templates
GET/api/v1/templates/categoriesList categories
GET/api/v1/templates/statsTemplate usage statistics
GET/api/v1/templates/{id}Get one template
POST/api/v1/templates/{id}/applyCreate a policy from a template

Base URL:

http://localhost:8081

The template routes are served by the Orchestrator directly (port 8081). Unlike /api/v1/dynamic-policies, they are not proxied through the Agent's single-entry-point router — call the Orchestrator (or whatever ingress fronts it in your deployment).

Authentication

The Orchestrator reads identity from headers set by the caller (or by an upstream gateway):

  • X-Tenant-ID — required for GET /api/v1/templates/stats and POST /api/v1/templates/{id}/apply; missing tenant context returns 401 with code UNAUTHORIZED. List, get, and categories do not require tenant context.
  • X-User-ID — recommended for apply requests; recorded as the created policy's created_by (defaults to system).

Errors use the shape {"error": {"code": "<STRING_CODE>", "message": "...", "details": [...]}} where details carries {field, message} entries on validation failures. If the Orchestrator has no database connection, all template endpoints return 503.

Listing Templates

Verified list query parameters:

Query paramPurpose
categoryFilter by category
searchSearch template names and descriptions
tagsComma-separated tags
activeFilter active templates
builtinFilter built-in templates
pagePage number
page_sizePage size, max 100

Verified response wrapper:

{
"templates": [],
"pagination": {
"page": 1,
"page_size": 20,
"total_items": 0,
"total_pages": 0
}
}

Single Template and Categories

GET /api/v1/templates/{id} returns a template wrapper around the full template object:

{
"template": {
"id": "tpl_general_rate_limiting",
"name": "general_rate_limiting",
"display_name": "Rate Limiting",
"description": "Enforces rate limits per user/tenant to prevent abuse",
"category": "general",
"subcategory": "security",
"template": {
"name": "Rate Limiting",
"type": "user",
"conditions": [
{
"field": "user.request_count_1h",
"operator": "greater_than",
"value": "{{max_requests_per_hour}}"
}
],
"actions": [
{
"type": "block",
"config": {
"message": "Rate limit exceeded. Please try again later."
}
}
],
"priority": 95
},
"variables": [
{
"name": "max_requests_per_hour",
"default": 1000,
"description": "Maximum requests per user per hour"
}
],
"is_builtin": true,
"is_active": true,
"version": "1.0",
"tags": ["security", "rate_limiting", "abuse_prevention"],
"created_at": "2025-01-01T00:00:00Z",
"updated_at": "2025-01-01T00:00:00Z"
}
}

Template variables support name, type, default, description, required, and validation (a regex the supplied value must match). {{variable}} placeholders in the template body are substituted at apply time.

Unknown template IDs return 404 with code NOT_FOUND.

GET /api/v1/templates/categories returns the distinct categories present in the deployment's template catalog:

{
"categories": [
"general",
"compliance"
]
}

Usage Statistics

GET /api/v1/templates/stats returns per-template usage counts for the calling tenant (requires tenant context):

{
"stats": [
{
"template_id": "tpl_general_rate_limiting",
"template_name": "general_rate_limiting",
"usage_count": 3,
"last_used_at": "2026-07-01T09:00:00Z"
}
]
}

Apply a Template

POST /api/v1/templates/{id}/apply is the fastest way to turn a reusable governance pattern into a tenant-owned policy.

Verified request fields:

FieldNotes
variablesVariable substitutions for the template. Variables marked required must be present; variables with a validation regex must match it
policy_nameRequired — 3 to 100 characters
descriptionOptional — at most 500 characters
enabledBoolean; defaults to false when omitted
priorityOptional; overrides the priority baked into the template

Example:

curl -X POST http://localhost:8081/api/v1/templates/tpl_general_rate_limiting/apply \
-H "Content-Type: application/json" \
-H "X-Tenant-ID: my-tenant" \
-H "X-User-ID: [email protected]" \
-d '{
"variables": {
"max_requests_per_hour": 500
},
"policy_name": "tenant-rate-limit",
"enabled": true
}'

Successful applies return 201 Created with success, the created policy (a dynamic policy resource owned by the calling tenant), usage_id, and message:

{
"success": true,
"policy": {
"id": "550e8400-e29b-41d4-a716-446655440002",
"name": "tenant-rate-limit",
"type": "user",
"conditions": [],
"actions": [],
"priority": 95,
"enabled": true,
"version": 1,
"tenant_id": "my-tenant",
"created_by": "[email protected]",
"created_at": "2026-07-01T09:00:00Z",
"updated_at": "2026-07-01T09:00:00Z"
},
"usage_id": "b2e5c1aa-2222-4333-8444-955556666777",
"message": "Successfully created policy 'tenant-rate-limit' from template 'general_rate_limiting'"
}

Error cases: 400 VALIDATION_ERROR (policy name length, description length, missing required variables, variable pattern mismatch — with per-field details), 400 INVALID_JSON, 401 UNAUTHORIZED (no tenant context), 404 NOT_FOUND (unknown template), 500 INTERNAL_ERROR.

Why Teams Use This API

  • Security teams use templates to standardize AI guardrails across multiple tenants or applications.
  • Platform teams use templates to shorten onboarding for regulated use cases such as finance, healthcare, and regional deployments.
  • Engineers assessing AxonFlow get a practical bridge between community experimentation and more repeatable evaluation or enterprise rollout patterns.

Operational Readiness Checklist

Before relying on this page in a production rollout, pair it with the core operations docs: