Author & publish a policy

Policies move through a lifecycle — draft → validate → publish — so a change is reviewable and every later decision records the version that produced it. See Authorization & policy.

Requires policy.write / policy.publish

Authoring needs policy.write; publishing needs policy.publish in the target environment.

1. Create or edit a policy draft (Cedar).
2. Validate it — catch syntax and reference errors, and simulate key decisions.
3. Publish the version, which supersedes the previous one.

Create a draft

Create a policy draft

UIAPICLI

1. Open Access → Policies → New.
2. Write the Cedar policy in the editor; references resolve against the current environment.

POST/v1/policies

Copy

curl -X POST "$GATEWAY/v1/policies" \
-H "authorization: Bearer $TOKEN" \
-H "content-type: application/json" \
--data @policy.json

View createPolicy in the API reference →

Copy

gatewayctl policy review --policy-version cedar-policy-v4 --format json

Every gatewayctl verb accepts --format text|json.

Validate, then publish

Validate and publish a policy version

UIAPICLI

1. Click Validate and resolve any errors; run a few simulations to confirm intent.
2. Click Publish — the new version becomes active and supersedes the prior one.

POST/v1/policies/{policy_version}/publish

Copy

# 1) validate
curl -X POST "$GATEWAY/v1/policies/cedar-policy-v4/validate" \
-H "authorization: Bearer $TOKEN"
# 2) publish
curl -X POST "$GATEWAY/v1/policies/cedar-policy-v4/publish" \
-H "authorization: Bearer $TOKEN"

View publishPolicyVersion in the API reference →

Copy

gatewayctl policy publish --policy-version cedar-policy-v4

Every gatewayctl verb accepts --format text|json.

Tip

Simulate the change before publishing — confirm the decision flips the way you expect, then publish so the audit trail attributes future decisions to the new version. Roll back by publishing a superseding version; archive retired ones with POST /v1/policies/{version}/archive.