Access Requests
Create, approve, deny, and cancel time-bound access requests.
| Method | Path |
|---|
| CreateAccessRequest | POST /v1/governance/accessRequests |
| GetAccessRequest | GET /v1/governance/accessRequests/{id} |
| ListAccessRequests | GET /v1/governance/accessRequests |
| ApproveAccessRequest | POST /v1/governance/accessRequests/{id}:approve |
| DenyAccessRequest | POST /v1/governance/accessRequests/{id}:deny |
| CancelAccessRequest | POST /v1/governance/accessRequests/{id}:cancel |
Base URL: https://<Domain id="api"/>
Authentication: Bearer token. Requires governance.access_request:write to create, governance.access_request:approve to approve/deny.
{
"id": "acr_01H7X3K9Q1",
"status": "pending",
"requester_id": "usr_4f18acec",
"requested_permission": {
"namespace": "repositories",
"object": "backend-api",
"relation": "writer"
},
"justification": "Fix P0 incident #4827",
"expires_at"
POST /v1/governance/accessRequests/{id}:approve
POST /v1/governance/accessRequests/{id}:deny
Body: { "note": "Approved -- see incident #4827" }.
Approval writes the requested permission into Keto for the expiry window; the tuple is automatically removed at expires_at.
GET /v1/governance/accessRequests?filter=status="pending"&page_size=50