A policy is a rule that decides whether a credential access is allowed. EveryDocumentation Index
Fetch the complete documentation index at: https://docs.alterauth.com/llms.txt
Use this file to discover all available pages before exploring further.
app.request() is evaluated against the relevant policies before the token is injected; if the policy denies, the call raises PolicyViolationError and the provider is never reached.
Policies sit between who can call (the principal on the grant) and what they’re allowed to call right now. The principal binding answers “is Alice’s grant?”; the policy answers “is now a valid time, from a valid place, within rate?”
Where a policy lives
| Layer | Set by | Example |
|---|---|---|
| Grant policy | The operator or end user, at grant creation | TTL: this grant expires in 1 hour |
| App policy | The operator, in the developer portal | IP allowlist: only requests from 203.0.113.0/24 |
| Provider policy | The operator | Time-of-day: only between 09:00–18:00 UTC |
| Agent policy | The operator, when provisioning a managed agent | Rate limit: 60 requests per minute |
What policies can express
- Time-of-day windows — business-hours-only access.
- IP allowlists — call only from named CIDRs.
- Group membership — restrict to members of an IDP group.
- Rate limits — cap per-grant or per-agent calls per minute.
- TTL — hard expiry on a grant.
- Approval requirements — route to a human-in-the-loop decision before executing.
Fail-closed
If a policy cannot be evaluated (the policy engine is unreachable, the inputs are malformed, the policy version drifted), the request is denied. No call is made; no token leaves the vault. The error surfaces asPolicyViolationError with the failure reason on policy_error.
This is the opposite of fail-open systems where a missing policy is treated as “no rule, allow.” Alter treats a missing policy evaluator as “no decision, deny.”
Audit
Every policy decision (allow or deny) is recorded in the audit log with the policy name, the inputs evaluated, and the outcome. Denied calls never reach the provider but always appear in the audit trail — they are first-class evidence for compliance reviews.What’s next
- Audit logs — where policy decisions are recorded.
- Add human-in-the-loop approvals — policy-driven approval flow.
- Security architecture — the policy engine in the larger picture.