Policies enforce constraints on transactions before they leave Qustody. Each policy is attached to a vault and consists of one or more rules. See Policies concepts for the full rule reference. All endpoints require an authenticated principal with the policies:create, policies:read, policies:update, or policies:delete permission as appropriate.

Create policy

POST /v1/policies
curl -X POST https://api.qustody.io/v1/policies \
  -H "Authorization: Bearer $QUSTODY_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "vault_id": "vault_01HXYZ...",
    "name": "treasury-default",
    "rules": [
      {"type": "MAX_AMOUNT", "value": "100000000000000000000"},
      {"type": "REQUIRE_APPROVAL", "value": "2"},
      {"type": "WHITELIST_ADDRESS", "addresses": ["0xabc..."]}
    ]
  }'
Response 201
{
  "id": "pol_01HXYZ...",
  "vault_id": "vault_01HXYZ...",
  "name": "treasury-default",
  "rules": [...],
  "created_at": "2026-04-27T10:15:00Z"
}

List policies

GET /v1/policies?vault_id={id}&page=1&per_page=50
Returns the policies visible to the caller’s tenant. Filterable by vault_id.

Get policy

GET /v1/policies/{id}

Update policy

PUT /v1/policies/{id}
Replaces the rule set in full. Existing transactions in flight are not re-evaluated; future submissions use the new policy.
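
Because PUT replaces the rule set in full, a rule left out of the request body is removed. The sketch below is an added example, not Qustody's own code: a pre-flight check that builds the PUT body from the current policy and refuses to drop a rule type unless explicitly allowed. Assumptions: the GET response carries the `name` and `rules` fields shown in the create response, the PUT body takes the same `name` and `rules` fields as create, and a policy holds one rule per type; all function names are hypothetical.

```python
import json
import urllib.request

BASE = "https://api.qustody.io/v1/policies"  # endpoint path from this page


def merge_rule(rules, changed):
    """Replace the rule with the same type, or append (assumes one rule per type)."""
    kept = [r for r in rules if r["type"] != changed["type"]]
    return kept + [changed]


def dropped_types(current_rules, proposed_rules):
    """Rule types that a full-replacement PUT would silently remove."""
    proposed = {r["type"] for r in proposed_rules}
    return sorted({r["type"] for r in current_rules} - proposed)


def plan_update(current_policy, proposed_rules, allow_drop=()):
    """Build the PUT body, refusing to drop a rule type unless explicitly allowed."""
    lost = [t for t in dropped_types(current_policy["rules"], proposed_rules)
            if t not in allow_drop]
    if lost:
        raise ValueError("update would remove rules: " + ", ".join(lost))
    # Assumed body shape: same "name" and "rules" fields as the create request.
    return {"name": current_policy["name"], "rules": proposed_rules}


def call(method, policy_id, api_key, body=None):
    """Send GET or PUT to /v1/policies/{id}; not exercised by the offline demo."""
    req = urllib.request.Request(
        f"{BASE}/{policy_id}", method=method,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"Authorization": f"Bearer {api_key}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample of a GET /v1/policies/{id} response (values are illustrative).
CURRENT = {"id": "pol_EXAMPLE", "name": "treasury-default", "rules": [
    {"type": "MAX_AMOUNT", "value": "100000000000000000000"},
    {"type": "REQUIRE_APPROVAL", "value": "2"},
    {"type": "WHITELIST_ADDRESS", "addresses": ["0xEXAMPLE"]}]}

if __name__ == "__main__":
    body = plan_update(CURRENT, merge_rule(CURRENT["rules"],
                                           {"type": "REQUIRE_APPROVAL", "value": "3"}))
    print(json.dumps(body, indent=2))
```

In live use, fetch the current policy with `call("GET", ...)`, pass it through `plan_update`, and send the returned body with `call("PUT", ...)`.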

Delete policy

DELETE /v1/policies/{id}
A vault without a policy accepts any transaction subject to RBAC. Production deployments should keep at least one policy attached.

Errors

Code  Type             When
1100  VALIDATION       Invalid rule shape or unknown type
1200  POLICY_DENIED    Returned by the transaction endpoint, not here
1400  VAULT_NOT_FOUND  vault_id does not exist in tenant
See the full error catalog.