API ReferenceCore API
Rules API
Configure authorization rules programmatically
Rules API
Configure authorization rules to control access to your proxies, credentials, and targets.
Endpoints
Rules can be attached to credentials, proxies, or targets:
Credential Rules
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/clients/{clientId}/credentials/{credentialId}/rules | List credential rules |
| POST | /api/clients/{clientId}/credentials/{credentialId}/rules | Create credential rule |
| DELETE | /api/clients/{clientId}/credentials/{credentialId}/rules/{ruleId} | Delete credential rule |
Proxy Rules
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/clients/{clientId}/proxies/{proxyId}/rules | List proxy rules |
| POST | /api/clients/{clientId}/proxies/{proxyId}/rules | Create proxy rule |
| DELETE | /api/clients/{clientId}/proxies/{proxyId}/rules/{ruleId} | Delete proxy rule |
Target Rules
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/clients/{clientId}/targets/{targetId}/rules | List target rules |
| POST | /api/clients/{clientId}/targets/{targetId}/rules | Create target rule |
| DELETE | /api/clients/{clientId}/targets/{targetId}/rules/{ruleId} | Delete target rule |
Create Rule
Create a new authorization rule.
Request
POST /api/clients/{clientId}/proxies/{proxyId}/rules HTTP/1.1
Host: api.requestrocket.com
Authorization: {user_token}
Content-Type: application/json
{
"effect": "deny",
"priority": 900,
"methods": ["DELETE"],
"path": {
"pattern": "^/api/users/",
"presence": "present"
},
"notes": "Prevent user deletion via API"
}Request Body
| Field | Type | Required | Description |
|---|---|---|---|
effect | string | Yes | allow or deny |
priority | number | Yes | 0-1000 (higher = evaluated first) |
methods | array | No | HTTP methods to match |
pathPattern | string | No | Regex pattern for path matching |
pathPresence | string | No | present or absent |
headerChecks | array | No | Header validation rules |
queryChecks | array | No | Query parameter validation rules |
regexFlags | string | No | Regex flags (i, g, m, etc.) |
notes | string | No | Description of the rule |
Response
{
"rules": [
{
"userId": "user_123",
"clientId": "client_456",
"parentId": "proxy_789",
"effect": "deny",
"priority": 900,
"methods": ["DELETE"],
"path": {
"pattern": "^/api/users/",
"presence": "present"
},
"notes": "Prevent user deletion via API",
"createdAt": "2024-01-22T14:00:00.000Z",
"updatedAt": "2024-01-22T14:00:00.000Z"
}
],
"message": "Success"
}Rules take effect immediately after creation. No proxy, credential, or target update is required.
Example
const response = await fetch(
`https://api.requestrocket.com/api/clients/${clientId}/targets/${targetId}/rules`,
{
method: 'POST',
headers: {
'Authorization': process.env.USER_TOKEN,
'Content-Type': 'application/json'
},
body: JSON.stringify({
effect: 'deny',
priority: 900,
methods: ['DELETE'],
path: {
pattern: '^/api/users/',
presence: 'present'
},
notes: 'Prevent user deletion via API'
})
}
);
const data = await response.json();
console.log('Rule created:', data.rules[0]);import requests
import os
client_id = "your-client-id"
target_id = "your-target-id"
response = requests.post(
f'https://api.requestrocket.com/api/clients/{client_id}/targets/{target_id}/rules',
headers={'Authorization': os.getenv('USER_TOKEN')},
json={
'effect': 'deny',
'priority': 900,
'methods': ['DELETE'],
'path': {
'pattern': '^/api/users/',
'presence': 'present'
},
'notes': 'Prevent user deletion via API'
}
)
data = response.json()
print(f"Rule created: {data['rules'][0]['notes']}")package main
import (
"bytes"
"encoding/json"
"fmt"
"io"
"net/http"
"os"
)
type PathCheck struct {
Pattern string `json:"pattern"`
Presence string `json:"presence"`
}
type RuleRequest struct {
Effect string `json:"effect"`
Priority int `json:"priority"`
Methods []string `json:"methods"`
Path PathCheck `json:"path"`
Notes string `json:"notes"`
}
func main() {
clientId := "your-client-id"
targetId := "your-target-id"
requestBody, _ := json.Marshal(RuleRequest{
Effect: "deny",
Priority: 900,
Methods: []string{"DELETE"},
Path: PathCheck{
Pattern: "^/api/users/",
Presence: "present",
},
Notes: "Prevent user deletion via API",
})
url := fmt.Sprintf("https://api.requestrocket.com/api/clients/%s/targets/%s/rules", clientId, targetId)
req, _ := http.NewRequest("POST", url, bytes.NewBuffer(requestBody))
req.Header.Set("Authorization", os.Getenv("USER_TOKEN"))
req.Header.Set("Content-Type", "application/json")
client := &http.Client{}
resp, _ := client.Do(req)
defer resp.Body.Close()
body, _ := io.ReadAll(resp.Body)
fmt.Println(string(body))
}import java.net.http.*;
import java.net.URI;
import com.google.gson.*;
public class CreateRule {
public static void main(String[] args) throws Exception {
String clientId = "your-client-id";
String targetId = "your-target-id";
String json = "{"
+ "\"effect\": \"deny\","
+ "\"priority\": 900,"
+ "\"methods\": [\"DELETE\"],"
+ "\"path\": {"
+ "\"pattern\": \"^/api/users/\","
+ "\"presence\": \"present\""
+ "},"
+ "\"notes\": \"Prevent user deletion via API\""
+ "}";
HttpClient client = HttpClient.newHttpClient();
HttpRequest request = HttpRequest.newBuilder()
.uri(URI.create("https://api.requestrocket.com/api/clients/" + clientId + "/targets/" + targetId + "/rules"))
.header("Authorization", System.getenv("USER_TOKEN"))
.header("Content-Type", "application/json")
.POST(HttpRequest.BodyPublishers.ofString(json))
.build();
HttpResponse<String> response = client.send(request,
HttpResponse.BodyHandlers.ofString());
System.out.println(response.body());
}
}curl -X POST "https://api.requestrocket.com/api/clients/${CLIENT_ID}/targets/${TARGET_ID}/rules" \
-H "Authorization: ${USER_TOKEN}" \
-H "Content-Type: application/json" \
-d '{
"effect": "deny",
"priority": 900,
"methods": ["DELETE"],
"path": {
"pattern": "^/api/users/",
"presence": "present"
},
"notes": "Prevent user deletion via API"
}'Create Proxy Rule Example
Create a rule to control traffic through a specific proxy.
const response = await fetch(
`https://api.requestrocket.com/api/clients/${clientId}/proxies/${proxyId}/rules`,
{
method: 'POST',
headers: {
'Authorization': process.env.USER_TOKEN,
'Content-Type': 'application/json'
},
body: JSON.stringify({
effect: 'deny',
priority: 900,
pathPattern: '/admin',
pathPresence: 'present',
notes: 'Block all admin access through this proxy'
})
}
);
const data = await response.json();
console.log('Proxy rule created:', data.rules[0]);import requests
import os
client_id = "your-client-id"
proxy_id = "your-proxy-id"
response = requests.post(
f'https://api.requestrocket.com/api/clients/{client_id}/proxies/{proxy_id}/rules',
headers={'Authorization': os.getenv('USER_TOKEN')},
json={
'effect': 'deny',
'priority': 900,
'pathPattern': '/admin',
'pathPresence': 'present',
'notes': 'Block all admin access through this proxy'
}
)
data = response.json()
print(f"Proxy rule created: {data['rules'][0]['notes']}")package main
import (
"bytes"
"encoding/json"
"fmt"
"io"
"net/http"
"os"
)
type RuleRequest struct {
Effect string `json:"effect"`
Priority int `json:"priority"`
PathPattern string `json:"pathPattern"`
PathPresence string `json:"pathPresence"`
Notes string `json:"notes"`
}
func main() {
clientId := "your-client-id"
proxyId := "your-proxy-id"
requestBody, _ := json.Marshal(RuleRequest{
Effect: "deny",
Priority: 900,
PathPattern: "/admin",
PathPresence: "present",
Notes: "Block all admin access through this proxy",
})
url := fmt.Sprintf("https://api.requestrocket.com/api/clients/%s/proxies/%s/rules", clientId, proxyId)
req, _ := http.NewRequest("POST", url, bytes.NewBuffer(requestBody))
req.Header.Set("Authorization", os.Getenv("USER_TOKEN"))
req.Header.Set("Content-Type", "application/json")
client := &http.Client{}
resp, _ := client.Do(req)
defer resp.Body.Close()
body, _ := io.ReadAll(resp.Body)
fmt.Println(string(body))
}import java.net.http.*;
import java.net.URI;
import com.google.gson.*;
public class CreateProxyRule {
public static void main(String[] args) throws Exception {
String clientId = "your-client-id";
String proxyId = "your-proxy-id";
String json = "{"
+ "\"effect\": \"deny\","
+ "\"priority\": 900,"
+ "\"pathPattern\": \"/admin\","
+ "\"pathPresence\": \"present\","
+ "\"notes\": \"Block all admin access through this proxy\""
+ "}";
HttpClient client = HttpClient.newHttpClient();
HttpRequest request = HttpRequest.newBuilder()
.uri(URI.create("https://api.requestrocket.com/api/clients/" + clientId + "/proxies/" + proxyId + "/rules"))
.header("Authorization", System.getenv("USER_TOKEN"))
.header("Content-Type", "application/json")
.POST(HttpRequest.BodyPublishers.ofString(json))
.build();
HttpResponse<String> response = client.send(request,
HttpResponse.BodyHandlers.ofString());
System.out.println(response.body());
}
}curl -X POST "https://api.requestrocket.com/api/clients/${CLIENT_ID}/proxies/${PROXY_ID}/rules" \
-H "Authorization: ${USER_TOKEN}" \
-H "Content-Type: application/json" \
-d '{
"effect": "deny",
"priority": 900,
"pathPattern": "/admin",
"pathPresence": "present",
"notes": "Block all admin access through this proxy"
}'Create Credential Rule Example
Create a rule to control usage of a specific credential.
const response = await fetch(
`https://api.requestrocket.com/api/clients/${clientId}/credentials/${credentialId}/rules`,
{
method: 'POST',
headers: {
'Authorization': process.env.USER_TOKEN,
'Content-Type': 'application/json'
},
body: JSON.stringify({
effect: 'allow',
priority: 100,
methods: ['GET', 'POST'],
notes: 'Production credential only for read and create operations'
})
}
);
const data = await response.json();
console.log('Credential rule created:', data.rules[0]);import requests
import os
client_id = "your-client-id"
credential_id = "your-credential-id"
response = requests.post(
f'https://api.requestrocket.com/api/clients/{client_id}/credentials/{credential_id}/rules',
headers={'Authorization': os.getenv('USER_TOKEN')},
json={
'effect': 'allow',
'priority': 100,
'methods': ['GET', 'POST'],
'notes': 'Production credential only for read and create operations'
}
)
data = response.json()
print(f"Credential rule created: {data['rules'][0]['notes']}")package main
import (
"bytes"
"encoding/json"
"fmt"
"io"
"net/http"
"os"
)
type CredentialRuleRequest struct {
Effect string `json:"effect"`
Priority int `json:"priority"`
Methods []string `json:"methods"`
Notes string `json:"notes"`
}
func main() {
clientId := "your-client-id"
credentialId := "your-credential-id"
requestBody, _ := json.Marshal(CredentialRuleRequest{
Effect: "allow",
Priority: 100,
Methods: []string{"GET", "POST"},
Notes: "Production credential only for read and create operations",
})
url := fmt.Sprintf("https://api.requestrocket.com/api/clients/%s/credentials/%s/rules", clientId, credentialId)
req, _ := http.NewRequest("POST", url, bytes.NewBuffer(requestBody))
req.Header.Set("Authorization", os.Getenv("USER_TOKEN"))
req.Header.Set("Content-Type", "application/json")
client := &http.Client{}
resp, _ := client.Do(req)
defer resp.Body.Close()
body, _ := io.ReadAll(resp.Body)
fmt.Println(string(body))
}import java.net.http.*;
import java.net.URI;
import com.google.gson.*;
public class CreateCredentialRule {
public static void main(String[] args) throws Exception {
String clientId = "your-client-id";
String credentialId = "your-credential-id";
String json = "{"
+ "\"effect\": \"allow\","
+ "\"priority\": 100,"
+ "\"methods\": [\"GET\", \"POST\"],"
+ "\"notes\": \"Production credential only for read and create operations\""
+ "}";
HttpClient client = HttpClient.newHttpClient();
HttpRequest request = HttpRequest.newBuilder()
.uri(URI.create("https://api.requestrocket.com/api/clients/" + clientId + "/credentials/" + credentialId + "/rules"))
.header("Authorization", System.getenv("USER_TOKEN"))
.header("Content-Type", "application/json")
.POST(HttpRequest.BodyPublishers.ofString(json))
.build();
HttpResponse<String> response = client.send(request,
HttpResponse.BodyHandlers.ofString());
System.out.println(response.body());
}
}curl -X POST "https://api.requestrocket.com/api/clients/${CLIENT_ID}/credentials/${CREDENTIAL_ID}/rules" \
-H "Authorization: ${USER_TOKEN}" \
-H "Content-Type: application/json" \
-d '{
"effect": "allow",
"priority": 100,
"methods": ["GET", "POST"],
"notes": "Production credential only for read and create operations"
}'Use Cases
Credential Rules
Apply rules to control which requests can use specific credentials. Useful for limiting credential usage to specific endpoints or methods.
Example: Prevent a production credential from being used for DELETE operations:
{
"effect": "deny",
"priority": 900,
"methods": ["DELETE"],
"notes": "Production credentials cannot be used for DELETE requests"
}Proxy Rules
Apply rules to control all requests passing through a proxy, regardless of which credential is used.
Example: Block all admin access through a specific proxy:
{
"effect": "deny",
"priority": 900,
"pathPattern": "/admin",
"pathPresence": "present",
"notes": "Block all admin access"
}Target Rules
Apply rules to control all requests destined for a specific target API, providing an additional layer of security at the target level.
Example: Require API version header for all requests to a target:
{
"effect": "deny",
"priority": 800,
"headerChecks": [
{
"name": "X-API-Version",
"pattern": "^2\\.",
"presence": "absent"
}
],
"notes": "Require API version 2.x for this target"
}Example Rules
Block Admin Paths
{
"effect": "deny",
"priority": 900,
"pathPattern": "/admin",
"pathPresence": "present",
"notes": "Block all admin access"
}Require API Version Header
{
"effect": "deny",
"priority": 800,
"headerChecks": [
{
"name": "X-API-Version",
"pattern": "^2\\.",
"presence": "absent"
}
],
"notes": "Require API version 2.x"
}Allow Only GET and POST
{
"effect": "allow",
"priority": 100,
"methods": ["GET", "POST"],
"notes": "Read and create operations only"
}Prevent Access to Sensitive Paths
{
"effect": "deny",
"priority": 950,
"pathPattern": "/(users|accounts|billing)",
"pathPresence": "present",
"notes": "Block access to sensitive endpoints"
}List Rules
Get all rules for a specific resource (credential, proxy, or target).
Request
GET /api/clients/{clientId}/targets/{targetId}/rules HTTP/1.1
Host: api.requestrocket.com
Authorization: {user_token}Response
{
"rules": [
{
"ruleId": "rule_123",
"userId": "user_123",
"clientId": "client_456",
"parentId": "target_789",
"effect": "deny",
"priority": 900,
"methods": ["DELETE"],
"path": {
"pattern": "^/api/users/",
"presence": "present"
},
"notes": "Prevent user deletion via API",
"pKey": "RULE",
"sKey": "rule_123",
"createdAt": "2024-01-22T14:00:00.000Z",
"updatedAt": "2024-01-22T14:00:00.000Z"
}
],
"message": "Success"
}Example
const response = await fetch(
`https://api.requestrocket.com/api/clients/${clientId}/targets/${targetId}/rules`,
{
headers: {
'Authorization': process.env.USER_TOKEN
}
}
);
const data = await response.json();
console.log('Rules:', data.rules);import requests
import os
client_id = "your-client-id"
target_id = "your-target-id"
response = requests.get(
f'https://api.requestrocket.com/api/clients/{client_id}/targets/{target_id}/rules',
headers={'Authorization': os.getenv('USER_TOKEN')}
)
data = response.json()
print(f"Found {len(data['rules'])} rules")package main
import (
"encoding/json"
"fmt"
"io"
"net/http"
"os"
)
type Response struct {
Rules []map[string]interface{} `json:"rules"`
Message string `json:"message"`
}
func main() {
clientId := "your-client-id"
targetId := "your-target-id"
url := fmt.Sprintf("https://api.requestrocket.com/api/clients/%s/targets/%s/rules", clientId, targetId)
req, _ := http.NewRequest("GET", url, nil)
req.Header.Set("Authorization", os.Getenv("USER_TOKEN"))
client := &http.Client{}
resp, _ := client.Do(req)
defer resp.Body.Close()
body, _ := io.ReadAll(resp.Body)
var result Response
json.Unmarshal(body, &result)
fmt.Printf("Found %d rules\n", len(result.Rules))
}import java.net.http.*;
import java.net.URI;
import com.google.gson.*;
public class ListRules {
public static void main(String[] args) throws Exception {
String clientId = "your-client-id";
String targetId = "your-target-id";
HttpClient client = HttpClient.newHttpClient();
HttpRequest request = HttpRequest.newBuilder()
.uri(URI.create("https://api.requestrocket.com/api/clients/" + clientId + "/targets/" + targetId + "/rules"))
.header("Authorization", System.getenv("USER_TOKEN"))
.GET()
.build();
HttpResponse<String> response = client.send(request,
HttpResponse.BodyHandlers.ofString());
JsonObject json = JsonParser.parseString(response.body()).getAsJsonObject();
JsonArray rules = json.getAsJsonArray("rules");
System.out.println("Found " + rules.size() + " rules");
}
}curl -X GET "https://api.requestrocket.com/api/clients/${CLIENT_ID}/targets/${TARGET_ID}/rules" \
-H "Authorization: ${USER_TOKEN}"Delete Rule
Remove a specific rule.
Request
DELETE /api/clients/{clientId}/targets/{targetId}/rules/{ruleId} HTTP/1.1
Host: api.requestrocket.com
Authorization: {user_token}Response
{
"message": "Rule deleted successfully"
}Example
const response = await fetch(
`https://api.requestrocket.com/api/clients/${clientId}/targets/${targetId}/rules/${ruleId}`,
{
method: 'DELETE',
headers: {
'Authorization': process.env.USER_TOKEN
}
}
);
const data = await response.json();
console.log(data.message);import requests
import os
client_id = "your-client-id"
target_id = "your-target-id"
rule_id = "rule-id"
response = requests.delete(
f'https://api.requestrocket.com/api/clients/{client_id}/targets/{target_id}/rules/{rule_id}',
headers={'Authorization': os.getenv('USER_TOKEN')}
)
data = response.json()
print(data['message'])package main
import (
"encoding/json"
"fmt"
"io"
"net/http"
"os"
)
type Response struct {
Message string `json:"message"`
}
func main() {
clientId := "your-client-id"
targetId := "your-target-id"
ruleId := "rule-id"
url := fmt.Sprintf("https://api.requestrocket.com/api/clients/%s/targets/%s/rules/%s", clientId, targetId, ruleId)
req, _ := http.NewRequest("DELETE", url, nil)
req.Header.Set("Authorization", os.Getenv("USER_TOKEN"))
client := &http.Client{}
resp, _ := client.Do(req)
defer resp.Body.Close()
body, _ := io.ReadAll(resp.Body)
var result Response
json.Unmarshal(body, &result)
fmt.Println(result.Message)
}import java.net.http.*;
import java.net.URI;
import com.google.gson.*;
public class DeleteRule {
public static void main(String[] args) throws Exception {
String clientId = "your-client-id";
String targetId = "your-target-id";
String ruleId = "rule-id";
HttpClient client = HttpClient.newHttpClient();
HttpRequest request = HttpRequest.newBuilder()
.uri(URI.create("https://api.requestrocket.com/api/clients/" + clientId + "/targets/" + targetId + "/rules/" + ruleId))
.header("Authorization", System.getenv("USER_TOKEN"))
.DELETE()
.build();
HttpResponse<String> response = client.send(request,
HttpResponse.BodyHandlers.ofString());
JsonObject json = JsonParser.parseString(response.body()).getAsJsonObject();
System.out.println(json.get("message").getAsString());
}
}curl -X DELETE "https://api.requestrocket.com/api/clients/${CLIENT_ID}/targets/${TARGET_ID}/rules/${RULE_ID}" \
-H "Authorization: ${USER_TOKEN}"Rule Evaluation Order
Rules are evaluated in the following order:
- Target Rules - Applied first, control all traffic to a specific target
- Proxy Rules - Applied second, control all traffic through a specific proxy
- Credential Rules - Applied last, control usage of specific credentials
Within each level, rules are evaluated by priority (highest first). The first matching rule with an explicit allow or deny effect determines the outcome.
A request must pass all three levels of rules to be allowed. A deny at any level will block the request.