Create or replace this tenant's policy/toggle settings
Upserts the tenant's policy override, persisting the REQUESTED scalars verbatim (the compliance floor clamp is applied at consume, never on write — so a below-floor request is stored as-is and clamped only when resolved) and a FULL-REPLACE feature-flag bag. Enforces optimistic concurrency on `config_version` — a stale or missing version against an existing row is rejected with `409` and no write. This is a NON-secret write: there is NO credential, no envelope, no overwrite gate. Caller must hold `tenant.settings.write` (NOT `tenant.settings.secrets.write`). Plan 2026-06-16-per-tenant-settings §2.3 / §2.7 / T301.
Upserts the tenant's policy override, persisting the REQUESTED scalars
verbatim (the compliance floor clamp is applied at consume, never on
write — so a below-floor request is stored as-is and clamped only when
resolved) and a FULL-REPLACE feature-flag bag. Enforces optimistic
concurrency on config_version — a stale or missing version against an
existing row is rejected with 409 and no write. This is a NON-secret
write: there is NO credential, no envelope, no overwrite gate. Caller
must hold tenant.settings.write (NOT tenant.settings.secrets.write).
Plan 2026-06-16-per-tenant-settings §2.3 / §2.7 / T301.
Authorization
bearerAuth JWT Bearer access token. Clock skew tolerance is ±60 seconds.
In: header
Request Body
application/json
TypeScript Definitions
Use the request body type in TypeScript.
Response Body
application/json
application/json
application/json
application/json
application/json
curl -X PUT "https://example.com/v1/admin/settings/policy" \ -H "Content-Type: application/json" \ -d '{ "rate_limit_per_min": 120, "session_ttl_seconds": 7200, "feature_flags": { "public_signup": true }, "signup_enabled": true, "config_version": 3 }'{
"status": "active",
"config_version": 4,
"source": "tenant"
}{
"error": "validation_failed",
"message": "request body is invalid",
"request_id": "req_01abc126"
}{
"error": "unauthenticated",
"message": "missing or invalid bearer token",
"request_id": "req_01abc123"
}{
"error": "permission_denied",
"message": "caller does not hold the required permission",
"request_id": "req_01abc124"
}{
"error": "conflict",
"message": "resource already exists",
"request_id": "req_01abc129"
}Was this page helpful?