Skip to content
StraventaDocs

Create or replace this tenant's policy/toggle settings

Upserts the tenant's policy override, persisting the REQUESTED scalars verbatim (the compliance floor clamp is applied at consume, never on write — so a below-floor request is stored as-is and clamped only when resolved) and a FULL-REPLACE feature-flag bag. Enforces optimistic concurrency on `config_version` — a stale or missing version against an existing row is rejected with `409` and no write. This is a NON-secret write: there is NO credential, no envelope, no overwrite gate. Caller must hold `tenant.settings.write` (NOT `tenant.settings.secrets.write`). Plan 2026-06-16-per-tenant-settings §2.3 / §2.7 / T301.

PUT
/v1/admin/settings/policy

Upserts the tenant's policy override, persisting the REQUESTED scalars verbatim (the compliance floor clamp is applied at consume, never on write — so a below-floor request is stored as-is and clamped only when resolved) and a FULL-REPLACE feature-flag bag. Enforces optimistic concurrency on config_version — a stale or missing version against an existing row is rejected with 409 and no write. This is a NON-secret write: there is NO credential, no envelope, no overwrite gate. Caller must hold tenant.settings.write (NOT tenant.settings.secrets.write). Plan 2026-06-16-per-tenant-settings §2.3 / §2.7 / T301.

Authorization

bearerAuth
AuthorizationBearer <token>

JWT Bearer access token. Clock skew tolerance is ±60 seconds.

In: header

Request Body

application/json

TypeScript Definitions

Use the request body type in TypeScript.

Response Body

application/json

application/json

application/json

application/json

application/json

curl -X PUT "https://example.com/v1/admin/settings/policy" \  -H "Content-Type: application/json" \  -d '{    "rate_limit_per_min": 120,    "session_ttl_seconds": 7200,    "feature_flags": {      "public_signup": true    },    "signup_enabled": true,    "config_version": 3  }'
{
  "status": "active",
  "config_version": 4,
  "source": "tenant"
}
{
  "error": "validation_failed",
  "message": "request body is invalid",
  "request_id": "req_01abc126"
}
{
  "error": "unauthenticated",
  "message": "missing or invalid bearer token",
  "request_id": "req_01abc123"
}
{
  "error": "permission_denied",
  "message": "caller does not hold the required permission",
  "request_id": "req_01abc124"
}
{
  "error": "conflict",
  "message": "resource already exists",
  "request_id": "req_01abc129"
}

Was this page helpful?