Replace the tenant policy card
PUT/v1/admin/clients/:slug/policies
Primary admin write for tenant policies. Body is a
policiesByCapability map matching the shape returned by the
sibling GET — round-trip symmetric.
For every capability key present in the body, the entire policy
set for (client, capability) is replaced atomically — the
platform never routes using a partially applied policy. Gate-2
validation runs per pair before any rows are written; any single
pair's validation failure rolls back the whole transaction.
Capabilities not in the body are left untouched. This matches
the GET-card / PUT-card mental model and keeps a partial card
upload from accidentally closing capabilities the caller did not
intend to manage. To clear a capability use the per-capability
DELETE.
Use the per-capability PUT
(PUT /admin/clients/{slug}/policies/{capabilityKey}) for
granular ad-hoc edits to one capability.
Request
Responses
- 200
- 400
- 401
- 404
- 422
- 500
- 503
Policy card replaced successfully — full updated card returned.
Schema validation failed (GEN000000) or unknown capability key (CRT000002)
Missing or invalid authentication token (GEN001002) or Role unauthorized (GEN001006)
Slug does not resolve to a known client (CRT004004).
Gate-2 validation failure on at least one (capability, policies) pair — whole batch rolled back.
Internal server error (GEN100000)
Connector-routing datastore temporarily unavailable (CRT103002)