# Access policies API

The Access Policies API gives you fine-grained control over how just-in-time access requests are evaluated and approved. By defining workflow rules based on both the **requestor** (who is making the request) and the **resource** (what they’re trying to access), you can enforce consistent, auditable, and dynamic access controls across your infrastructure.

**Access policies** allow you to direct access requests through different approval paths based on context. For example, you can require manual approval for sensitive production systems, while allowing auto-approved access to staging environments. You can also limit request scope using filters or directory-based rules, ensuring access is only available to the right people at the right time.

## Get Routing Configuration

> Retrieve the routing configuration (WorkflowConfig) for the specified organization.

```json
{"openapi":"3.0.4","info":{"title":"P0 Routing API","version":"1.0.0"},"servers":[{"url":"https://api.p0.app"}],"security":[{"bearerAuth":[]}],"components":{"securitySchemes":{"bearerAuth":{"type":"http","scheme":"bearer","bearerFormat":"JWT"}},"schemas":{"WorkflowConfig":{"type":"object","properties":{"id":{"type":"string"},"createdDate":{"type":"string","format":"date-time"},"rules":{"type":"array","items":{"$ref":"#/components/schemas/RoutingRule"}}}},"RoutingRule":{"type":"object","properties":{"name":{"type":"string","description":"A human readable name for this routing rule"},"disabled":{"type":"boolean","description":"Whether or not the routing rule should be evaluated; if false or undefined, the rule will be evaluated"},"requestor":{"$ref":"#/components/schemas/RequestorRule"},"resource":{"$ref":"#/components/schemas/ResourceRule"},"approval":{"type":"array","items":{"$ref":"#/components/schemas/ApprovalRule"}}}},"RequestorRule":{"type":"object","description":"Controls who has access. See [the Requestor docs](https://docs.p0.dev/just-in-time-access/request-routing#requestor).","properties":{"type":{"type":"string","description":"How P0 matches requestors:\n  - 'any': Any requestor will match\n  - 'group': Members of a directory group will match\n  - 'user': Only match a single user\n"},"uid":{"type":"string","description":"May only be used if 'type' is 'user'. This is the user's email address."}}},"ResourceRule":{"type":"object","description":"Controls what is accessed. See [the Resource docs](https://docs.p0.dev/just-in-time-access/request-routing#resource).","properties":{"type":{"type":"string","description":"How P0 matches resources:\n  - 'any': Any resource\n  - 'integration': Only resources within a specified integration\n"},"service":{"type":"string","description":"May only be used if 'type' is 'integration'.\nSee [the Resource docs](https://docs.p0.dev/just-in-time-access/request-routing#resource) for a list of available services.\n"},"filters":{"type":"object","additionalProperties":{"type":"object","properties":{"effect":{"type":"string","description":"The filter effect. May be one of:\n  - 'keep': Access rule only applies to items matching this filter\n  - 'remove': Access rule only applies to items _not_ matching this filter\n  - 'removeAll': Access rule does not apply to any item with this filter key\n"},"key":{"type":"string","description":"The value being filtered. Required if the filter effect is 'keep' or 'remove'."},"value":{"type":"boolean","description":"The value being filtered. Required if it's a boolean filter."},"pattern":{"type":"string","description":"Filter patterns. Patterns are unanchored."}}}}}},"ApprovalRule":{"type":"object","description":"Determines access requirements. See [the Approval docs](https://docs.p0.dev/just-in-time-access/request-routing#approval).","properties":{"type":{"type":"string","description":"Determines trust requirements for access. If empty, access is disallowed. Except for 'deny', meeting any requirement is sufficient to grant access. Possible values:\n  - 'auto': Access is granted according to the requirements of the specified 'integration'\n  - 'deny': Access is always denied\n  - 'escalation': Access may be approved by on-call members of the specified services, who are paged when access is manually escalated by the requestor\n  - 'group': Access may be granted by any member of the defined directory group\n  - 'persistent': Access is always granted\n  - 'requestor-profile': Allows approval by a user specified by a field in the requestor's IDP profile\n  - 'p0': Access may be granted by any user with the P0 \"approver\" role (defined in the P0 app)\n"},"directory":{"type":"string","description":"May only be used if 'type' is 'requestor-profile'. One of \"azure-ad\", \"okta\", or \"workspace\"."},"integration":{"type":"string","description":"May only be used if 'type' is 'auto' or 'escalation'. Possible values:\n  - 'pagerduty': Access is granted if the requestor is on-call.\n"},"profile_property":{"type":"string","description":"May only be used if 'type' is 'requestor-profile'. This is the profile attribute that contains the manager's email."},"services":{"type":"array","items":{"type":"string"},"description":"May only be used if 'type' is 'escalation'. Defines which services to page on escalation."},"options":{"type":"object","properties":{"allow_one_party":{"type":"boolean","description":"If true, allows requestors to approve their own requests."},"require_reason":{"type":"boolean","description":"If true, requires access requests to include a reason."},"cooldown":{"type":"integer","description":"Cooldown period in seconds before access can be re-requested."},"duration":{"type":"integer","description":"How long access is granted, in seconds."}}}}}}},"paths":{"/o/{orgId}/routing":{"get":{"summary":"Get Routing Configuration","description":"Retrieve the routing configuration (WorkflowConfig) for the specified organization.","parameters":[{"name":"orgId","in":"path","required":true,"schema":{"type":"string"},"description":"The ID of the organization."}],"responses":{"200":{"description":"Routing configuration returned successfully.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/WorkflowConfig"}}}},"401":{"description":"Unauthorized"},"403":{"description":"Forbidden"}}}}}}
```

## Save Routing Configuration

> Save a new version of the routing configuration.

```json
{"openapi":"3.0.4","info":{"title":"P0 Routing API","version":"1.0.0"},"servers":[{"url":"https://api.p0.app"}],"security":[{"bearerAuth":[]}],"components":{"securitySchemes":{"bearerAuth":{"type":"http","scheme":"bearer","bearerFormat":"JWT"}},"schemas":{"WorkflowConfig":{"type":"object","properties":{"id":{"type":"string"},"createdDate":{"type":"string","format":"date-time"},"rules":{"type":"array","items":{"$ref":"#/components/schemas/RoutingRule"}}}},"RoutingRule":{"type":"object","properties":{"name":{"type":"string","description":"A human readable name for this routing rule"},"disabled":{"type":"boolean","description":"Whether or not the routing rule should be evaluated; if false or undefined, the rule will be evaluated"},"requestor":{"$ref":"#/components/schemas/RequestorRule"},"resource":{"$ref":"#/components/schemas/ResourceRule"},"approval":{"type":"array","items":{"$ref":"#/components/schemas/ApprovalRule"}}}},"RequestorRule":{"type":"object","description":"Controls who has access. See [the Requestor docs](https://docs.p0.dev/just-in-time-access/request-routing#requestor).","properties":{"type":{"type":"string","description":"How P0 matches requestors:\n  - 'any': Any requestor will match\n  - 'group': Members of a directory group will match\n  - 'user': Only match a single user\n"},"uid":{"type":"string","description":"May only be used if 'type' is 'user'. This is the user's email address."}}},"ResourceRule":{"type":"object","description":"Controls what is accessed. See [the Resource docs](https://docs.p0.dev/just-in-time-access/request-routing#resource).","properties":{"type":{"type":"string","description":"How P0 matches resources:\n  - 'any': Any resource\n  - 'integration': Only resources within a specified integration\n"},"service":{"type":"string","description":"May only be used if 'type' is 'integration'.\nSee [the Resource docs](https://docs.p0.dev/just-in-time-access/request-routing#resource) for a list of available services.\n"},"filters":{"type":"object","additionalProperties":{"type":"object","properties":{"effect":{"type":"string","description":"The filter effect. May be one of:\n  - 'keep': Access rule only applies to items matching this filter\n  - 'remove': Access rule only applies to items _not_ matching this filter\n  - 'removeAll': Access rule does not apply to any item with this filter key\n"},"key":{"type":"string","description":"The value being filtered. Required if the filter effect is 'keep' or 'remove'."},"value":{"type":"boolean","description":"The value being filtered. Required if it's a boolean filter."},"pattern":{"type":"string","description":"Filter patterns. Patterns are unanchored."}}}}}},"ApprovalRule":{"type":"object","description":"Determines access requirements. See [the Approval docs](https://docs.p0.dev/just-in-time-access/request-routing#approval).","properties":{"type":{"type":"string","description":"Determines trust requirements for access. If empty, access is disallowed. Except for 'deny', meeting any requirement is sufficient to grant access. Possible values:\n  - 'auto': Access is granted according to the requirements of the specified 'integration'\n  - 'deny': Access is always denied\n  - 'escalation': Access may be approved by on-call members of the specified services, who are paged when access is manually escalated by the requestor\n  - 'group': Access may be granted by any member of the defined directory group\n  - 'persistent': Access is always granted\n  - 'requestor-profile': Allows approval by a user specified by a field in the requestor's IDP profile\n  - 'p0': Access may be granted by any user with the P0 \"approver\" role (defined in the P0 app)\n"},"directory":{"type":"string","description":"May only be used if 'type' is 'requestor-profile'. One of \"azure-ad\", \"okta\", or \"workspace\"."},"integration":{"type":"string","description":"May only be used if 'type' is 'auto' or 'escalation'. Possible values:\n  - 'pagerduty': Access is granted if the requestor is on-call.\n"},"profile_property":{"type":"string","description":"May only be used if 'type' is 'requestor-profile'. This is the profile attribute that contains the manager's email."},"services":{"type":"array","items":{"type":"string"},"description":"May only be used if 'type' is 'escalation'. Defines which services to page on escalation."},"options":{"type":"object","properties":{"allow_one_party":{"type":"boolean","description":"If true, allows requestors to approve their own requests."},"require_reason":{"type":"boolean","description":"If true, requires access requests to include a reason."},"cooldown":{"type":"integer","description":"Cooldown period in seconds before access can be re-requested."},"duration":{"type":"integer","description":"How long access is granted, in seconds."}}}}}}},"paths":{"/o/{orgId}/routing":{"post":{"summary":"Save Routing Configuration","description":"Save a new version of the routing configuration.","parameters":[{"name":"orgId","in":"path","required":true,"schema":{"type":"string"},"description":"The ID of the organization."}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","properties":{"currentVersion":{"type":"string"},"workflow":{"$ref":"#/components/schemas/WorkflowConfig"}}}}}},"responses":{"200":{"description":"Updated routing rules returned.","content":{"application/json":{"schema":{"type":"object","properties":{"rules":{"type":"array","items":{"$ref":"#/components/schemas/RoutingRule"}},"version":{"type":"string"}}}}}}}}}}}
```

## Get a Routing Rule by Name

> Retrieve a specific routing rule by its name.

```json
{"openapi":"3.0.4","info":{"title":"P0 Routing API","version":"1.0.0"},"servers":[{"url":"https://api.p0.app"}],"security":[{"bearerAuth":[]}],"components":{"securitySchemes":{"bearerAuth":{"type":"http","scheme":"bearer","bearerFormat":"JWT"}},"schemas":{"RoutingRule":{"type":"object","properties":{"name":{"type":"string","description":"A human readable name for this routing rule"},"disabled":{"type":"boolean","description":"Whether or not the routing rule should be evaluated; if false or undefined, the rule will be evaluated"},"requestor":{"$ref":"#/components/schemas/RequestorRule"},"resource":{"$ref":"#/components/schemas/ResourceRule"},"approval":{"type":"array","items":{"$ref":"#/components/schemas/ApprovalRule"}}}},"RequestorRule":{"type":"object","description":"Controls who has access. See [the Requestor docs](https://docs.p0.dev/just-in-time-access/request-routing#requestor).","properties":{"type":{"type":"string","description":"How P0 matches requestors:\n  - 'any': Any requestor will match\n  - 'group': Members of a directory group will match\n  - 'user': Only match a single user\n"},"uid":{"type":"string","description":"May only be used if 'type' is 'user'. This is the user's email address."}}},"ResourceRule":{"type":"object","description":"Controls what is accessed. See [the Resource docs](https://docs.p0.dev/just-in-time-access/request-routing#resource).","properties":{"type":{"type":"string","description":"How P0 matches resources:\n  - 'any': Any resource\n  - 'integration': Only resources within a specified integration\n"},"service":{"type":"string","description":"May only be used if 'type' is 'integration'.\nSee [the Resource docs](https://docs.p0.dev/just-in-time-access/request-routing#resource) for a list of available services.\n"},"filters":{"type":"object","additionalProperties":{"type":"object","properties":{"effect":{"type":"string","description":"The filter effect. May be one of:\n  - 'keep': Access rule only applies to items matching this filter\n  - 'remove': Access rule only applies to items _not_ matching this filter\n  - 'removeAll': Access rule does not apply to any item with this filter key\n"},"key":{"type":"string","description":"The value being filtered. Required if the filter effect is 'keep' or 'remove'."},"value":{"type":"boolean","description":"The value being filtered. Required if it's a boolean filter."},"pattern":{"type":"string","description":"Filter patterns. Patterns are unanchored."}}}}}},"ApprovalRule":{"type":"object","description":"Determines access requirements. See [the Approval docs](https://docs.p0.dev/just-in-time-access/request-routing#approval).","properties":{"type":{"type":"string","description":"Determines trust requirements for access. If empty, access is disallowed. Except for 'deny', meeting any requirement is sufficient to grant access. Possible values:\n  - 'auto': Access is granted according to the requirements of the specified 'integration'\n  - 'deny': Access is always denied\n  - 'escalation': Access may be approved by on-call members of the specified services, who are paged when access is manually escalated by the requestor\n  - 'group': Access may be granted by any member of the defined directory group\n  - 'persistent': Access is always granted\n  - 'requestor-profile': Allows approval by a user specified by a field in the requestor's IDP profile\n  - 'p0': Access may be granted by any user with the P0 \"approver\" role (defined in the P0 app)\n"},"directory":{"type":"string","description":"May only be used if 'type' is 'requestor-profile'. One of \"azure-ad\", \"okta\", or \"workspace\"."},"integration":{"type":"string","description":"May only be used if 'type' is 'auto' or 'escalation'. Possible values:\n  - 'pagerduty': Access is granted if the requestor is on-call.\n"},"profile_property":{"type":"string","description":"May only be used if 'type' is 'requestor-profile'. This is the profile attribute that contains the manager's email."},"services":{"type":"array","items":{"type":"string"},"description":"May only be used if 'type' is 'escalation'. Defines which services to page on escalation."},"options":{"type":"object","properties":{"allow_one_party":{"type":"boolean","description":"If true, allows requestors to approve their own requests."},"require_reason":{"type":"boolean","description":"If true, requires access requests to include a reason."},"cooldown":{"type":"integer","description":"Cooldown period in seconds before access can be re-requested."},"duration":{"type":"integer","description":"How long access is granted, in seconds."}}}}}}},"paths":{"/o/{orgId}/routing/name/{name}":{"get":{"summary":"Get a Routing Rule by Name","description":"Retrieve a specific routing rule by its name.","parameters":[{"name":"orgId","in":"path","required":true,"schema":{"type":"string"}},{"name":"name","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"Routing rule returned successfully.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/RoutingRule"}}}},"404":{"description":"Routing rule not found"}}}}}}
```

## Get Workflow Configuration by ID

> Retrieve a specific routing configuration by workflow ID.

```json
{"openapi":"3.0.4","info":{"title":"P0 Routing API","version":"1.0.0"},"servers":[{"url":"https://api.p0.app"}],"security":[{"bearerAuth":[]}],"components":{"securitySchemes":{"bearerAuth":{"type":"http","scheme":"bearer","bearerFormat":"JWT"}},"schemas":{"WorkflowConfigWithMeta":{"allOf":[{"$ref":"#/components/schemas/WorkflowConfig"},{"type":"object","properties":{"id":{"type":"string"},"createdDate":{"type":"string","format":"date-time"}}}]},"WorkflowConfig":{"type":"object","properties":{"id":{"type":"string"},"createdDate":{"type":"string","format":"date-time"},"rules":{"type":"array","items":{"$ref":"#/components/schemas/RoutingRule"}}}},"RoutingRule":{"type":"object","properties":{"name":{"type":"string","description":"A human readable name for this routing rule"},"disabled":{"type":"boolean","description":"Whether or not the routing rule should be evaluated; if false or undefined, the rule will be evaluated"},"requestor":{"$ref":"#/components/schemas/RequestorRule"},"resource":{"$ref":"#/components/schemas/ResourceRule"},"approval":{"type":"array","items":{"$ref":"#/components/schemas/ApprovalRule"}}}},"RequestorRule":{"type":"object","description":"Controls who has access. See [the Requestor docs](https://docs.p0.dev/just-in-time-access/request-routing#requestor).","properties":{"type":{"type":"string","description":"How P0 matches requestors:\n  - 'any': Any requestor will match\n  - 'group': Members of a directory group will match\n  - 'user': Only match a single user\n"},"uid":{"type":"string","description":"May only be used if 'type' is 'user'. This is the user's email address."}}},"ResourceRule":{"type":"object","description":"Controls what is accessed. See [the Resource docs](https://docs.p0.dev/just-in-time-access/request-routing#resource).","properties":{"type":{"type":"string","description":"How P0 matches resources:\n  - 'any': Any resource\n  - 'integration': Only resources within a specified integration\n"},"service":{"type":"string","description":"May only be used if 'type' is 'integration'.\nSee [the Resource docs](https://docs.p0.dev/just-in-time-access/request-routing#resource) for a list of available services.\n"},"filters":{"type":"object","additionalProperties":{"type":"object","properties":{"effect":{"type":"string","description":"The filter effect. May be one of:\n  - 'keep': Access rule only applies to items matching this filter\n  - 'remove': Access rule only applies to items _not_ matching this filter\n  - 'removeAll': Access rule does not apply to any item with this filter key\n"},"key":{"type":"string","description":"The value being filtered. Required if the filter effect is 'keep' or 'remove'."},"value":{"type":"boolean","description":"The value being filtered. Required if it's a boolean filter."},"pattern":{"type":"string","description":"Filter patterns. Patterns are unanchored."}}}}}},"ApprovalRule":{"type":"object","description":"Determines access requirements. See [the Approval docs](https://docs.p0.dev/just-in-time-access/request-routing#approval).","properties":{"type":{"type":"string","description":"Determines trust requirements for access. If empty, access is disallowed. Except for 'deny', meeting any requirement is sufficient to grant access. Possible values:\n  - 'auto': Access is granted according to the requirements of the specified 'integration'\n  - 'deny': Access is always denied\n  - 'escalation': Access may be approved by on-call members of the specified services, who are paged when access is manually escalated by the requestor\n  - 'group': Access may be granted by any member of the defined directory group\n  - 'persistent': Access is always granted\n  - 'requestor-profile': Allows approval by a user specified by a field in the requestor's IDP profile\n  - 'p0': Access may be granted by any user with the P0 \"approver\" role (defined in the P0 app)\n"},"directory":{"type":"string","description":"May only be used if 'type' is 'requestor-profile'. One of \"azure-ad\", \"okta\", or \"workspace\"."},"integration":{"type":"string","description":"May only be used if 'type' is 'auto' or 'escalation'. Possible values:\n  - 'pagerduty': Access is granted if the requestor is on-call.\n"},"profile_property":{"type":"string","description":"May only be used if 'type' is 'requestor-profile'. This is the profile attribute that contains the manager's email."},"services":{"type":"array","items":{"type":"string"},"description":"May only be used if 'type' is 'escalation'. Defines which services to page on escalation."},"options":{"type":"object","properties":{"allow_one_party":{"type":"boolean","description":"If true, allows requestors to approve their own requests."},"require_reason":{"type":"boolean","description":"If true, requires access requests to include a reason."},"cooldown":{"type":"integer","description":"Cooldown period in seconds before access can be re-requested."},"duration":{"type":"integer","description":"How long access is granted, in seconds."}}}}}}},"paths":{"/o/{orgId}/routing/{workflowId}":{"get":{"summary":"Get Workflow Configuration by ID","description":"Retrieve a specific routing configuration by workflow ID.","parameters":[{"name":"orgId","in":"path","required":true,"schema":{"type":"string"}},{"name":"workflowId","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"Workflow configuration returned successfully.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/WorkflowConfigWithMeta"}}}},"404":{"description":"Workflow not found"}}}}}}
```

## Create a Routing Rule by Name

> Create a new routing rule with the specified name.

```json
{"openapi":"3.0.4","info":{"title":"P0 Routing API","version":"1.0.0"},"servers":[{"url":"https://api.p0.app"}],"security":[{"bearerAuth":[]}],"components":{"securitySchemes":{"bearerAuth":{"type":"http","scheme":"bearer","bearerFormat":"JWT"}},"schemas":{"RoutingRule":{"type":"object","properties":{"name":{"type":"string","description":"A human readable name for this routing rule"},"disabled":{"type":"boolean","description":"Whether or not the routing rule should be evaluated; if false or undefined, the rule will be evaluated"},"requestor":{"$ref":"#/components/schemas/RequestorRule"},"resource":{"$ref":"#/components/schemas/ResourceRule"},"approval":{"type":"array","items":{"$ref":"#/components/schemas/ApprovalRule"}}}},"RequestorRule":{"type":"object","description":"Controls who has access. See [the Requestor docs](https://docs.p0.dev/just-in-time-access/request-routing#requestor).","properties":{"type":{"type":"string","description":"How P0 matches requestors:\n  - 'any': Any requestor will match\n  - 'group': Members of a directory group will match\n  - 'user': Only match a single user\n"},"uid":{"type":"string","description":"May only be used if 'type' is 'user'. This is the user's email address."}}},"ResourceRule":{"type":"object","description":"Controls what is accessed. See [the Resource docs](https://docs.p0.dev/just-in-time-access/request-routing#resource).","properties":{"type":{"type":"string","description":"How P0 matches resources:\n  - 'any': Any resource\n  - 'integration': Only resources within a specified integration\n"},"service":{"type":"string","description":"May only be used if 'type' is 'integration'.\nSee [the Resource docs](https://docs.p0.dev/just-in-time-access/request-routing#resource) for a list of available services.\n"},"filters":{"type":"object","additionalProperties":{"type":"object","properties":{"effect":{"type":"string","description":"The filter effect. May be one of:\n  - 'keep': Access rule only applies to items matching this filter\n  - 'remove': Access rule only applies to items _not_ matching this filter\n  - 'removeAll': Access rule does not apply to any item with this filter key\n"},"key":{"type":"string","description":"The value being filtered. Required if the filter effect is 'keep' or 'remove'."},"value":{"type":"boolean","description":"The value being filtered. Required if it's a boolean filter."},"pattern":{"type":"string","description":"Filter patterns. Patterns are unanchored."}}}}}},"ApprovalRule":{"type":"object","description":"Determines access requirements. See [the Approval docs](https://docs.p0.dev/just-in-time-access/request-routing#approval).","properties":{"type":{"type":"string","description":"Determines trust requirements for access. If empty, access is disallowed. Except for 'deny', meeting any requirement is sufficient to grant access. Possible values:\n  - 'auto': Access is granted according to the requirements of the specified 'integration'\n  - 'deny': Access is always denied\n  - 'escalation': Access may be approved by on-call members of the specified services, who are paged when access is manually escalated by the requestor\n  - 'group': Access may be granted by any member of the defined directory group\n  - 'persistent': Access is always granted\n  - 'requestor-profile': Allows approval by a user specified by a field in the requestor's IDP profile\n  - 'p0': Access may be granted by any user with the P0 \"approver\" role (defined in the P0 app)\n"},"directory":{"type":"string","description":"May only be used if 'type' is 'requestor-profile'. One of \"azure-ad\", \"okta\", or \"workspace\"."},"integration":{"type":"string","description":"May only be used if 'type' is 'auto' or 'escalation'. Possible values:\n  - 'pagerduty': Access is granted if the requestor is on-call.\n"},"profile_property":{"type":"string","description":"May only be used if 'type' is 'requestor-profile'. This is the profile attribute that contains the manager's email."},"services":{"type":"array","items":{"type":"string"},"description":"May only be used if 'type' is 'escalation'. Defines which services to page on escalation."},"options":{"type":"object","properties":{"allow_one_party":{"type":"boolean","description":"If true, allows requestors to approve their own requests."},"require_reason":{"type":"boolean","description":"If true, requires access requests to include a reason."},"cooldown":{"type":"integer","description":"Cooldown period in seconds before access can be re-requested."},"duration":{"type":"integer","description":"How long access is granted, in seconds."}}}}}}},"paths":{"/o/{orgId}/routing/name/{name}":{"post":{"summary":"Create a Routing Rule by Name","description":"Create a new routing rule with the specified name.","parameters":[{"name":"orgId","in":"path","required":true,"schema":{"type":"string"}},{"name":"name","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"$ref":"#/components/schemas/RoutingRule"}}}},"responses":{"200":{"description":"Routing rule created successfully.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/RoutingRule"}}}}}}}}}
```

## Update a Routing Rule by Name

> Update an existing routing rule with the specified name.

```json
{"openapi":"3.0.4","info":{"title":"P0 Routing API","version":"1.0.0"},"servers":[{"url":"https://api.p0.app"}],"security":[{"bearerAuth":[]}],"components":{"securitySchemes":{"bearerAuth":{"type":"http","scheme":"bearer","bearerFormat":"JWT"}},"schemas":{"RoutingRule":{"type":"object","properties":{"name":{"type":"string","description":"A human readable name for this routing rule"},"disabled":{"type":"boolean","description":"Whether or not the routing rule should be evaluated; if false or undefined, the rule will be evaluated"},"requestor":{"$ref":"#/components/schemas/RequestorRule"},"resource":{"$ref":"#/components/schemas/ResourceRule"},"approval":{"type":"array","items":{"$ref":"#/components/schemas/ApprovalRule"}}}},"RequestorRule":{"type":"object","description":"Controls who has access. See [the Requestor docs](https://docs.p0.dev/just-in-time-access/request-routing#requestor).","properties":{"type":{"type":"string","description":"How P0 matches requestors:\n  - 'any': Any requestor will match\n  - 'group': Members of a directory group will match\n  - 'user': Only match a single user\n"},"uid":{"type":"string","description":"May only be used if 'type' is 'user'. This is the user's email address."}}},"ResourceRule":{"type":"object","description":"Controls what is accessed. See [the Resource docs](https://docs.p0.dev/just-in-time-access/request-routing#resource).","properties":{"type":{"type":"string","description":"How P0 matches resources:\n  - 'any': Any resource\n  - 'integration': Only resources within a specified integration\n"},"service":{"type":"string","description":"May only be used if 'type' is 'integration'.\nSee [the Resource docs](https://docs.p0.dev/just-in-time-access/request-routing#resource) for a list of available services.\n"},"filters":{"type":"object","additionalProperties":{"type":"object","properties":{"effect":{"type":"string","description":"The filter effect. May be one of:\n  - 'keep': Access rule only applies to items matching this filter\n  - 'remove': Access rule only applies to items _not_ matching this filter\n  - 'removeAll': Access rule does not apply to any item with this filter key\n"},"key":{"type":"string","description":"The value being filtered. Required if the filter effect is 'keep' or 'remove'."},"value":{"type":"boolean","description":"The value being filtered. Required if it's a boolean filter."},"pattern":{"type":"string","description":"Filter patterns. Patterns are unanchored."}}}}}},"ApprovalRule":{"type":"object","description":"Determines access requirements. See [the Approval docs](https://docs.p0.dev/just-in-time-access/request-routing#approval).","properties":{"type":{"type":"string","description":"Determines trust requirements for access. If empty, access is disallowed. Except for 'deny', meeting any requirement is sufficient to grant access. Possible values:\n  - 'auto': Access is granted according to the requirements of the specified 'integration'\n  - 'deny': Access is always denied\n  - 'escalation': Access may be approved by on-call members of the specified services, who are paged when access is manually escalated by the requestor\n  - 'group': Access may be granted by any member of the defined directory group\n  - 'persistent': Access is always granted\n  - 'requestor-profile': Allows approval by a user specified by a field in the requestor's IDP profile\n  - 'p0': Access may be granted by any user with the P0 \"approver\" role (defined in the P0 app)\n"},"directory":{"type":"string","description":"May only be used if 'type' is 'requestor-profile'. One of \"azure-ad\", \"okta\", or \"workspace\"."},"integration":{"type":"string","description":"May only be used if 'type' is 'auto' or 'escalation'. Possible values:\n  - 'pagerduty': Access is granted if the requestor is on-call.\n"},"profile_property":{"type":"string","description":"May only be used if 'type' is 'requestor-profile'. This is the profile attribute that contains the manager's email."},"services":{"type":"array","items":{"type":"string"},"description":"May only be used if 'type' is 'escalation'. Defines which services to page on escalation."},"options":{"type":"object","properties":{"allow_one_party":{"type":"boolean","description":"If true, allows requestors to approve their own requests."},"require_reason":{"type":"boolean","description":"If true, requires access requests to include a reason."},"cooldown":{"type":"integer","description":"Cooldown period in seconds before access can be re-requested."},"duration":{"type":"integer","description":"How long access is granted, in seconds."}}}}}}},"paths":{"/o/{orgId}/routing/name/{name}":{"put":{"summary":"Update a Routing Rule by Name","description":"Update an existing routing rule with the specified name.","parameters":[{"name":"orgId","in":"path","required":true,"schema":{"type":"string"}},{"name":"name","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"$ref":"#/components/schemas/RoutingRule"}}}},"responses":{"200":{"description":"Routing rule updated successfully.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/RoutingRule"}}}}}}}}}
```

## Delete a Routing Rule by Name

> Delete the routing rule with the specified name.

```json
{"openapi":"3.0.4","info":{"title":"P0 Routing API","version":"1.0.0"},"servers":[{"url":"https://api.p0.app"}],"security":[{"bearerAuth":[]}],"components":{"securitySchemes":{"bearerAuth":{"type":"http","scheme":"bearer","bearerFormat":"JWT"}}},"paths":{"/o/{orgId}/routing/name/{name}":{"delete":{"summary":"Delete a Routing Rule by Name","description":"Delete the routing rule with the specified name.","parameters":[{"name":"orgId","in":"path","required":true,"schema":{"type":"string"}},{"name":"name","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"204":{"description":"Routing rule deleted successfully. No content returned."}}}}}}
```

## The WorkflowConfig object

```json
{"openapi":"3.0.4","info":{"title":"P0 Routing API","version":"1.0.0"},"components":{"schemas":{"WorkflowConfig":{"type":"object","properties":{"id":{"type":"string"},"createdDate":{"type":"string","format":"date-time"},"rules":{"type":"array","items":{"$ref":"#/components/schemas/RoutingRule"}}}},"RoutingRule":{"type":"object","properties":{"name":{"type":"string","description":"A human readable name for this routing rule"},"disabled":{"type":"boolean","description":"Whether or not the routing rule should be evaluated; if false or undefined, the rule will be evaluated"},"requestor":{"$ref":"#/components/schemas/RequestorRule"},"resource":{"$ref":"#/components/schemas/ResourceRule"},"approval":{"type":"array","items":{"$ref":"#/components/schemas/ApprovalRule"}}}},"RequestorRule":{"type":"object","description":"Controls who has access. See [the Requestor docs](https://docs.p0.dev/just-in-time-access/request-routing#requestor).","properties":{"type":{"type":"string","description":"How P0 matches requestors:\n  - 'any': Any requestor will match\n  - 'group': Members of a directory group will match\n  - 'user': Only match a single user\n"},"uid":{"type":"string","description":"May only be used if 'type' is 'user'. This is the user's email address."}}},"ResourceRule":{"type":"object","description":"Controls what is accessed. See [the Resource docs](https://docs.p0.dev/just-in-time-access/request-routing#resource).","properties":{"type":{"type":"string","description":"How P0 matches resources:\n  - 'any': Any resource\n  - 'integration': Only resources within a specified integration\n"},"service":{"type":"string","description":"May only be used if 'type' is 'integration'.\nSee [the Resource docs](https://docs.p0.dev/just-in-time-access/request-routing#resource) for a list of available services.\n"},"filters":{"type":"object","additionalProperties":{"type":"object","properties":{"effect":{"type":"string","description":"The filter effect. May be one of:\n  - 'keep': Access rule only applies to items matching this filter\n  - 'remove': Access rule only applies to items _not_ matching this filter\n  - 'removeAll': Access rule does not apply to any item with this filter key\n"},"key":{"type":"string","description":"The value being filtered. Required if the filter effect is 'keep' or 'remove'."},"value":{"type":"boolean","description":"The value being filtered. Required if it's a boolean filter."},"pattern":{"type":"string","description":"Filter patterns. Patterns are unanchored."}}}}}},"ApprovalRule":{"type":"object","description":"Determines access requirements. See [the Approval docs](https://docs.p0.dev/just-in-time-access/request-routing#approval).","properties":{"type":{"type":"string","description":"Determines trust requirements for access. If empty, access is disallowed. Except for 'deny', meeting any requirement is sufficient to grant access. Possible values:\n  - 'auto': Access is granted according to the requirements of the specified 'integration'\n  - 'deny': Access is always denied\n  - 'escalation': Access may be approved by on-call members of the specified services, who are paged when access is manually escalated by the requestor\n  - 'group': Access may be granted by any member of the defined directory group\n  - 'persistent': Access is always granted\n  - 'requestor-profile': Allows approval by a user specified by a field in the requestor's IDP profile\n  - 'p0': Access may be granted by any user with the P0 \"approver\" role (defined in the P0 app)\n"},"directory":{"type":"string","description":"May only be used if 'type' is 'requestor-profile'. One of \"azure-ad\", \"okta\", or \"workspace\"."},"integration":{"type":"string","description":"May only be used if 'type' is 'auto' or 'escalation'. Possible values:\n  - 'pagerduty': Access is granted if the requestor is on-call.\n"},"profile_property":{"type":"string","description":"May only be used if 'type' is 'requestor-profile'. This is the profile attribute that contains the manager's email."},"services":{"type":"array","items":{"type":"string"},"description":"May only be used if 'type' is 'escalation'. Defines which services to page on escalation."},"options":{"type":"object","properties":{"allow_one_party":{"type":"boolean","description":"If true, allows requestors to approve their own requests."},"require_reason":{"type":"boolean","description":"If true, requires access requests to include a reason."},"cooldown":{"type":"integer","description":"Cooldown period in seconds before access can be re-requested."},"duration":{"type":"integer","description":"How long access is granted, in seconds."}}}}}}}}
```

## The WorkflowConfigWithMeta object

```json
{"openapi":"3.0.4","info":{"title":"P0 Routing API","version":"1.0.0"},"components":{"schemas":{"WorkflowConfigWithMeta":{"allOf":[{"$ref":"#/components/schemas/WorkflowConfig"},{"type":"object","properties":{"id":{"type":"string"},"createdDate":{"type":"string","format":"date-time"}}}]},"WorkflowConfig":{"type":"object","properties":{"id":{"type":"string"},"createdDate":{"type":"string","format":"date-time"},"rules":{"type":"array","items":{"$ref":"#/components/schemas/RoutingRule"}}}},"RoutingRule":{"type":"object","properties":{"name":{"type":"string","description":"A human readable name for this routing rule"},"disabled":{"type":"boolean","description":"Whether or not the routing rule should be evaluated; if false or undefined, the rule will be evaluated"},"requestor":{"$ref":"#/components/schemas/RequestorRule"},"resource":{"$ref":"#/components/schemas/ResourceRule"},"approval":{"type":"array","items":{"$ref":"#/components/schemas/ApprovalRule"}}}},"RequestorRule":{"type":"object","description":"Controls who has access. See [the Requestor docs](https://docs.p0.dev/just-in-time-access/request-routing#requestor).","properties":{"type":{"type":"string","description":"How P0 matches requestors:\n  - 'any': Any requestor will match\n  - 'group': Members of a directory group will match\n  - 'user': Only match a single user\n"},"uid":{"type":"string","description":"May only be used if 'type' is 'user'. This is the user's email address."}}},"ResourceRule":{"type":"object","description":"Controls what is accessed. See [the Resource docs](https://docs.p0.dev/just-in-time-access/request-routing#resource).","properties":{"type":{"type":"string","description":"How P0 matches resources:\n  - 'any': Any resource\n  - 'integration': Only resources within a specified integration\n"},"service":{"type":"string","description":"May only be used if 'type' is 'integration'.\nSee [the Resource docs](https://docs.p0.dev/just-in-time-access/request-routing#resource) for a list of available services.\n"},"filters":{"type":"object","additionalProperties":{"type":"object","properties":{"effect":{"type":"string","description":"The filter effect. May be one of:\n  - 'keep': Access rule only applies to items matching this filter\n  - 'remove': Access rule only applies to items _not_ matching this filter\n  - 'removeAll': Access rule does not apply to any item with this filter key\n"},"key":{"type":"string","description":"The value being filtered. Required if the filter effect is 'keep' or 'remove'."},"value":{"type":"boolean","description":"The value being filtered. Required if it's a boolean filter."},"pattern":{"type":"string","description":"Filter patterns. Patterns are unanchored."}}}}}},"ApprovalRule":{"type":"object","description":"Determines access requirements. See [the Approval docs](https://docs.p0.dev/just-in-time-access/request-routing#approval).","properties":{"type":{"type":"string","description":"Determines trust requirements for access. If empty, access is disallowed. Except for 'deny', meeting any requirement is sufficient to grant access. Possible values:\n  - 'auto': Access is granted according to the requirements of the specified 'integration'\n  - 'deny': Access is always denied\n  - 'escalation': Access may be approved by on-call members of the specified services, who are paged when access is manually escalated by the requestor\n  - 'group': Access may be granted by any member of the defined directory group\n  - 'persistent': Access is always granted\n  - 'requestor-profile': Allows approval by a user specified by a field in the requestor's IDP profile\n  - 'p0': Access may be granted by any user with the P0 \"approver\" role (defined in the P0 app)\n"},"directory":{"type":"string","description":"May only be used if 'type' is 'requestor-profile'. One of \"azure-ad\", \"okta\", or \"workspace\"."},"integration":{"type":"string","description":"May only be used if 'type' is 'auto' or 'escalation'. Possible values:\n  - 'pagerduty': Access is granted if the requestor is on-call.\n"},"profile_property":{"type":"string","description":"May only be used if 'type' is 'requestor-profile'. This is the profile attribute that contains the manager's email."},"services":{"type":"array","items":{"type":"string"},"description":"May only be used if 'type' is 'escalation'. Defines which services to page on escalation."},"options":{"type":"object","properties":{"allow_one_party":{"type":"boolean","description":"If true, allows requestors to approve their own requests."},"require_reason":{"type":"boolean","description":"If true, requires access requests to include a reason."},"cooldown":{"type":"integer","description":"Cooldown period in seconds before access can be re-requested."},"duration":{"type":"integer","description":"How long access is granted, in seconds."}}}}}}}}
```

## The RoutingRule object

```json
{"openapi":"3.0.4","info":{"title":"P0 Routing API","version":"1.0.0"},"components":{"schemas":{"RoutingRule":{"type":"object","properties":{"name":{"type":"string","description":"A human readable name for this routing rule"},"disabled":{"type":"boolean","description":"Whether or not the routing rule should be evaluated; if false or undefined, the rule will be evaluated"},"requestor":{"$ref":"#/components/schemas/RequestorRule"},"resource":{"$ref":"#/components/schemas/ResourceRule"},"approval":{"type":"array","items":{"$ref":"#/components/schemas/ApprovalRule"}}}},"RequestorRule":{"type":"object","description":"Controls who has access. See [the Requestor docs](https://docs.p0.dev/just-in-time-access/request-routing#requestor).","properties":{"type":{"type":"string","description":"How P0 matches requestors:\n  - 'any': Any requestor will match\n  - 'group': Members of a directory group will match\n  - 'user': Only match a single user\n"},"uid":{"type":"string","description":"May only be used if 'type' is 'user'. This is the user's email address."}}},"ResourceRule":{"type":"object","description":"Controls what is accessed. See [the Resource docs](https://docs.p0.dev/just-in-time-access/request-routing#resource).","properties":{"type":{"type":"string","description":"How P0 matches resources:\n  - 'any': Any resource\n  - 'integration': Only resources within a specified integration\n"},"service":{"type":"string","description":"May only be used if 'type' is 'integration'.\nSee [the Resource docs](https://docs.p0.dev/just-in-time-access/request-routing#resource) for a list of available services.\n"},"filters":{"type":"object","additionalProperties":{"type":"object","properties":{"effect":{"type":"string","description":"The filter effect. May be one of:\n  - 'keep': Access rule only applies to items matching this filter\n  - 'remove': Access rule only applies to items _not_ matching this filter\n  - 'removeAll': Access rule does not apply to any item with this filter key\n"},"key":{"type":"string","description":"The value being filtered. Required if the filter effect is 'keep' or 'remove'."},"value":{"type":"boolean","description":"The value being filtered. Required if it's a boolean filter."},"pattern":{"type":"string","description":"Filter patterns. Patterns are unanchored."}}}}}},"ApprovalRule":{"type":"object","description":"Determines access requirements. See [the Approval docs](https://docs.p0.dev/just-in-time-access/request-routing#approval).","properties":{"type":{"type":"string","description":"Determines trust requirements for access. If empty, access is disallowed. Except for 'deny', meeting any requirement is sufficient to grant access. Possible values:\n  - 'auto': Access is granted according to the requirements of the specified 'integration'\n  - 'deny': Access is always denied\n  - 'escalation': Access may be approved by on-call members of the specified services, who are paged when access is manually escalated by the requestor\n  - 'group': Access may be granted by any member of the defined directory group\n  - 'persistent': Access is always granted\n  - 'requestor-profile': Allows approval by a user specified by a field in the requestor's IDP profile\n  - 'p0': Access may be granted by any user with the P0 \"approver\" role (defined in the P0 app)\n"},"directory":{"type":"string","description":"May only be used if 'type' is 'requestor-profile'. One of \"azure-ad\", \"okta\", or \"workspace\"."},"integration":{"type":"string","description":"May only be used if 'type' is 'auto' or 'escalation'. Possible values:\n  - 'pagerduty': Access is granted if the requestor is on-call.\n"},"profile_property":{"type":"string","description":"May only be used if 'type' is 'requestor-profile'. This is the profile attribute that contains the manager's email."},"services":{"type":"array","items":{"type":"string"},"description":"May only be used if 'type' is 'escalation'. Defines which services to page on escalation."},"options":{"type":"object","properties":{"allow_one_party":{"type":"boolean","description":"If true, allows requestors to approve their own requests."},"require_reason":{"type":"boolean","description":"If true, requires access requests to include a reason."},"cooldown":{"type":"integer","description":"Cooldown period in seconds before access can be re-requested."},"duration":{"type":"integer","description":"How long access is granted, in seconds."}}}}}}}}
```

## The RequestorRule object

```json
{"openapi":"3.0.4","info":{"title":"P0 Routing API","version":"1.0.0"},"components":{"schemas":{"RequestorRule":{"type":"object","description":"Controls who has access. See [the Requestor docs](https://docs.p0.dev/just-in-time-access/request-routing#requestor).","properties":{"type":{"type":"string","description":"How P0 matches requestors:\n  - 'any': Any requestor will match\n  - 'group': Members of a directory group will match\n  - 'user': Only match a single user\n"},"uid":{"type":"string","description":"May only be used if 'type' is 'user'. This is the user's email address."}}}}}}
```

## The ResourceRule object

```json
{"openapi":"3.0.4","info":{"title":"P0 Routing API","version":"1.0.0"},"components":{"schemas":{"ResourceRule":{"type":"object","description":"Controls what is accessed. See [the Resource docs](https://docs.p0.dev/just-in-time-access/request-routing#resource).","properties":{"type":{"type":"string","description":"How P0 matches resources:\n  - 'any': Any resource\n  - 'integration': Only resources within a specified integration\n"},"service":{"type":"string","description":"May only be used if 'type' is 'integration'.\nSee [the Resource docs](https://docs.p0.dev/just-in-time-access/request-routing#resource) for a list of available services.\n"},"filters":{"type":"object","additionalProperties":{"type":"object","properties":{"effect":{"type":"string","description":"The filter effect. May be one of:\n  - 'keep': Access rule only applies to items matching this filter\n  - 'remove': Access rule only applies to items _not_ matching this filter\n  - 'removeAll': Access rule does not apply to any item with this filter key\n"},"key":{"type":"string","description":"The value being filtered. Required if the filter effect is 'keep' or 'remove'."},"value":{"type":"boolean","description":"The value being filtered. Required if it's a boolean filter."},"pattern":{"type":"string","description":"Filter patterns. Patterns are unanchored."}}}}}}}}}
```

## The ApprovalRule object

```json
{"openapi":"3.0.4","info":{"title":"P0 Routing API","version":"1.0.0"},"components":{"schemas":{"ApprovalRule":{"type":"object","description":"Determines access requirements. See [the Approval docs](https://docs.p0.dev/just-in-time-access/request-routing#approval).","properties":{"type":{"type":"string","description":"Determines trust requirements for access. If empty, access is disallowed. Except for 'deny', meeting any requirement is sufficient to grant access. Possible values:\n  - 'auto': Access is granted according to the requirements of the specified 'integration'\n  - 'deny': Access is always denied\n  - 'escalation': Access may be approved by on-call members of the specified services, who are paged when access is manually escalated by the requestor\n  - 'group': Access may be granted by any member of the defined directory group\n  - 'persistent': Access is always granted\n  - 'requestor-profile': Allows approval by a user specified by a field in the requestor's IDP profile\n  - 'p0': Access may be granted by any user with the P0 \"approver\" role (defined in the P0 app)\n"},"directory":{"type":"string","description":"May only be used if 'type' is 'requestor-profile'. One of \"azure-ad\", \"okta\", or \"workspace\"."},"integration":{"type":"string","description":"May only be used if 'type' is 'auto' or 'escalation'. Possible values:\n  - 'pagerduty': Access is granted if the requestor is on-call.\n"},"profile_property":{"type":"string","description":"May only be used if 'type' is 'requestor-profile'. This is the profile attribute that contains the manager's email."},"services":{"type":"array","items":{"type":"string"},"description":"May only be used if 'type' is 'escalation'. Defines which services to page on escalation."},"options":{"type":"object","properties":{"allow_one_party":{"type":"boolean","description":"If true, allows requestors to approve their own requests."},"require_reason":{"type":"boolean","description":"If true, requires access requests to include a reason."},"cooldown":{"type":"integer","description":"Cooldown period in seconds before access can be re-requested."},"duration":{"type":"integer","description":"How long access is granted, in seconds."}}}}}}}}
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.p0.dev/access-management/just-in-time-access/just-in-time-api/routing-rules-api.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.