# Routing Rules API

The Routing Rules API gives you fine-grained control over how just-in-time access requests are evaluated and approved. By defining workflow rules based on both the **requestor** (who is making the request) and the **resource** (what they’re trying to access), you can enforce consistent, auditable, and dynamic access controls across your infrastructure.

**Request routing** allows you to direct access requests through different approval paths based on context. For example, you can require manual approval for sensitive production systems, while allowing auto-approved access to staging environments. You can also limit request scope using filters or directory-based rules, ensuring access is only available to the right people at the right time.

## Get Routing Configuration

> Retrieve the routing configuration (WorkflowConfig) for the specified organization.

```json
{"openapi":"3.0.4","info":{"title":"P0 Routing API","version":"1.0.0"},"servers":[{"url":"https://api.p0.app"}],"security":[{"bearerAuth":[]}],"components":{"securitySchemes":{"bearerAuth":{"type":"http","scheme":"bearer","bearerFormat":"JWT"}},"schemas":{"WorkflowConfig":{"type":"object","properties":{"id":{"type":"string"},"createdDate":{"type":"string","format":"date-time"},"rules":{"type":"array","items":{"$ref":"#/components/schemas/RoutingRule"}}}},"RoutingRule":{"type":"object","properties":{"name":{"type":"string","description":"A human readable name for this routing rule"},"disabled":{"type":"boolean","description":"Whether or not the routing rule should be evaluated; if false or undefined, the rule will be evaluated"},"requestor":{"$ref":"#/components/schemas/RequestorRule"},"resource":{"$ref":"#/components/schemas/ResourceRule"},"approval":{"type":"array","items":{"$ref":"#/components/schemas/ApprovalRule"}}}},"RequestorRule":{"type":"object","description":"Controls who has access. See [the Requestor docs](https://docs.p0.dev/just-in-time-access/request-routing#requestor).","properties":{"type":{"type":"string","description":"How P0 matches requestors:\n  - 'any': Any requestor will match\n  - 'group': Members of a directory group will match\n  - 'user': Only match a single user\n"},"uid":{"type":"string","description":"May only be used if 'type' is 'user'. This is the user's email address."}}},"ResourceRule":{"type":"object","description":"Controls what is accessed. See [the Resource docs](https://docs.p0.dev/just-in-time-access/request-routing#resource).","properties":{"type":{"type":"string","description":"How P0 matches resources:\n  - 'any': Any resource\n  - 'integration': Only resources within a specified integration\n"},"service":{"type":"string","description":"May only be used if 'type' is 'integration'.\nSee [the Resource docs](https://docs.p0.dev/just-in-time-access/request-routing#resource) for a list of available services.\n"},"filters":{"type":"object","additionalProperties":{"type":"object","properties":{"effect":{"type":"string","description":"The filter effect. May be one of:\n  - 'keep': Access rule only applies to items matching this filter\n  - 'remove': Access rule only applies to items _not_ matching this filter\n  - 'removeAll': Access rule does not apply to any item with this filter key\n"},"key":{"type":"string","description":"The value being filtered. Required if the filter effect is 'keep' or 'remove'."},"value":{"type":"boolean","description":"The value being filtered. Required if it's a boolean filter."},"pattern":{"type":"string","description":"Filter patterns. Patterns are unanchored."}}}}}},"ApprovalRule":{"type":"object","description":"Determines access requirements. See [the Approval docs](https://docs.p0.dev/just-in-time-access/request-routing#approval).","properties":{"type":{"type":"string","description":"Determines trust requirements for access. If empty, access is disallowed. Except for 'deny', meeting any requirement is sufficient to grant access. Possible values:\n  - 'auto': Access is granted according to the requirements of the specified 'integration'\n  - 'deny': Access is always denied\n  - 'escalation': Access may be approved by on-call members of the specified services, who are paged when access is manually escalated by the requestor\n  - 'group': Access may be granted by any member of the defined directory group\n  - 'persistent': Access is always granted\n  - 'requestor-profile': Allows approval by a user specified by a field in the requestor's IDP profile\n  - 'p0': Access may be granted by any user with the P0 \"approver\" role (defined in the P0 app)\n"},"directory":{"type":"string","description":"May only be used if 'type' is 'requestor-profile'. One of \"azure-ad\", \"okta\", or \"workspace\"."},"integration":{"type":"string","description":"May only be used if 'type' is 'auto' or 'escalation'. Possible values:\n  - 'pagerduty': Access is granted if the requestor is on-call.\n"},"profile_property":{"type":"string","description":"May only be used if 'type' is 'requestor-profile'. This is the profile attribute that contains the manager's email."},"services":{"type":"array","items":{"type":"string"},"description":"May only be used if 'type' is 'escalation'. Defines which services to page on escalation."},"options":{"type":"object","properties":{"allow_one_party":{"type":"boolean","description":"If true, allows requestors to approve their own requests."},"require_reason":{"type":"boolean","description":"If true, requires access requests to include a reason."},"cooldown":{"type":"integer","description":"Cooldown period in seconds before access can be re-requested."},"duration":{"type":"integer","description":"How long access is granted, in seconds."}}}}}}},"paths":{"/o/{orgId}/routing":{"get":{"summary":"Get Routing Configuration","description":"Retrieve the routing configuration (WorkflowConfig) for the specified organization.","parameters":[{"name":"orgId","in":"path","required":true,"schema":{"type":"string"},"description":"The ID of the organization."}],"responses":{"200":{"description":"Routing configuration returned successfully.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/WorkflowConfig"}}}},"401":{"description":"Unauthorized"},"403":{"description":"Forbidden"}}}}}}
```

## Save Routing Configuration

> Save a new version of the routing configuration.

```json
{"openapi":"3.0.4","info":{"title":"P0 Routing API","version":"1.0.0"},"servers":[{"url":"https://api.p0.app"}],"security":[{"bearerAuth":[]}],"components":{"securitySchemes":{"bearerAuth":{"type":"http","scheme":"bearer","bearerFormat":"JWT"}},"schemas":{"WorkflowConfig":{"type":"object","properties":{"id":{"type":"string"},"createdDate":{"type":"string","format":"date-time"},"rules":{"type":"array","items":{"$ref":"#/components/schemas/RoutingRule"}}}},"RoutingRule":{"type":"object","properties":{"name":{"type":"string","description":"A human readable name for this routing rule"},"disabled":{"type":"boolean","description":"Whether or not the routing rule should be evaluated; if false or undefined, the rule will be evaluated"},"requestor":{"$ref":"#/components/schemas/RequestorRule"},"resource":{"$ref":"#/components/schemas/ResourceRule"},"approval":{"type":"array","items":{"$ref":"#/components/schemas/ApprovalRule"}}}},"RequestorRule":{"type":"object","description":"Controls who has access. See [the Requestor docs](https://docs.p0.dev/just-in-time-access/request-routing#requestor).","properties":{"type":{"type":"string","description":"How P0 matches requestors:\n  - 'any': Any requestor will match\n  - 'group': Members of a directory group will match\n  - 'user': Only match a single user\n"},"uid":{"type":"string","description":"May only be used if 'type' is 'user'. This is the user's email address."}}},"ResourceRule":{"type":"object","description":"Controls what is accessed. See [the Resource docs](https://docs.p0.dev/just-in-time-access/request-routing#resource).","properties":{"type":{"type":"string","description":"How P0 matches resources:\n  - 'any': Any resource\n  - 'integration': Only resources within a specified integration\n"},"service":{"type":"string","description":"May only be used if 'type' is 'integration'.\nSee [the Resource docs](https://docs.p0.dev/just-in-time-access/request-routing#resource) for a list of available services.\n"},"filters":{"type":"object","additionalProperties":{"type":"object","properties":{"effect":{"type":"string","description":"The filter effect. May be one of:\n  - 'keep': Access rule only applies to items matching this filter\n  - 'remove': Access rule only applies to items _not_ matching this filter\n  - 'removeAll': Access rule does not apply to any item with this filter key\n"},"key":{"type":"string","description":"The value being filtered. Required if the filter effect is 'keep' or 'remove'."},"value":{"type":"boolean","description":"The value being filtered. Required if it's a boolean filter."},"pattern":{"type":"string","description":"Filter patterns. Patterns are unanchored."}}}}}},"ApprovalRule":{"type":"object","description":"Determines access requirements. See [the Approval docs](https://docs.p0.dev/just-in-time-access/request-routing#approval).","properties":{"type":{"type":"string","description":"Determines trust requirements for access. If empty, access is disallowed. Except for 'deny', meeting any requirement is sufficient to grant access. Possible values:\n  - 'auto': Access is granted according to the requirements of the specified 'integration'\n  - 'deny': Access is always denied\n  - 'escalation': Access may be approved by on-call members of the specified services, who are paged when access is manually escalated by the requestor\n  - 'group': Access may be granted by any member of the defined directory group\n  - 'persistent': Access is always granted\n  - 'requestor-profile': Allows approval by a user specified by a field in the requestor's IDP profile\n  - 'p0': Access may be granted by any user with the P0 \"approver\" role (defined in the P0 app)\n"},"directory":{"type":"string","description":"May only be used if 'type' is 'requestor-profile'. One of \"azure-ad\", \"okta\", or \"workspace\"."},"integration":{"type":"string","description":"May only be used if 'type' is 'auto' or 'escalation'. Possible values:\n  - 'pagerduty': Access is granted if the requestor is on-call.\n"},"profile_property":{"type":"string","description":"May only be used if 'type' is 'requestor-profile'. This is the profile attribute that contains the manager's email."},"services":{"type":"array","items":{"type":"string"},"description":"May only be used if 'type' is 'escalation'. Defines which services to page on escalation."},"options":{"type":"object","properties":{"allow_one_party":{"type":"boolean","description":"If true, allows requestors to approve their own requests."},"require_reason":{"type":"boolean","description":"If true, requires access requests to include a reason."},"cooldown":{"type":"integer","description":"Cooldown period in seconds before access can be re-requested."},"duration":{"type":"integer","description":"How long access is granted, in seconds."}}}}}}},"paths":{"/o/{orgId}/routing":{"post":{"summary":"Save Routing Configuration","description":"Save a new version of the routing configuration.","parameters":[{"name":"orgId","in":"path","required":true,"schema":{"type":"string"},"description":"The ID of the organization."}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","properties":{"currentVersion":{"type":"string"},"workflow":{"$ref":"#/components/schemas/WorkflowConfig"}}}}}},"responses":{"200":{"description":"Updated routing rules returned.","content":{"application/json":{"schema":{"type":"object","properties":{"rules":{"type":"array","items":{"$ref":"#/components/schemas/RoutingRule"}},"version":{"type":"string"}}}}}}}}}}}
```
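
The schema states several field and type pairings only in prose ("May only be used if ..."). The linter below is an added example, not part of P0's documentation or code: it checks a `workflow` body against those pairings before it is sent to the save endpoint and flags settings worth a second review (`persistent`, `allow_one_party`, unanchored filter patterns, disabled `deny` rules). The sample config, its service and filter names, and the treatment of patterns as regex searches are assumptions made for illustration.

```python
import re

# Allowed values and field/type pairings, copied from the schema descriptions on this page.
REQUESTOR_TYPES = {"any", "group", "user"}
RESOURCE_TYPES = {"any", "integration"}
FILTER_EFFECTS = {"keep", "remove", "removeAll"}
APPROVAL_TYPES = {"auto", "deny", "escalation", "group", "persistent",
                  "requestor-profile", "p0"}
DIRECTORIES = {"azure-ad", "okta", "workspace"}
# ApprovalRule field -> approval types it "may only be used" with.
APPROVAL_FIELD_TYPES = {
    "directory": {"requestor-profile"},
    "profile_property": {"requestor-profile"},
    "integration": {"auto", "escalation"},
    "services": {"escalation"},
}


def pattern_matches(pattern, value):
    """Unanchored match. Assumption: patterns behave like a regex search."""
    return re.search(pattern, value) is not None


def lint_rule(rule):
    """Return (errors, warnings) for one RoutingRule dict."""
    errors, warnings = [], []
    name = rule.get("name", "<unnamed>")

    req = rule.get("requestor") or {}
    if req.get("type") not in REQUESTOR_TYPES:
        errors.append(f"{name}: unknown requestor type {req.get('type')!r}")
    if "uid" in req and req.get("type") != "user":
        errors.append(f"{name}: requestor 'uid' requires type 'user'")

    res = rule.get("resource") or {}
    if res.get("type") not in RESOURCE_TYPES:
        errors.append(f"{name}: unknown resource type {res.get('type')!r}")
    if "service" in res and res.get("type") != "integration":
        errors.append(f"{name}: resource 'service' requires type 'integration'")
    for fname, flt in (res.get("filters") or {}).items():
        effect = flt.get("effect")
        if effect not in FILTER_EFFECTS:
            errors.append(f"{name}: filter {fname!r} has unknown effect {effect!r}")
        if effect in ("keep", "remove") and "key" not in flt:
            errors.append(f"{name}: filter {fname!r} needs 'key' for effect {effect!r}")
        pat = flt.get("pattern")
        # Heuristic: a pattern without both anchors also matches substrings.
        if pat and not (pat.startswith("^") and pat.endswith("$")):
            warnings.append(f"{name}: filter {fname!r} pattern {pat!r} is unanchored")

    approvals = rule.get("approval") or []
    for appr in approvals:
        atype = appr.get("type")
        if not atype:
            warnings.append(f"{name}: empty approval type, access is disallowed")
        elif atype not in APPROVAL_TYPES:
            errors.append(f"{name}: unknown approval type {atype!r}")
        for field, allowed in APPROVAL_FIELD_TYPES.items():
            if field in appr and atype not in allowed:
                errors.append(f"{name}: approval '{field}' not allowed with type {atype!r}")
        if "directory" in appr and appr["directory"] not in DIRECTORIES:
            errors.append(f"{name}: unknown directory {appr['directory']!r}")
        if atype == "persistent":
            warnings.append(f"{name}: 'persistent' always grants access")
        if (appr.get("options") or {}).get("allow_one_party"):
            warnings.append(f"{name}: requestors can approve their own requests")
    if rule.get("disabled") and any(a.get("type") == "deny" for a in approvals):
        warnings.append(f"{name}: deny rule is disabled and will not be evaluated")
    return errors, warnings


def lint_workflow(workflow):
    """Lint every rule in a WorkflowConfig dict; return combined (errors, warnings)."""
    errors, warnings = [], []
    for rule in workflow.get("rules") or []:
        errs, warns = lint_rule(rule)
        errors += errs
        warnings += warns
    return errors, warnings


# Constructed sample WorkflowConfig; service, filter and user names are placeholders.
SAMPLE = {"rules": [
    {"name": "prod-manual",
     "requestor": {"type": "group"},
     "resource": {"type": "integration", "service": "example-service",
                  "filters": {"env": {"effect": "keep", "key": "name", "pattern": "prod"}}},
     "approval": [{"type": "p0", "options": {"require_reason": True, "duration": 3600}}]},
    {"name": "staging-open",
     "requestor": {"type": "any", "uid": "dev@example.com"},
     "resource": {"type": "any"},
     "approval": [{"type": "persistent", "services": ["placeholder"],
                   "options": {"allow_one_party": True}}]},
]}

if __name__ == "__main__":
    errs, warns = lint_workflow(SAMPLE)
    print("\n".join([f"ERROR {e}" for e in errs] + [f"WARN  {w}" for w in warns]))
```

Under the regex-search assumption, the `keep` filter with pattern `prod` in the first sample rule would also match a resource named `nonprod-db`; anchoring it as `^prod-` narrows the rule to the intended names.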

## Get a Routing Rule by Name

> Retrieve a specific routing rule by its name.

```json
{"openapi":"3.0.4","info":{"title":"P0 Routing API","version":"1.0.0"},"servers":[{"url":"https://api.p0.app"}],"security":[{"bearerAuth":[]}],"components":{"securitySchemes":{"bearerAuth":{"type":"http","scheme":"bearer","bearerFormat":"JWT"}},"schemas":{"RoutingRule":{"type":"object","properties":{"name":{"type":"string","description":"A human readable name for this routing rule"},"disabled":{"type":"boolean","description":"Whether or not the routing rule should be evaluated; if false or undefined, the rule will be evaluated"},"requestor":{"$ref":"#/components/schemas/RequestorRule"},"resource":{"$ref":"#/components/schemas/ResourceRule"},"approval":{"type":"array","items":{"$ref":"#/components/schemas/ApprovalRule"}}}},"RequestorRule":{"type":"object","description":"Controls who has access. See [the Requestor docs](https://docs.p0.dev/just-in-time-access/request-routing#requestor).","properties":{"type":{"type":"string","description":"How P0 matches requestors:\n  - 'any': Any requestor will match\n  - 'group': Members of a directory group will match\n  - 'user': Only match a single user\n"},"uid":{"type":"string","description":"May only be used if 'type' is 'user'. This is the user's email address."}}},"ResourceRule":{"type":"object","description":"Controls what is accessed. See [the Resource docs](https://docs.p0.dev/just-in-time-access/request-routing#resource).","properties":{"type":{"type":"string","description":"How P0 matches resources:\n  - 'any': Any resource\n  - 'integration': Only resources within a specified integration\n"},"service":{"type":"string","description":"May only be used if 'type' is 'integration'.\nSee [the Resource docs](https://docs.p0.dev/just-in-time-access/request-routing#resource) for a list of available services.\n"},"filters":{"type":"object","additionalProperties":{"type":"object","properties":{"effect":{"type":"string","description":"The filter effect. May be one of:\n  - 'keep': Access rule only applies to items matching this filter\n  - 'remove': Access rule only applies to items _not_ matching this filter\n  - 'removeAll': Access rule does not apply to any item with this filter key\n"},"key":{"type":"string","description":"The value being filtered. Required if the filter effect is 'keep' or 'remove'."},"value":{"type":"boolean","description":"The value being filtered. Required if it's a boolean filter."},"pattern":{"type":"string","description":"Filter patterns. Patterns are unanchored."}}}}}},"ApprovalRule":{"type":"object","description":"Determines access requirements. See [the Approval docs](https://docs.p0.dev/just-in-time-access/request-routing#approval).","properties":{"type":{"type":"string","description":"Determines trust requirements for access. If empty, access is disallowed. Except for 'deny', meeting any requirement is sufficient to grant access. Possible values:\n  - 'auto': Access is granted according to the requirements of the specified 'integration'\n  - 'deny': Access is always denied\n  - 'escalation': Access may be approved by on-call members of the specified services, who are paged when access is manually escalated by the requestor\n  - 'group': Access may be granted by any member of the defined directory group\n  - 'persistent': Access is always granted\n  - 'requestor-profile': Allows approval by a user specified by a field in the requestor's IDP profile\n  - 'p0': Access may be granted by any user with the P0 \"approver\" role (defined in the P0 app)\n"},"directory":{"type":"string","description":"May only be used if 'type' is 'requestor-profile'. One of \"azure-ad\", \"okta\", or \"workspace\"."},"integration":{"type":"string","description":"May only be used if 'type' is 'auto' or 'escalation'. Possible values:\n  - 'pagerduty': Access is granted if the requestor is on-call.\n"},"profile_property":{"type":"string","description":"May only be used if 'type' is 'requestor-profile'. This is the profile attribute that contains the manager's email."},"services":{"type":"array","items":{"type":"string"},"description":"May only be used if 'type' is 'escalation'. Defines which services to page on escalation."},"options":{"type":"object","properties":{"allow_one_party":{"type":"boolean","description":"If true, allows requestors to approve their own requests."},"require_reason":{"type":"boolean","description":"If true, requires access requests to include a reason."},"cooldown":{"type":"integer","description":"Cooldown period in seconds before access can be re-requested."},"duration":{"type":"integer","description":"How long access is granted, in seconds."}}}}}}},"paths":{"/o/{orgId}/routing/name/{name}":{"get":{"summary":"Get a Routing Rule by Name","description":"Retrieve a specific routing rule by its name.","parameters":[{"name":"orgId","in":"path","required":true,"schema":{"type":"string"}},{"name":"name","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"Routing rule returned successfully.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/RoutingRule"}}}},"404":{"description":"Routing rule not found"}}}}}}
```

## Get Workflow Configuration by ID

> Retrieve a specific routing configuration by workflow ID.

```json
{"openapi":"3.0.4","info":{"title":"P0 Routing API","version":"1.0.0"},"servers":[{"url":"https://api.p0.app"}],"security":[{"bearerAuth":[]}],"components":{"securitySchemes":{"bearerAuth":{"type":"http","scheme":"bearer","bearerFormat":"JWT"}},"schemas":{"WorkflowConfigWithMeta":{"allOf":[{"$ref":"#/components/schemas/WorkflowConfig"},{"type":"object","properties":{"id":{"type":"string"},"createdDate":{"type":"string","format":"date-time"}}}]},"WorkflowConfig":{"type":"object","properties":{"id":{"type":"string"},"createdDate":{"type":"string","format":"date-time"},"rules":{"type":"array","items":{"$ref":"#/components/schemas/RoutingRule"}}}},"RoutingRule":{"type":"object","properties":{"name":{"type":"string","description":"A human readable name for this routing rule"},"disabled":{"type":"boolean","description":"Whether or not the routing rule should be evaluated; if false or undefined, the rule will be evaluated"},"requestor":{"$ref":"#/components/schemas/RequestorRule"},"resource":{"$ref":"#/components/schemas/ResourceRule"},"approval":{"type":"array","items":{"$ref":"#/components/schemas/ApprovalRule"}}}},"RequestorRule":{"type":"object","description":"Controls who has access. See [the Requestor docs](https://docs.p0.dev/just-in-time-access/request-routing#requestor).","properties":{"type":{"type":"string","description":"How P0 matches requestors:\n  - 'any': Any requestor will match\n  - 'group': Members of a directory group will match\n  - 'user': Only match a single user\n"},"uid":{"type":"string","description":"May only be used if 'type' is 'user'. This is the user's email address."}}},"ResourceRule":{"type":"object","description":"Controls what is accessed. See [the Resource docs](https://docs.p0.dev/just-in-time-access/request-routing#resource).","properties":{"type":{"type":"string","description":"How P0 matches resources:\n  - 'any': Any resource\n  - 'integration': Only resources within a specified integration\n"},"service":{"type":"string","description":"May only be used if 'type' is 'integration'.\nSee [the Resource docs](https://docs.p0.dev/just-in-time-access/request-routing#resource) for a list of available services.\n"},"filters":{"type":"object","additionalProperties":{"type":"object","properties":{"effect":{"type":"string","description":"The filter effect. May be one of:\n  - 'keep': Access rule only applies to items matching this filter\n  - 'remove': Access rule only applies to items _not_ matching this filter\n  - 'removeAll': Access rule does not apply to any item with this filter key\n"},"key":{"type":"string","description":"The value being filtered. Required if the filter effect is 'keep' or 'remove'."},"value":{"type":"boolean","description":"The value being filtered. Required if it's a boolean filter."},"pattern":{"type":"string","description":"Filter patterns. Patterns are unanchored."}}}}}},"ApprovalRule":{"type":"object","description":"Determines access requirements. See [the Approval docs](https://docs.p0.dev/just-in-time-access/request-routing#approval).","properties":{"type":{"type":"string","description":"Determines trust requirements for access. If empty, access is disallowed. Except for 'deny', meeting any requirement is sufficient to grant access. Possible values:\n  - 'auto': Access is granted according to the requirements of the specified 'integration'\n  - 'deny': Access is always denied\n  - 'escalation': Access may be approved by on-call members of the specified services, who are paged when access is manually escalated by the requestor\n  - 'group': Access may be granted by any member of the defined directory group\n  - 'persistent': Access is always granted\n  - 'requestor-profile': Allows approval by a user specified by a field in the requestor's IDP profile\n  - 'p0': Access may be granted by any user with the P0 \"approver\" role (defined in the P0 app)\n"},"directory":{"type":"string","description":"May only be used if 'type' is 'requestor-profile'. One of \"azure-ad\", \"okta\", or \"workspace\"."},"integration":{"type":"string","description":"May only be used if 'type' is 'auto' or 'escalation'. Possible values:\n  - 'pagerduty': Access is granted if the requestor is on-call.\n"},"profile_property":{"type":"string","description":"May only be used if 'type' is 'requestor-profile'. This is the profile attribute that contains the manager's email."},"services":{"type":"array","items":{"type":"string"},"description":"May only be used if 'type' is 'escalation'. Defines which services to page on escalation."},"options":{"type":"object","properties":{"allow_one_party":{"type":"boolean","description":"If true, allows requestors to approve their own requests."},"require_reason":{"type":"boolean","description":"If true, requires access requests to include a reason."},"cooldown":{"type":"integer","description":"Cooldown period in seconds before access can be re-requested."},"duration":{"type":"integer","description":"How long access is granted, in seconds."}}}}}}},"paths":{"/o/{orgId}/routing/{workflowId}":{"get":{"summary":"Get Workflow Configuration by ID","description":"Retrieve a specific routing configuration by workflow ID.","parameters":[{"name":"orgId","in":"path","required":true,"schema":{"type":"string"}},{"name":"workflowId","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"Workflow configuration returned successfully.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/WorkflowConfigWithMeta"}}}},"404":{"description":"Workflow not found"}}}}}}
```

## Create a Routing Rule by Name

> Create a new routing rule with the specified name.

```json
{"openapi":"3.0.4","info":{"title":"P0 Routing API","version":"1.0.0"},"servers":[{"url":"https://api.p0.app"}],"security":[{"bearerAuth":[]}],"components":{"securitySchemes":{"bearerAuth":{"type":"http","scheme":"bearer","bearerFormat":"JWT"}},"schemas":{"RoutingRule":{"type":"object","properties":{"name":{"type":"string","description":"A human readable name for this routing rule"},"disabled":{"type":"boolean","description":"Whether or not the routing rule should be evaluated; if false or undefined, the rule will be evaluated"},"requestor":{"$ref":"#/components/schemas/RequestorRule"},"resource":{"$ref":"#/components/schemas/ResourceRule"},"approval":{"type":"array","items":{"$ref":"#/components/schemas/ApprovalRule"}}}},"RequestorRule":{"type":"object","description":"Controls who has access. See [the Requestor docs](https://docs.p0.dev/just-in-time-access/request-routing#requestor).","properties":{"type":{"type":"string","description":"How P0 matches requestors:\n  - 'any': Any requestor will match\n  - 'group': Members of a directory group will match\n  - 'user': Only match a single user\n"},"uid":{"type":"string","description":"May only be used if 'type' is 'user'. This is the user's email address."}}},"ResourceRule":{"type":"object","description":"Controls what is accessed. See [the Resource docs](https://docs.p0.dev/just-in-time-access/request-routing#resource).","properties":{"type":{"type":"string","description":"How P0 matches resources:\n  - 'any': Any resource\n  - 'integration': Only resources within a specified integration\n"},"service":{"type":"string","description":"May only be used if 'type' is 'integration'.\nSee [the Resource docs](https://docs.p0.dev/just-in-time-access/request-routing#resource) for a list of available services.\n"},"filters":{"type":"object","additionalProperties":{"type":"object","properties":{"effect":{"type":"string","description":"The filter effect. May be one of:\n  - 'keep': Access rule only applies to items matching this filter\n  - 'remove': Access rule only applies to items _not_ matching this filter\n  - 'removeAll': Access rule does not apply to any item with this filter key\n"},"key":{"type":"string","description":"The value being filtered. Required if the filter effect is 'keep' or 'remove'."},"value":{"type":"boolean","description":"The value being filtered. Required if it's a boolean filter."},"pattern":{"type":"string","description":"Filter patterns. Patterns are unanchored."}}}}}},"ApprovalRule":{"type":"object","description":"Determines access requirements. See [the Approval docs](https://docs.p0.dev/just-in-time-access/request-routing#approval).","properties":{"type":{"type":"string","description":"Determines trust requirements for access. If empty, access is disallowed. Except for 'deny', meeting any requirement is sufficient to grant access. Possible values:\n  - 'auto': Access is granted according to the requirements of the specified 'integration'\n  - 'deny': Access is always denied\n  - 'escalation': Access may be approved by on-call members of the specified services, who are paged when access is manually escalated by the requestor\n  - 'group': Access may be granted by any member of the defined directory group\n  - 'persistent': Access is always granted\n  - 'requestor-profile': Allows approval by a user specified by a field in the requestor's IDP profile\n  - 'p0': Access may be granted by any user with the P0 \"approver\" role (defined in the P0 app)\n"},"directory":{"type":"string","description":"May only be used if 'type' is 'requestor-profile'. One of \"azure-ad\", \"okta\", or \"workspace\"."},"integration":{"type":"string","description":"May only be used if 'type' is 'auto' or 'escalation'. Possible values:\n  - 'pagerduty': Access is granted if the requestor is on-call.\n"},"profile_property":{"type":"string","description":"May only be used if 'type' is 'requestor-profile'. This is the profile attribute that contains the manager's email."},"services":{"type":"array","items":{"type":"string"},"description":"May only be used if 'type' is 'escalation'. Defines which services to page on escalation."},"options":{"type":"object","properties":{"allow_one_party":{"type":"boolean","description":"If true, allows requestors to approve their own requests."},"require_reason":{"type":"boolean","description":"If true, requires access requests to include a reason."},"cooldown":{"type":"integer","description":"Cooldown period in seconds before access can be re-requested."},"duration":{"type":"integer","description":"How long access is granted, in seconds."}}}}}}},"paths":{"/o/{orgId}/routing/name/{name}":{"post":{"summary":"Create a Routing Rule by Name","description":"Create a new routing rule with the specified name.","parameters":[{"name":"orgId","in":"path","required":true,"schema":{"type":"string"}},{"name":"name","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"$ref":"#/components/schemas/RoutingRule"}}}},"responses":{"200":{"description":"Routing rule created successfully.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/RoutingRule"}}}}}}}}}
```

## Update a Routing Rule by Name

> Update an existing routing rule with the specified name.

```json
{"openapi":"3.0.4","info":{"title":"P0 Routing API","version":"1.0.0"},"servers":[{"url":"https://api.p0.app"}],"security":[{"bearerAuth":[]}],"components":{"securitySchemes":{"bearerAuth":{"type":"http","scheme":"bearer","bearerFormat":"JWT"}},"schemas":{"RoutingRule":{"type":"object","properties":{"name":{"type":"string","description":"A human readable name for this routing rule"},"disabled":{"type":"boolean","description":"Whether or not the routing rule should be evaluated; if false or undefined, the rule will be evaluated"},"requestor":{"$ref":"#/components/schemas/RequestorRule"},"resource":{"$ref":"#/components/schemas/ResourceRule"},"approval":{"type":"array","items":{"$ref":"#/components/schemas/ApprovalRule"}}}},"RequestorRule":{"type":"object","description":"Controls who has access. See [the Requestor docs](https://docs.p0.dev/just-in-time-access/request-routing#requestor).","properties":{"type":{"type":"string","description":"How P0 matches requestors:\n  - 'any': Any requestor will match\n  - 'group': Members of a directory group will match\n  - 'user': Only match a single user\n"},"uid":{"type":"string","description":"May only be used if 'type' is 'user'. This is the user's email address."}}},"ResourceRule":{"type":"object","description":"Controls what is accessed. See [the Resource docs](https://docs.p0.dev/just-in-time-access/request-routing#resource).","properties":{"type":{"type":"string","description":"How P0 matches resources:\n  - 'any': Any resource\n  - 'integration': Only resources within a specified integration\n"},"service":{"type":"string","description":"May only be used if 'type' is 'integration'.\nSee [the Resource docs](https://docs.p0.dev/just-in-time-access/request-routing#resource) for a list of available services.\n"},"filters":{"type":"object","additionalProperties":{"type":"object","properties":{"effect":{"type":"string","description":"The filter effect. May be one of:\n  - 'keep': Access rule only applies to items matching this filter\n  - 'remove': Access rule only applies to items _not_ matching this filter\n  - 'removeAll': Access rule does not apply to any item with this filter key\n"},"key":{"type":"string","description":"The value being filtered. Required if the filter effect is 'keep' or 'remove'."},"value":{"type":"boolean","description":"The value being filtered. Required if it's a boolean filter."},"pattern":{"type":"string","description":"Filter patterns. Patterns are unanchored."}}}}}},"ApprovalRule":{"type":"object","description":"Determines access requirements. See [the Approval docs](https://docs.p0.dev/just-in-time-access/request-routing#approval).","properties":{"type":{"type":"string","description":"Determines trust requirements for access. If empty, access is disallowed. Except for 'deny', meeting any requirement is sufficient to grant access. Possible values:\n  - 'auto': Access is granted according to the requirements of the specified 'integration'\n  - 'deny': Access is always denied\n  - 'escalation': Access may be approved by on-call members of the specified services, who are paged when access is manually escalated by the requestor\n  - 'group': Access may be granted by any member of the defined directory group\n  - 'persistent': Access is always granted\n  - 'requestor-profile': Allows approval by a user specified by a field in the requestor's IDP profile\n  - 'p0': Access may be granted by any user with the P0 \"approver\" role (defined in the P0 app)\n"},"directory":{"type":"string","description":"May only be used if 'type' is 'requestor-profile'. One of \"azure-ad\", \"okta\", or \"workspace\"."},"integration":{"type":"string","description":"May only be used if 'type' is 'auto' or 'escalation'. Possible values:\n  - 'pagerduty': Access is granted if the requestor is on-call.\n"},"profile_property":{"type":"string","description":"May only be used if 'type' is 'requestor-profile'. This is the profile attribute that contains the manager's email."},"services":{"type":"array","items":{"type":"string"},"description":"May only be used if 'type' is 'escalation'. Defines which services to page on escalation."},"options":{"type":"object","properties":{"allow_one_party":{"type":"boolean","description":"If true, allows requestors to approve their own requests."},"require_reason":{"type":"boolean","description":"If true, requires access requests to include a reason."},"cooldown":{"type":"integer","description":"Cooldown period in seconds before access can be re-requested."},"duration":{"type":"integer","description":"How long access is granted, in seconds."}}}}}}},"paths":{"/o/{orgId}/routing/name/{name}":{"put":{"summary":"Update a Routing Rule by Name","description":"Update an existing routing rule with the specified name.","parameters":[{"name":"orgId","in":"path","required":true,"schema":{"type":"string"}},{"name":"name","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"$ref":"#/components/schemas/RoutingRule"}}}},"responses":{"200":{"description":"Routing rule updated successfully.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/RoutingRule"}}}}}}}}}
```

## Delete a Routing Rule by Name

> Delete the routing rule with the specified name.

```json
{"openapi":"3.0.4","info":{"title":"P0 Routing API","version":"1.0.0"},"servers":[{"url":"https://api.p0.app"}],"security":[{"bearerAuth":[]}],"components":{"securitySchemes":{"bearerAuth":{"type":"http","scheme":"bearer","bearerFormat":"JWT"}}},"paths":{"/o/{orgId}/routing/name/{name}":{"delete":{"summary":"Delete a Routing Rule by Name","description":"Delete the routing rule with the specified name.","parameters":[{"name":"orgId","in":"path","required":true,"schema":{"type":"string"}},{"name":"name","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"204":{"description":"Routing rule deleted successfully. No content returned."}}}}}}
```

## The WorkflowConfig object

```json
{"openapi":"3.0.4","info":{"title":"P0 Routing API","version":"1.0.0"},"components":{"schemas":{"WorkflowConfig":{"type":"object","properties":{"id":{"type":"string"},"createdDate":{"type":"string","format":"date-time"},"rules":{"type":"array","items":{"$ref":"#/components/schemas/RoutingRule"}}}},"RoutingRule":{"type":"object","properties":{"name":{"type":"string","description":"A human readable name for this routing rule"},"disabled":{"type":"boolean","description":"Whether or not the routing rule should be evaluated; if false or undefined, the rule will be evaluated"},"requestor":{"$ref":"#/components/schemas/RequestorRule"},"resource":{"$ref":"#/components/schemas/ResourceRule"},"approval":{"type":"array","items":{"$ref":"#/components/schemas/ApprovalRule"}}}},"RequestorRule":{"type":"object","description":"Controls who has access. See [the Requestor docs](https://docs.p0.dev/just-in-time-access/request-routing#requestor).","properties":{"type":{"type":"string","description":"How P0 matches requestors:\n  - 'any': Any requestor will match\n  - 'group': Members of a directory group will match\n  - 'user': Only match a single user\n"},"uid":{"type":"string","description":"May only be used if 'type' is 'user'. This is the user's email address."}}},"ResourceRule":{"type":"object","description":"Controls what is accessed. See [the Resource docs](https://docs.p0.dev/just-in-time-access/request-routing#resource).","properties":{"type":{"type":"string","description":"How P0 matches resources:\n  - 'any': Any resource\n  - 'integration': Only resources within a specified integration\n"},"service":{"type":"string","description":"May only be used if 'type' is 'integration'.\nSee [the Resource docs](https://docs.p0.dev/just-in-time-access/request-routing#resource) for a list of available services.\n"},"filters":{"type":"object","additionalProperties":{"type":"object","properties":{"effect":{"type":"string","description":"The filter effect. May be one of:\n  - 'keep': Access rule only applies to items matching this filter\n  - 'remove': Access rule only applies to items _not_ matching this filter\n  - 'removeAll': Access rule does not apply to any item with this filter key\n"},"key":{"type":"string","description":"The value being filtered. Required if the filter effect is 'keep' or 'remove'."},"value":{"type":"boolean","description":"The value being filtered. Required if it's a boolean filter."},"pattern":{"type":"string","description":"Filter patterns. Patterns are unanchored."}}}}}},"ApprovalRule":{"type":"object","description":"Determines access requirements. See [the Approval docs](https://docs.p0.dev/just-in-time-access/request-routing#approval).","properties":{"type":{"type":"string","description":"Determines trust requirements for access. If empty, access is disallowed. Except for 'deny', meeting any requirement is sufficient to grant access. Possible values:\n  - 'auto': Access is granted according to the requirements of the specified 'integration'\n  - 'deny': Access is always denied\n  - 'escalation': Access may be approved by on-call members of the specified services, who are paged when access is manually escalated by the requestor\n  - 'group': Access may be granted by any member of the defined directory group\n  - 'persistent': Access is always granted\n  - 'requestor-profile': Allows approval by a user specified by a field in the requestor's IDP profile\n  - 'p0': Access may be granted by any user with the P0 \"approver\" role (defined in the P0 app)\n"},"directory":{"type":"string","description":"May only be used if 'type' is 'requestor-profile'. One of \"azure-ad\", \"okta\", or \"workspace\"."},"integration":{"type":"string","description":"May only be used if 'type' is 'auto' or 'escalation'. Possible values:\n  - 'pagerduty': Access is granted if the requestor is on-call.\n"},"profile_property":{"type":"string","description":"May only be used if 'type' is 'requestor-profile'. This is the profile attribute that contains the manager's email."},"services":{"type":"array","items":{"type":"string"},"description":"May only be used if 'type' is 'escalation'. Defines which services to page on escalation."},"options":{"type":"object","properties":{"allow_one_party":{"type":"boolean","description":"If true, allows requestors to approve their own requests."},"require_reason":{"type":"boolean","description":"If true, requires access requests to include a reason."},"cooldown":{"type":"integer","description":"Cooldown period in seconds before access can be re-requested."},"duration":{"type":"integer","description":"How long access is granted, in seconds."}}}}}}}}
```

## The WorkflowConfigWithMeta object

```json
{"openapi":"3.0.4","info":{"title":"P0 Routing API","version":"1.0.0"},"components":{"schemas":{"WorkflowConfigWithMeta":{"allOf":[{"$ref":"#/components/schemas/WorkflowConfig"},{"type":"object","properties":{"id":{"type":"string"},"createdDate":{"type":"string","format":"date-time"}}}]},"WorkflowConfig":{"type":"object","properties":{"id":{"type":"string"},"createdDate":{"type":"string","format":"date-time"},"rules":{"type":"array","items":{"$ref":"#/components/schemas/RoutingRule"}}}},"RoutingRule":{"type":"object","properties":{"name":{"type":"string","description":"A human readable name for this routing rule"},"disabled":{"type":"boolean","description":"Whether or not the routing rule should be evaluated; if false or undefined, the rule will be evaluated"},"requestor":{"$ref":"#/components/schemas/RequestorRule"},"resource":{"$ref":"#/components/schemas/ResourceRule"},"approval":{"type":"array","items":{"$ref":"#/components/schemas/ApprovalRule"}}}},"RequestorRule":{"type":"object","description":"Controls who has access. See [the Requestor docs](https://docs.p0.dev/just-in-time-access/request-routing#requestor).","properties":{"type":{"type":"string","description":"How P0 matches requestors:\n  - 'any': Any requestor will match\n  - 'group': Members of a directory group will match\n  - 'user': Only match a single user\n"},"uid":{"type":"string","description":"May only be used if 'type' is 'user'. This is the user's email address."}}},"ResourceRule":{"type":"object","description":"Controls what is accessed. See [the Resource docs](https://docs.p0.dev/just-in-time-access/request-routing#resource).","properties":{"type":{"type":"string","description":"How P0 matches resources:\n  - 'any': Any resource\n  - 'integration': Only resources within a specified integration\n"},"service":{"type":"string","description":"May only be used if 'type' is 'integration'.\nSee [the Resource docs](https://docs.p0.dev/just-in-time-access/request-routing#resource) for a list of available services.\n"},"filters":{"type":"object","additionalProperties":{"type":"object","properties":{"effect":{"type":"string","description":"The filter effect. May be one of:\n  - 'keep': Access rule only applies to items matching this filter\n  - 'remove': Access rule only applies to items _not_ matching this filter\n  - 'removeAll': Access rule does not apply to any item with this filter key\n"},"key":{"type":"string","description":"The value being filtered. Required if the filter effect is 'keep' or 'remove'."},"value":{"type":"boolean","description":"The value being filtered. Required if it's a boolean filter."},"pattern":{"type":"string","description":"Filter patterns. Patterns are unanchored."}}}}}},"ApprovalRule":{"type":"object","description":"Determines access requirements. See [the Approval docs](https://docs.p0.dev/just-in-time-access/request-routing#approval).","properties":{"type":{"type":"string","description":"Determines trust requirements for access. If empty, access is disallowed. Except for 'deny', meeting any requirement is sufficient to grant access. Possible values:\n  - 'auto': Access is granted according to the requirements of the specified 'integration'\n  - 'deny': Access is always denied\n  - 'escalation': Access may be approved by on-call members of the specified services, who are paged when access is manually escalated by the requestor\n  - 'group': Access may be granted by any member of the defined directory group\n  - 'persistent': Access is always granted\n  - 'requestor-profile': Allows approval by a user specified by a field in the requestor's IDP profile\n  - 'p0': Access may be granted by any user with the P0 \"approver\" role (defined in the P0 app)\n"},"directory":{"type":"string","description":"May only be used if 'type' is 'requestor-profile'. One of \"azure-ad\", \"okta\", or \"workspace\"."},"integration":{"type":"string","description":"May only be used if 'type' is 'auto' or 'escalation'. Possible values:\n  - 'pagerduty': Access is granted if the requestor is on-call.\n"},"profile_property":{"type":"string","description":"May only be used if 'type' is 'requestor-profile'. This is the profile attribute that contains the manager's email."},"services":{"type":"array","items":{"type":"string"},"description":"May only be used if 'type' is 'escalation'. Defines which services to page on escalation."},"options":{"type":"object","properties":{"allow_one_party":{"type":"boolean","description":"If true, allows requestors to approve their own requests."},"require_reason":{"type":"boolean","description":"If true, requires access requests to include a reason."},"cooldown":{"type":"integer","description":"Cooldown period in seconds before access can be re-requested."},"duration":{"type":"integer","description":"How long access is granted, in seconds."}}}}}}}}
```

## The RoutingRule object

```json
{"openapi":"3.0.4","info":{"title":"P0 Routing API","version":"1.0.0"},"components":{"schemas":{"RoutingRule":{"type":"object","properties":{"name":{"type":"string","description":"A human readable name for this routing rule"},"disabled":{"type":"boolean","description":"Whether or not the routing rule should be evaluated; if false or undefined, the rule will be evaluated"},"requestor":{"$ref":"#/components/schemas/RequestorRule"},"resource":{"$ref":"#/components/schemas/ResourceRule"},"approval":{"type":"array","items":{"$ref":"#/components/schemas/ApprovalRule"}}}},"RequestorRule":{"type":"object","description":"Controls who has access. See [the Requestor docs](https://docs.p0.dev/just-in-time-access/request-routing#requestor).","properties":{"type":{"type":"string","description":"How P0 matches requestors:\n  - 'any': Any requestor will match\n  - 'group': Members of a directory group will match\n  - 'user': Only match a single user\n"},"uid":{"type":"string","description":"May only be used if 'type' is 'user'. This is the user's email address."}}},"ResourceRule":{"type":"object","description":"Controls what is accessed. See [the Resource docs](https://docs.p0.dev/just-in-time-access/request-routing#resource).","properties":{"type":{"type":"string","description":"How P0 matches resources:\n  - 'any': Any resource\n  - 'integration': Only resources within a specified integration\n"},"service":{"type":"string","description":"May only be used if 'type' is 'integration'.\nSee [the Resource docs](https://docs.p0.dev/just-in-time-access/request-routing#resource) for a list of available services.\n"},"filters":{"type":"object","additionalProperties":{"type":"object","properties":{"effect":{"type":"string","description":"The filter effect. May be one of:\n  - 'keep': Access rule only applies to items matching this filter\n  - 'remove': Access rule only applies to items _not_ matching this filter\n  - 'removeAll': Access rule does not apply to any item with this filter key\n"},"key":{"type":"string","description":"The value being filtered. Required if the filter effect is 'keep' or 'remove'."},"value":{"type":"boolean","description":"The value being filtered. Required if it's a boolean filter."},"pattern":{"type":"string","description":"Filter patterns. Patterns are unanchored."}}}}}},"ApprovalRule":{"type":"object","description":"Determines access requirements. See [the Approval docs](https://docs.p0.dev/just-in-time-access/request-routing#approval).","properties":{"type":{"type":"string","description":"Determines trust requirements for access. If empty, access is disallowed. Except for 'deny', meeting any requirement is sufficient to grant access. Possible values:\n  - 'auto': Access is granted according to the requirements of the specified 'integration'\n  - 'deny': Access is always denied\n  - 'escalation': Access may be approved by on-call members of the specified services, who are paged when access is manually escalated by the requestor\n  - 'group': Access may be granted by any member of the defined directory group\n  - 'persistent': Access is always granted\n  - 'requestor-profile': Allows approval by a user specified by a field in the requestor's IDP profile\n  - 'p0': Access may be granted by any user with the P0 \"approver\" role (defined in the P0 app)\n"},"directory":{"type":"string","description":"May only be used if 'type' is 'requestor-profile'. One of \"azure-ad\", \"okta\", or \"workspace\"."},"integration":{"type":"string","description":"May only be used if 'type' is 'auto' or 'escalation'. Possible values:\n  - 'pagerduty': Access is granted if the requestor is on-call.\n"},"profile_property":{"type":"string","description":"May only be used if 'type' is 'requestor-profile'. This is the profile attribute that contains the manager's email."},"services":{"type":"array","items":{"type":"string"},"description":"May only be used if 'type' is 'escalation'. Defines which services to page on escalation."},"options":{"type":"object","properties":{"allow_one_party":{"type":"boolean","description":"If true, allows requestors to approve their own requests."},"require_reason":{"type":"boolean","description":"If true, requires access requests to include a reason."},"cooldown":{"type":"integer","description":"Cooldown period in seconds before access can be re-requested."},"duration":{"type":"integer","description":"How long access is granted, in seconds."}}}}}}}}
```

## The RequestorRule object

```json
{"openapi":"3.0.4","info":{"title":"P0 Routing API","version":"1.0.0"},"components":{"schemas":{"RequestorRule":{"type":"object","description":"Controls who has access. See [the Requestor docs](https://docs.p0.dev/just-in-time-access/request-routing#requestor).","properties":{"type":{"type":"string","description":"How P0 matches requestors:\n  - 'any': Any requestor will match\n  - 'group': Members of a directory group will match\n  - 'user': Only match a single user\n"},"uid":{"type":"string","description":"May only be used if 'type' is 'user'. This is the user's email address."}}}}}}
```

## The ResourceRule object

```json
{"openapi":"3.0.4","info":{"title":"P0 Routing API","version":"1.0.0"},"components":{"schemas":{"ResourceRule":{"type":"object","description":"Controls what is accessed. See [the Resource docs](https://docs.p0.dev/just-in-time-access/request-routing#resource).","properties":{"type":{"type":"string","description":"How P0 matches resources:\n  - 'any': Any resource\n  - 'integration': Only resources within a specified integration\n"},"service":{"type":"string","description":"May only be used if 'type' is 'integration'.\nSee [the Resource docs](https://docs.p0.dev/just-in-time-access/request-routing#resource) for a list of available services.\n"},"filters":{"type":"object","additionalProperties":{"type":"object","properties":{"effect":{"type":"string","description":"The filter effect. May be one of:\n  - 'keep': Access rule only applies to items matching this filter\n  - 'remove': Access rule only applies to items _not_ matching this filter\n  - 'removeAll': Access rule does not apply to any item with this filter key\n"},"key":{"type":"string","description":"The value being filtered. Required if the filter effect is 'keep' or 'remove'."},"value":{"type":"boolean","description":"The value being filtered. Required if it's a boolean filter."},"pattern":{"type":"string","description":"Filter patterns. Patterns are unanchored."}}}}}}}}}
```

## The ApprovalRule object

```json
{"openapi":"3.0.4","info":{"title":"P0 Routing API","version":"1.0.0"},"components":{"schemas":{"ApprovalRule":{"type":"object","description":"Determines access requirements. See [the Approval docs](https://docs.p0.dev/just-in-time-access/request-routing#approval).","properties":{"type":{"type":"string","description":"Determines trust requirements for access. If empty, access is disallowed. Except for 'deny', meeting any requirement is sufficient to grant access. Possible values:\n  - 'auto': Access is granted according to the requirements of the specified 'integration'\n  - 'deny': Access is always denied\n  - 'escalation': Access may be approved by on-call members of the specified services, who are paged when access is manually escalated by the requestor\n  - 'group': Access may be granted by any member of the defined directory group\n  - 'persistent': Access is always granted\n  - 'requestor-profile': Allows approval by a user specified by a field in the requestor's IDP profile\n  - 'p0': Access may be granted by any user with the P0 \"approver\" role (defined in the P0 app)\n"},"directory":{"type":"string","description":"May only be used if 'type' is 'requestor-profile'. One of \"azure-ad\", \"okta\", or \"workspace\"."},"integration":{"type":"string","description":"May only be used if 'type' is 'auto' or 'escalation'. Possible values:\n  - 'pagerduty': Access is granted if the requestor is on-call.\n"},"profile_property":{"type":"string","description":"May only be used if 'type' is 'requestor-profile'. This is the profile attribute that contains the manager's email."},"services":{"type":"array","items":{"type":"string"},"description":"May only be used if 'type' is 'escalation'. Defines which services to page on escalation."},"options":{"type":"object","properties":{"allow_one_party":{"type":"boolean","description":"If true, allows requestors to approve their own requests."},"require_reason":{"type":"boolean","description":"If true, requires access requests to include a reason."},"cooldown":{"type":"integer","description":"Cooldown period in seconds before access can be re-requested."},"duration":{"type":"integer","description":"How long access is granted, in seconds."}}}}}}}}
```
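
The schema descriptions above carry several review-worthy semantics: meeting any one approval entry grants access, `persistent` always grants, `allow_one_party` permits self-approval, and filter patterns are unanchored. As an added example (not P0's own code), the Python below lints a WorkflowConfig for those conditions; the finding codes, the 8-hour duration threshold, the sample names, and the assumption that patterns use regex `^`/`$` anchors are illustrative.

```python
MAX_DURATION = 8 * 3600  # assumed review threshold in seconds, not a P0 limit
# "May only be used if 'type' is ..." constraints from the ApprovalRule schema.
FIELD_TYPES = {"directory": {"requestor-profile"},
               "profile_property": {"requestor-profile"},
               "integration": {"auto", "escalation"}, "services": {"escalation"}}
APPROVAL_TYPES = {"auto", "deny", "escalation", "group",
                  "persistent", "requestor-profile", "p0"}


def audit_rule(rule, max_duration=MAX_DURATION):
    """Return sorted finding codes for one RoutingRule dict."""
    if rule.get("disabled"):  # disabled rules are not evaluated
        return []
    codes = set()
    requestor, resource = rule.get("requestor", {}), rule.get("resource", {})
    if ("uid" in requestor and requestor.get("type") != "user") or (
            "service" in resource and resource.get("type") != "integration"):
        codes.add("FIELD_TYPE_MISMATCH")
    for flt in resource.get("filters", {}).values():
        effect, pattern = flt.get("effect"), flt.get("pattern", "")
        if effect in ("keep", "remove") and "key" not in flt:
            codes.add("FILTER_MISSING_KEY")
        # Patterns are unanchored, so a 'keep' on "prod" also keeps "nonprod".
        # Assumption: regex syntax, where ^ and $ pin the match to the whole value.
        anchored = pattern.startswith("^") and pattern.endswith("$")
        if effect == "keep" and pattern and not anchored:
            codes.add("UNANCHORED_KEEP_PATTERN")
    for approval in rule.get("approval", []):
        kind, options = approval.get("type"), approval.get("options", {})
        if kind not in APPROVAL_TYPES:
            codes.add("UNKNOWN_APPROVAL_TYPE")
            continue
        for field, allowed in FIELD_TYPES.items():
            if field in approval and kind not in allowed:
                codes.add("FIELD_TYPE_MISMATCH")
        if kind == "deny":
            continue  # nothing is granted, so skip the grant-side checks
        # Meeting any one entry grants access, so the weakest entry decides.
        if kind == "persistent":
            codes.add("ALWAYS_GRANTED")
        if options.get("allow_one_party"):
            codes.add("SELF_APPROVAL")
        if not options.get("require_reason"):
            codes.add("NO_REASON_REQUIRED")
        if options.get("duration", 0) > max_duration:
            codes.add("LONG_DURATION")
    return sorted(codes)


def audit_config(config, max_duration=MAX_DURATION):
    """Map rule name -> finding codes for each rule that has findings."""
    results = ((r.get("name", "<unnamed>"), audit_rule(r, max_duration))
               for r in config.get("rules", []))
    return {name: codes for name, codes in results if codes}


def _env(pattern):  # constructed ResourceRule with a 'keep' filter on "env"
    return {"type": "integration", "service": "example-service",
            "filters": {"env": {"effect": "keep", "key": "env", "pattern": pattern}}}


# Constructed sample in the WorkflowConfig shape; every name is a placeholder.
SAMPLE_CONFIG = {"id": "example-config", "rules": [
    {"name": "prod-manager", "requestor": {"type": "any"}, "resource": _env("^prod$"),
     "approval": [{"type": "requestor-profile", "directory": "okta",
                   "profile_property": "manager",
                   "options": {"require_reason": True, "duration": 3600}}]},
    {"name": "staging-open", "requestor": {"type": "any"}, "resource": _env("staging"),
     "approval": [{"type": "p0", "options": {"allow_one_party": True, "duration": 86400}},
                  {"type": "persistent", "services": ["example-oncall"]}]},
]}

if __name__ == "__main__":
    print(audit_config(SAMPLE_CONFIG))
```

Running the same check against the output of the Get Routing Configuration endpoint before and after each rule update gives a reviewable diff of what a change weakens.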
