The sentinel.v1.Policy message is the unit of middleware configuration. Each policy combines match expressions with exactly one policy configuration.

Fields

id (string)
Stable identifier used in logs, metrics, and troubleshooting. Must be unique within a deployment’s policy list.

name (string)
Human-readable label for display in the dashboard and logs.

enabled (bool)
When false, sentinel skips this policy during evaluation. Defaults to true if not set. This lets you disable a misbehaving policy during an incident without removing it from the config.

match (MatchExpr[])
List of match expressions. All entries must match for the policy to execute (AND semantics). An empty list matches all requests. See match expressions.

config (oneof)
Exactly one policy configuration. Options: keyauth, jwtauth, basicauth, ratelimit, ip_rules, openapi.

Example

A minimal policy that authenticates all requests:
{
  "policies": [
    {
      "id": "api-auth",
      "name": "Authenticate all requests",
      "enabled": true,
      "match": [],
      "keyauth": {
        "key_space_ids": ["ks_abc123"],
        "locations": [{ "bearer": {} }]
      }
    }
  ]
}

Evaluation behavior

  • Policies are evaluated in declaration order.
  • If a policy rejects the request, evaluation stops immediately.
  • Unknown config types are skipped (forward compatibility).
  • Disabled policies are skipped without evaluating match expressions.
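
Because unknown config types and disabled policies are skipped without an error, a misspelled config key or a forgotten "enabled": false leaves requests unchecked. The following pre-deploy check is an added example, not part of sentinel. The name lint_policies, the grouping of keyauth, jwtauth and basicauth as authentication configs, and the rule that any key outside the four documented fields counts as a config type are assumptions.

```python
import json

# Field names and config options as listed on this page.
BASE_FIELDS = {"id", "name", "enabled", "match"}
KNOWN_CONFIGS = {"keyauth", "jwtauth", "basicauth", "ratelimit", "ip_rules", "openapi"}
AUTH_CONFIGS = {"keyauth", "jwtauth", "basicauth"}  # assumption: auth group, judged by name


def lint_policies(doc):
    """Return (policy_id, finding) pairs for a parsed policy document (hypothetical helper)."""
    findings, seen = [], set()
    for index, policy in enumerate(doc.get("policies", [])):
        pid = policy.get("id") or f"<index {index}>"
        if pid in seen:
            findings.append((pid, "duplicate id"))
        seen.add(pid)
        # Assumption: every key that is not a documented field is a config type.
        configs = [key for key in policy if key not in BASE_FIELDS]
        known = [key for key in configs if key in KNOWN_CONFIGS]
        for key in configs:
            if key not in KNOWN_CONFIGS:
                # Unknown config types are skipped, so a typo means no enforcement.
                findings.append((pid, f"unknown config '{key}' would be skipped"))
        if len(known) != 1:
            findings.append((pid, f"expected exactly one config, found {len(known)}"))
        # enabled defaults to true when the field is absent.
        if not policy.get("enabled", True) and set(known) & AUTH_CONFIGS:
            findings.append((pid, "auth policy is disabled"))
    return findings


# Constructed sample input, not a real deployment's configuration.
SAMPLE = json.loads("""
{"policies": [
  {"id": "api-auth", "name": "Authenticate all requests", "enabled": true,
   "match": [], "keyauth": {"key_space_ids": ["ks_abc123"], "locations": [{"bearer": {}}]}},
  {"id": "admin-auth", "name": "Typo in config key", "match": [], "jwt_auth": {}},
  {"id": "api-auth", "name": "Disabled during incident", "enabled": false,
   "match": [], "basicauth": {}}
]}
""")

if __name__ == "__main__":
    for pid, finding in lint_policies(SAMPLE):
        print(f"{pid}: {finding}")
```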