
# Policy schema

> The sentinel.v1.Policy message structure

The `sentinel.v1.Policy` message is the unit of middleware configuration. Each policy combines match expressions with exactly one policy configuration.

## Fields

<ResponseField name="id" type="string">
  Stable identifier used in logs, metrics, and troubleshooting. Must be unique within a deployment's policy list.
</ResponseField>

<ResponseField name="name" type="string">
  Human-readable label for display in the dashboard and logs.
</ResponseField>

<ResponseField name="enabled" type="bool">
  When false, sentinel skips this policy during evaluation. Defaults to true if not set. This lets you disable a misbehaving policy during an incident without removing it from the config.
</ResponseField>

<ResponseField name="match" type="MatchExpr[]">
  List of match expressions. All entries must match for the policy to execute (AND semantics). An empty list matches all requests. See [match expressions](/architecture/services/sentinel/policies/match-expressions).
</ResponseField>

<ResponseField name="config" type="oneof">
  Exactly one policy configuration. Options: `keyauth`, `jwtauth`, `ratelimit`, `firewall`, `openapi`.
</ResponseField>

## Example

A minimal policy that authenticates all requests:

```json
{
  "policies": [
    {
      "id": "api-auth",
      "name": "Authenticate all requests",
      "enabled": true,
      "match": [],
      "keyauth": {
        "key_space_ids": ["ks_abc123"],
        "locations": [{ "bearer": {} }]
      }
    }
  ]
}
```

## Evaluation behavior

* Policies are evaluated in declaration order.
* If a policy rejects the request, evaluation stops immediately.
* Unknown `config` types are skipped (forward compatibility).
* Disabled policies are skipped without evaluating match expressions.
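
The rules above mean a mistyped config key or a disabled policy drops out of evaluation silently instead of producing an error. The following pre-deployment lint is an added example, not Unkey's code. It assumes the JSON layout shown in the example on this page, with the config as a top-level key of each policy. The function name, finding codes and sample policies are hypothetical, and the empty config bodies are placeholders.

```python
import json

# Config names listed under "Fields"; per "Evaluation behavior", anything else is skipped.
KNOWN_CONFIGS = {"keyauth", "jwtauth", "ratelimit", "firewall", "openapi"}
BASE_FIELDS = {"id", "name", "enabled", "match"}
AUTH_CONFIGS = {"keyauth", "jwtauth"}

def lint_policies(doc):
    """Return (findings, effective).

    findings:  list of (policy id, code) tuples worth a reviewer's attention.
    effective: ids of policies that would be evaluated, in declaration order.
    """
    findings, effective, seen = [], [], set()
    for index, policy in enumerate(doc.get("policies", [])):
        pid = policy.get("id") or f"<index {index}>"
        if pid in seen:
            findings.append((pid, "duplicate-id"))
        seen.add(pid)

        # Assumption: every non-base key is the policy's config (the oneof).
        configs = [k for k in policy if k not in BASE_FIELDS]
        known = [k for k in configs if k in KNOWN_CONFIGS]
        if len(known) != len(configs):
            findings.append((pid, "unknown-config"))   # skipped, not rejected
        if len(known) != 1:
            findings.append((pid, "config-count"))     # oneof needs exactly one
            continue
        # "enabled" defaults to true when absent.
        if not policy.get("enabled", True):
            if known[0] in AUTH_CONFIGS:
                findings.append((pid, "auth-disabled"))
            continue
        effective.append(pid)
    return findings, effective

# Constructed sample: a typo in the config key, a disabled auth policy,
# a valid policy relying on the enabled default, and a reused id.
SAMPLE = json.loads("""
{"policies": [
  {"id": "api-auth", "match": [], "keyauht": {"key_space_ids": ["ks_abc123"]}},
  {"id": "jwt", "enabled": false, "match": [], "jwtauth": {}},
  {"id": "limits", "match": [], "ratelimit": {}},
  {"id": "limits", "match": [], "firewall": {}, "openapi": {}}
]}
""")
```

For the constructed sample the effective list contains only the rate-limit policy, so no authentication policy would run; a deployment check can fail on that condition.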
