search
Ctrlk

API Reference

REST API reference for the Approval Workflow Engine — rendered directly from the live OpenAPI 3.1 spec committed to the repo.

Base path: /v1/awe/. The spec below is rendered from the live docs/openapi.jsonarrow-up-right. CI regenerates it from the FastAPI app on every src/-touching push, so endpoint signatures, response shapes, status-code descriptions, and the error-code catalog stay in lockstep with the code. This page does not duplicate any of that in prose.

A running instance also exposes the live spec at /v1/awe/openapi.json and interactive UIs at /v1/awe/docs (Swagger) and /v1/awe/redoc.

hashtag
Health / readiness probe

get
Responses
chevron-right
200

Service is ready.

application/json
idstringOptionalDefault: openg2p.aweExample: openg2p.awe
versionstringOptionalDefault: 1.0Example: 1.0
responsetimestringRequiredExample: 2026-04-23T10:00:00.000Z
get
/v1/awe/health

hashtag
Service version + build metadata

get
Responses
chevron-right
200

Successful Response

application/json
idstringOptionalDefault: openg2p.aweExample: openg2p.awe
versionstringOptionalDefault: 1.0Example: 1.0
responsetimestringRequiredExample: 2026-04-23T10:00:00.000Z
get
/v1/awe/version
200

Successful Response

hashtag
Effective non-sensitive configuration

get
Responses
chevron-right
200

Successful Response

application/json
anyOptional
get
/v1/awe/config
200

Successful Response

No content

hashtag
Create the first draft of a new policy

post
Authorizations
AuthorizationstringRequired
Bearer authentication header of the form Bearer <token>.
Body
policy_keystringRequiredExample: registry.change_request.v1
namestringRequiredExample: Registry CR approval
descriptionany ofOptional
stringOptional
or
nullOptional
artifact_typestringRequiredExample: registry.change_request
forbid_self_approvalbooleanOptional

Filter the request's requester out of every stage's approver list.

Default: false
forbid_repeat_approversbooleanOptional

Filter users who approved an earlier stage out of later stages.

Default: false
Responses
post
/v1/awe/policies

hashtag
List policies (newest version of each policy_key)

get
Authorizations
AuthorizationstringRequired
Bearer authentication header of the form Bearer <token>.
Responses
chevron-right
200

Successful Response

application/json
idstringRequired
policy_keystringRequired
versionintegerRequired
namestringRequired
descriptionany ofOptional
stringOptional
or
nullOptional
statusstringRequired
artifact_typestringRequired
forbid_self_approvalbooleanOptionalDefault: false
forbid_repeat_approversbooleanOptionalDefault: false
created_byany ofOptional
stringOptional
or
nullOptional
created_atstring · date-timeRequired
updated_atstring · date-timeRequired
get
/v1/awe/policies
200

Successful Response

hashtag
List all versions of a policy_key

get
Authorizations
AuthorizationstringRequired
Bearer authentication header of the form Bearer <token>.
Path parameters
policy_keystringRequired
Responses
chevron-right
200

Successful Response

application/json
idstringRequired
policy_keystringRequired
versionintegerRequired
statusstringRequired
created_atstring · date-timeRequired
get
/v1/awe/policies/{policy_key}/versions

hashtag
Fetch a specific policy version with stages and rules

get
Authorizations
AuthorizationstringRequired
Bearer authentication header of the form Bearer <token>.
Path parameters
policy_keystringRequired
versionintegerRequired
Responses
chevron-right
200

Successful Response

application/json
idstringRequired
policy_keystringRequired
versionintegerRequired
namestringRequired
descriptionany ofOptional
stringOptional
or
nullOptional
statusstringRequired
artifact_typestringRequired
forbid_self_approvalbooleanOptionalDefault: false
forbid_repeat_approversbooleanOptionalDefault: false
created_byany ofOptional
stringOptional
or
nullOptional
created_atstring · date-timeRequired
updated_atstring · date-timeRequired
get
/v1/awe/policies/{policy_key}/versions/{version}

hashtag
Edit a draft version in place (drafts only)

patch
Authorizations
AuthorizationstringRequired
Bearer authentication header of the form Bearer <token>.
Path parameters
policy_keystringRequired
versionintegerRequired
Body
policy_keystringRequiredExample: registry.change_request.v1
namestringRequiredExample: Registry CR approval
descriptionany ofOptional
stringOptional
or
nullOptional
artifact_typestringRequiredExample: registry.change_request
forbid_self_approvalbooleanOptional

Filter the request's requester out of every stage's approver list.

Default: false
forbid_repeat_approversbooleanOptional

Filter users who approved an earlier stage out of later stages.

Default: false
Responses
chevron-right
200

Successful Response

application/json
idstringRequired
policy_keystringRequired
versionintegerRequired
namestringRequired
descriptionany ofOptional
stringOptional
or
nullOptional
statusstringRequired
artifact_typestringRequired
forbid_self_approvalbooleanOptionalDefault: false
forbid_repeat_approversbooleanOptionalDefault: false
created_byany ofOptional
stringOptional
or
nullOptional
created_atstring · date-timeRequired
updated_atstring · date-timeRequired
patch
/v1/awe/policies/{policy_key}/versions/{version}

hashtag
Activate a specific version (archives the previously active one)

post
Authorizations
AuthorizationstringRequired
Bearer authentication header of the form Bearer <token>.
Path parameters
policy_keystringRequired
versionintegerRequired
Responses
chevron-right
200

Successful Response

application/json
idstringRequired
policy_keystringRequired
versionintegerRequired
namestringRequired
descriptionany ofOptional
stringOptional
or
nullOptional
statusstringRequired
artifact_typestringRequired
forbid_self_approvalbooleanOptionalDefault: false
forbid_repeat_approversbooleanOptionalDefault: false
created_byany ofOptional
stringOptional
or
nullOptional
created_atstring · date-timeRequired
updated_atstring · date-timeRequired
post
/v1/awe/policies/{policy_key}/versions/{version}/activate

hashtag
Add a new draft version under an existing policy_key

put
Authorizations
AuthorizationstringRequired
Bearer authentication header of the form Bearer <token>.
Path parameters
policy_keystringRequired
Body
policy_keystringRequiredExample: registry.change_request.v1
namestringRequiredExample: Registry CR approval
descriptionany ofOptional
stringOptional
or
nullOptional
artifact_typestringRequiredExample: registry.change_request
forbid_self_approvalbooleanOptional

Filter the request's requester out of every stage's approver list.

Default: false
forbid_repeat_approversbooleanOptional

Filter users who approved an earlier stage out of later stages.

Default: false
Responses
put
/v1/awe/policies/{policy_key}

hashtag
Search requests by artifact reference and/or status

get
Authorizations
AuthorizationstringRequired
Bearer authentication header of the form Bearer <token>.
Query parameters
artifact_typeany ofOptional
stringOptional
or
nullOptional
artifact_idany ofOptional
stringOptional
or
nullOptional
statusany ofOptional
stringOptional
or
nullOptional
limitinteger · min: 1 · max: 500OptionalDefault: 50
Responses
chevron-right
200

Successful Response

application/json
idstringRequired
policy_idstringRequired
policy_keystringRequired
policy_versionintegerRequired
artifact_typestringRequired
artifact_idstringRequired
source_servicestringRequired
requesterany ofOptional
stringOptional
or
nullOptional
statusstringRequired
current_stage_orderintegerRequired
callback_urlany ofOptional
stringOptional
or
nullOptional
completed_atany ofOptional
string · date-timeOptional
or
nullOptional
created_atstring · date-timeRequired
updated_atstring · date-timeRequired
get
/v1/awe/requests

hashtag
Resolve approvers for a sample context — no DB writes

post
Authorizations
AuthorizationstringRequired
Bearer authentication header of the form Bearer <token>.
Path parameters
policy_keystringRequired
versionintegerRequired
Body
Responses
chevron-right
200

Successful Response

application/json
policy_idstringRequired
policy_versionintegerRequired
post
/v1/awe/policies/{policy_key}/versions/{version}/simulate

hashtag
Create an approval request for a caller-owned artifact

post
Authorizations
AuthorizationstringRequired
Bearer authentication header of the form Bearer <token>.
Header parameters
Idempotency-Keyany ofOptional
stringOptional
or
nullOptional
Body
policy_keystringRequiredExample: registry.change_request.v1
artifact_typestringRequiredExample: registry.change_request
artifact_idstringRequiredExample: cr-42
callback_urlany ofOptionalExample: https://registry/internal/approval-callbacks
stringOptional
or
nullOptional
callback_secret_idany ofOptional
stringOptional
or
nullOptional
requesterany ofOptionalExample: u-alice
stringOptional
or
nullOptional
Responses
post
/v1/awe/requests

hashtag
Fetch an approval request by id

get
Authorizations
AuthorizationstringRequired
Bearer authentication header of the form Bearer <token>.
Path parameters
request_idstringRequired
Responses
chevron-right
200

Successful Response

application/json
idstringRequired
policy_idstringRequired
policy_keystringRequired
policy_versionintegerRequired
artifact_typestringRequired
artifact_idstringRequired
source_servicestringRequired
requesterany ofOptional
stringOptional
or
nullOptional
statusstringRequired
current_stage_orderintegerRequired
callback_urlany ofOptional
stringOptional
or
nullOptional
completed_atany ofOptional
string · date-timeOptional
or
nullOptional
created_atstring · date-timeRequired
updated_atstring · date-timeRequired
get
/v1/awe/requests/{request_id}

hashtag
Cancel an in-flight approval request (admin only)

post
Authorizations
AuthorizationstringRequired
Bearer authentication header of the form Bearer <token>.
Path parameters
request_idstringRequired
Body
reasonany ofOptional
stringOptional
or
nullOptional
actorany ofOptional
stringOptional
or
nullOptional
Responses
chevron-right
200

Successful Response

application/json
idstringRequired
policy_idstringRequired
policy_keystringRequired
policy_versionintegerRequired
artifact_typestringRequired
artifact_idstringRequired
source_servicestringRequired
requesterany ofOptional
stringOptional
or
nullOptional
statusstringRequired
current_stage_orderintegerRequired
callback_urlany ofOptional
stringOptional
or
nullOptional
completed_atany ofOptional
string · date-timeOptional
or
nullOptional
created_atstring · date-timeRequired
updated_atstring · date-timeRequired
post
/v1/awe/requests/{request_id}/cancel

hashtag
Timeline of every event for a request (audit log)

get
Authorizations
AuthorizationstringRequired
Bearer authentication header of the form Bearer <token>.
Path parameters
request_idstringRequired
Responses
chevron-right
200

Successful Response

application/json
idstringRequired
request_idstringRequired
event_typestringRequired
created_atstring · date-timeRequired
get
/v1/awe/requests/{request_id}/events

hashtag
List tasks — by assignee (default = me) and/or by request_id

get
Authorizations
AuthorizationstringRequired
Bearer authentication header of the form Bearer <token>.
Query parameters
assigneeany ofOptional

Filter by assignee. Default me resolves to the token's sub. Pass * (or any non-me value) plus request_id to enumerate all tasks for a given request — used by the admin Request Detail page.

Default: me
stringOptional
or
nullOptional
request_idany ofOptional
stringOptional
or
nullOptional
statusany ofOptional
stringOptional
or
nullOptional
limitinteger · min: 1 · max: 500OptionalDefault: 100
Responses
chevron-right
200

Successful Response

application/json
idstringRequired
request_idstringRequired
stage_idstringRequired
stage_orderintegerRequired
assigneestringRequired
kindstringOptionalDefault: approver
delegated_fromany ofOptional
stringOptional
or
nullOptional
reassigned_fromany ofOptional
stringOptional
or
nullOptional
statusstringRequired
claimed_atany ofOptional
string · date-timeOptional
or
nullOptional
completed_atany ofOptional
string · date-timeOptional
or
nullOptional
due_atany ofOptional
string · date-timeOptional
or
nullOptional
decision_idany ofOptional
stringOptional
or
nullOptional
created_atstring · date-timeRequired
get
/v1/awe/tasks

hashtag
Claim a task (intent-to-act marker; not required for decision)

post
Authorizations
AuthorizationstringRequired
Bearer authentication header of the form Bearer <token>.
Path parameters
task_idstringRequired
Responses
chevron-right
200

Successful Response

application/json
idstringRequired
request_idstringRequired
stage_idstringRequired
stage_orderintegerRequired
assigneestringRequired
kindstringOptionalDefault: approver
delegated_fromany ofOptional
stringOptional
or
nullOptional
reassigned_fromany ofOptional
stringOptional
or
nullOptional
statusstringRequired
claimed_atany ofOptional
string · date-timeOptional
or
nullOptional
completed_atany ofOptional
string · date-timeOptional
or
nullOptional
due_atany ofOptional
string · date-timeOptional
or
nullOptional
decision_idany ofOptional
stringOptional
or
nullOptional
created_atstring · date-timeRequired
post
/v1/awe/tasks/{task_id}/claim

hashtag
Record a decision (approve / reject / abstain) on a task

post
Authorizations
AuthorizationstringRequired
Bearer authentication header of the form Bearer <token>.
Path parameters
task_idstringRequired
Body
actionstringRequiredExample: approve
commentany ofOptional
stringOptional
or
nullOptional
attachments_refany ofOptional
stringOptional
or
nullOptional
Responses
post
/v1/awe/tasks/{task_id}/decision

hashtag
Webhook (outbound from AWE → Caller)

AWE POSTs to whatever callback_url was set on the request whenever a status-changing event occurs. The contract — body schema and the three signed headers — is declared in the OpenAPI spec under the top-level webhooks: field (OpenAPI 3.1 feature) so it's discoverable from the same artifact as the rest of the API.

hashtag
Approval workflow state change

Sent by AWE to the caller's callback_url whenever a status-changing event occurs on an approval request — request_created, stage_started, stage_completed, request_approved, request_rejected, request_cancelled, or task_expired.

Signature scheme: X-Approval-Signature is sha256= + HMAC-SHA256 over <X-Approval-Timestamp>.<raw body> using the per-caller shared secret. The caller must verify the signature, dedup on X-Approval-Event-Id, and return any 2xx within the configured timeout (default 10s). Non-2xx triggers retries on the schedule documented in functional-specifications (1m → 5m → 15m → 1h → 6h, ~27h total).

Header parameters
X-Approval-Event-IdstringRequired
X-Approval-TimestampstringRequired
X-Approval-SignaturestringRequired
Payload

The body POSTed to the caller's callback_url.

Headers (set by the dispatcher, not part of this body): X-Approval-Event-Id — same as event_id below X-Approval-Signature — sha256=<hex>, HMAC over the raw body X-Approval-Timestamp — Unix seconds, included in the signed payload

event_idstringRequiredExample: 7f3e...
event_typestringRequired

request_created | stage_started | stage_completed | request_approved | request_rejected | request_cancelled

Example: request_approved
request_idstringRequired
artifact_typestringRequired
artifact_idstringRequired
statusstringRequired
stage_orderany ofOptional
integerOptional
or
nullOptional
actorany ofOptional
stringOptional
or
nullOptional
occurred_atstring · date-timeRequired
Responses
chevron-right
200

Successful Response

application/json
anyOptional

Payload

PreviousFunctional SpecificationsNextTechnical Architecture

Last updated

Was this helpful?