
REST API Reference

jitsudo exposes a dual API: a native gRPC API and an HTTP REST gateway generated by grpc-gateway. Both APIs are served from the same jitsudod process.

| API                 | Address                   | Path prefix    |
|---------------------|---------------------------|----------------|
| REST (grpc-gateway) | http_addr (default :8080) | /api/v1alpha1/ |
| gRPC                | grpc_addr (default :8443) |                |

All endpoints except the unauthenticated health and version endpoints listed at the end of this page require a valid OIDC ID token in the Authorization header:

Authorization: Bearer <id-token>

Obtain a token via jitsudo login. The token is stored at ~/.jitsudo/credentials.

POST /api/v1alpha1/requests

Request body:

{
"provider": "aws",
"role": "prod-infra-admin",
"resource_scope": "123456789012",
"duration_seconds": 7200,
"reason": "Investigating P1 ECS crash",
"break_glass": false,
"metadata": {}
}

Response:

{
"request": {
"id": "req_01J8KZ4F2EMNQZ3V7XKQYBD4W",
"state": "REQUEST_STATE_PENDING",
"requester_identity": "alice@example.com",
"provider": "aws",
"role": "prod-infra-admin",
"resource_scope": "123456789012",
"duration_seconds": 7200,
"reason": "Investigating P1 ECS crash",
"break_glass": false,
"created_at": "2026-03-20T16:00:00Z",
"updated_at": "2026-03-20T16:00:00Z"
}
}

curl example:

curl -X POST https://jitsudo.example.com/api/v1alpha1/requests \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"provider": "aws",
"role": "prod-infra-admin",
"resource_scope": "123456789012",
"duration_seconds": 7200,
"reason": "Investigating P1 ECS crash"
}'

GET /api/v1alpha1/requests

Query parameters:

| Parameter          | Description                                      |
|--------------------|--------------------------------------------------|
| mine               | Filter to the caller's own requests (true/false) |
| pending            | Filter to pending requests (true/false)          |
| requester_identity | Filter by requester email                        |
| state              | Filter by state (enum value)                     |

curl example:

# List your own requests
curl "https://jitsudo.example.com/api/v1alpha1/requests?mine=true" \
-H "Authorization: Bearer $TOKEN"
# List all pending requests
curl "https://jitsudo.example.com/api/v1alpha1/requests?pending=true" \
-H "Authorization: Bearer $TOKEN"

GET /api/v1alpha1/requests/{id}
curl "https://jitsudo.example.com/api/v1alpha1/requests/req_01J8KZ4F2EMNQZ3V7XKQYBD4W" \
-H "Authorization: Bearer $TOKEN"
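The two calls above form one flow: POST a request, then poll GET /api/v1alpha1/requests/{id} until an approver acts. The following Go program is an added example and not part of this page or of the project's pkg/client package. It uses only the JSON field names shown above, parses the google.rpc.Status error body that grpc-gateway returns on failure, and stops polling as soon as the request reaches a state that can no longer be approved instead of waiting forever. The base URL, the TOKEN environment variable and the five-second poll interval are assumptions.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"log"
	"net/http"
	"os"
	"strings"
	"time"
)

// Client is illustrative code for this page's REST endpoints, not the project's pkg/client.
type Client struct {
	BaseURL string // e.g. https://jitsudo.example.com
	Token   string // OIDC ID token obtained with `jitsudo login`
}

// AccessRequest mirrors the "request" object; field names follow the JSON shown above.
type AccessRequest struct {
	ID              string `json:"id,omitempty"`
	State           string `json:"state,omitempty"`
	Provider        string `json:"provider"`
	Role            string `json:"role"`
	ResourceScope   string `json:"resource_scope"`
	DurationSeconds int    `json:"duration_seconds"`
	Reason          string `json:"reason"`
}

// call sends one bearer-authenticated JSON request and decodes the 2xx reply into out.
func (c *Client) call(ctx context.Context, method, path string, body []byte, out any) error {
	req, err := http.NewRequestWithContext(ctx, method, c.BaseURL+path, bytes.NewReader(body))
	if err != nil {
		return err
	}
	req.Header.Set("Authorization", "Bearer "+c.Token)
	req.Header.Set("Content-Type", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode/100 != 2 {
		// grpc-gateway renders errors as a google.rpc.Status object: {"code":..,"message":..}.
		var st struct{ Message string }
		_ = json.NewDecoder(resp.Body).Decode(&st)
		return fmt.Errorf("%s %s: HTTP %d: %s", method, path, resp.StatusCode, st.Message)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// CreateRequest submits a request; the reply is wrapped as {"request": {...}}.
func (c *Client) CreateRequest(ctx context.Context, r AccessRequest) (*AccessRequest, error) {
	body, err := json.Marshal(r)
	if err != nil {
		return nil, err
	}
	var out struct{ Request AccessRequest }
	err = c.call(ctx, http.MethodPost, "/api/v1alpha1/requests", body, &out)
	return &out.Request, err
}

func (c *Client) GetRequest(ctx context.Context, id string) (*AccessRequest, error) {
	var out struct{ Request AccessRequest }
	err := c.call(ctx, http.MethodGet, "/api/v1alpha1/requests/"+id, nil, &out)
	return &out.Request, err
}

// WaitForApproval polls GET /requests/{id} until the state is APPROVED or ACTIVE and fails
// fast on any other state (REJECTED, EXPIRED, REVOKED, or an unexpected value) instead of
// polling forever. It accepts both enum spellings this page shows (REQUEST_STATE_PENDING, PENDING).
func (c *Client) WaitForApproval(ctx context.Context, id string, every time.Duration) (*AccessRequest, error) {
	for ctx.Err() == nil {
		r, err := c.GetRequest(ctx, id)
		if err != nil {
			return nil, err
		}
		switch strings.TrimPrefix(r.State, "REQUEST_STATE_") {
		case "APPROVED", "ACTIVE":
			return r, nil
		case "PENDING":
			time.Sleep(every)
		default:
			return r, fmt.Errorf("request %s is %q and cannot be approved", id, r.State)
		}
	}
	return nil, ctx.Err()
}

func main() {
	c := &Client{BaseURL: "https://jitsudo.example.com", Token: os.Getenv("TOKEN")}
	r, err := c.CreateRequest(context.Background(), AccessRequest{Provider: "aws", Role: "prod-infra-admin",
		ResourceScope: "123456789012", DurationSeconds: 7200, Reason: "Investigating P1 ECS crash"})
	if err == nil {
		r, err = c.WaitForApproval(context.Background(), r.ID, 5*time.Second)
	}
	if err != nil {
		log.Fatal(err)
	}
	log.Printf("%s is %s; credentials can now be fetched from /api/v1alpha1/requests/%s/credentials", r.ID, r.State, r.ID)
}
```

Pass a context with a deadline to WaitForApproval in real use so an approver who never acts does not leave the caller blocked; the loop returns ctx.Err() as soon as the context ends.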

POST /api/v1alpha1/requests/{request_id}/approve

Request body:

{
"comment": "Approved for INC-4421 response"
}
curl -X POST "https://jitsudo.example.com/api/v1alpha1/requests/req_01J8KZ.../approve" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"comment": "Approved"}'

POST /api/v1alpha1/requests/{request_id}/deny

Request body:

{
"reason": "Not authorized for production access"
}

POST /api/v1alpha1/requests/{request_id}/revoke

Request body:

{
"reason": "Incident resolved"
}

Retrieve the credentials for a request in the APPROVED or ACTIVE state; fetching them moves an APPROVED request to ACTIVE. Only the requester can call this endpoint. The response body carries the live secret values, so handle it as a secret and keep it out of logs.

GET /api/v1alpha1/requests/{request_id}/credentials

Response:

{
"grant": {
"request_id": "req_01J8KZ4F2EMNQZ3V7XKQYBD4W",
"credentials": [
{"name": "AWS_ACCESS_KEY_ID", "value": "ASIA..."},
{"name": "AWS_SECRET_ACCESS_KEY", "value": "..."},
{"name": "AWS_SESSION_TOKEN", "value": "..."},
{"name": "AWS_DEFAULT_REGION", "value": "us-east-1"}
],
"issued_at": "2026-03-20T16:01:00Z",
"expires_at": "2026-03-20T18:01:00Z"
}
}
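The grant above carries live secrets that expire at expires_at. The following Go program is an added example, not code from this page or from the project: it reads that response from stdin (for instance piped from the curl call), refuses a grant that is expired or about to expire, and hands the credentials to a child process through its environment without ever printing them. The one-minute floor, the grant.go file name and the aws sts get-caller-identity usage line are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"log"
	"os"
	"os/exec"
	"time"
)

// Grant mirrors the "grant" object of the credentials response shown above.
// Illustrative code, not the project's pkg/client package.
type Grant struct {
	RequestID   string                         `json:"request_id"`
	Credentials []struct{ Name, Value string } `json:"credentials"`
	IssuedAt    time.Time                      `json:"issued_at"`
	ExpiresAt   time.Time                      `json:"expires_at"`
}

// ParseGrant decodes a credentials response body and rejects one without usable credentials.
func ParseGrant(body []byte) (*Grant, error) {
	var out struct{ Grant *Grant }
	if err := json.Unmarshal(body, &out); err != nil {
		return nil, err
	}
	if out.Grant == nil || len(out.Grant.Credentials) == 0 || out.Grant.ExpiresAt.IsZero() {
		return nil, fmt.Errorf("response carries no usable grant")
	}
	return out.Grant, nil
}

// Env renders the grant as NAME=value pairs for a child process. It refuses a grant that
// has expired or has less than minLeft remaining, so a job is not started on credentials
// that will die before it finishes.
func (g *Grant) Env(now time.Time, minLeft time.Duration) ([]string, error) {
	if left := g.ExpiresAt.Sub(now); left < minLeft {
		return nil, fmt.Errorf("grant %s expires at %s (%s left, %s required)",
			g.RequestID, g.ExpiresAt.Format(time.RFC3339), left.Round(time.Second), minLeft)
	}
	env := make([]string, 0, len(g.Credentials))
	for _, c := range g.Credentials {
		env = append(env, c.Name+"="+c.Value)
	}
	return env, nil
}

// Run executes argv with the credentials in its environment. The secret values reach
// only the child process; nothing here prints or logs them.
func (g *Grant) Run(argv ...string) error {
	if len(argv) == 0 {
		return fmt.Errorf("no command given")
	}
	env, err := g.Env(time.Now(), time.Minute) // one-minute floor is an assumption
	if err != nil {
		return err
	}
	cmd := exec.Command(argv[0], argv[1:]...)
	cmd.Env = append(os.Environ(), env...)
	cmd.Stdout, cmd.Stderr = os.Stdout, os.Stderr
	return cmd.Run()
}

// Usage (credentials JSON on stdin):
//   curl -s "$BASE/api/v1alpha1/requests/$ID/credentials" -H "Authorization: Bearer $TOKEN" \
//     | go run grant.go aws sts get-caller-identity
func main() {
	body, err := io.ReadAll(os.Stdin)
	if err != nil {
		log.Fatal(err)
	}
	g, err := ParseGrant(body)
	if err != nil {
		log.Fatal(err)
	}
	if err := g.Run(os.Args[1:]...); err != nil {
		log.Fatal(err)
	}
}
```

Passing the values through the child's environment rather than writing them to ~/.aws/credentials or the terminal keeps them scoped to that one process and to the elevation window; when the grant expires the next invocation simply fails at the expiry check.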

GET /api/v1alpha1/policies

GET /api/v1alpha1/policies/{id}

Create or update a policy (upsert by name).

POST /api/v1alpha1/policies

Request body:

{
"name": "sre-eligibility",
"type": "POLICY_TYPE_ELIGIBILITY",
"rego": "package jitsudo.eligibility\n\ndefault allow = false\n\nallow {\n input.user.groups[_] == \"sre\"\n}\n",
"description": "SRE team eligibility",
"enabled": true
}

DELETE /api/v1alpha1/policies/{id}

POST /api/v1alpha1/policies:eval

Request body:

{
"input_json": "{\"user\":{\"email\":\"alice@example.com\",\"groups\":[\"sre\"]},\"request\":{\"provider\":\"aws\",\"role\":\"prod-admin\",\"resource_scope\":\"123456789012\",\"duration_seconds\":3600}}",
"type": "POLICY_TYPE_ELIGIBILITY"
}

Response:

{
"allowed": true,
"reason": "",
"result_json": "{...}"
}
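Both policy bodies above carry JSON inside JSON: rego is raw policy text whose newlines and quotes must be escaped, and input_json and result_json are complete JSON documents wrapped in strings rather than embedded objects. The following Go functions are an added example rather than project code: they build the upsert and eval bodies from typed values so the encoder does the escaping, and they unwrap the nested result_json from the eval response. The PolicyInput type and the local file name sre-eligibility.rego are assumptions, not types or files the project defines.

```go
package main

import (
	"encoding/json"
	"fmt"
	"log"
	"os"
)

// PolicyInput is the document handed to the policy engine. Its shape follows the
// input_json example above; it is an illustrative type, not one the project defines.
type PolicyInput struct {
	User struct {
		Email  string   `json:"email"`
		Groups []string `json:"groups"`
	} `json:"user"`
	Request struct {
		Provider        string `json:"provider"`
		Role            string `json:"role"`
		ResourceScope   string `json:"resource_scope"`
		DurationSeconds int    `json:"duration_seconds"`
	} `json:"request"`
}

// PolicyBody builds the POST /api/v1alpha1/policies body. rego is the raw policy text;
// json.Marshal escapes its newlines and quotes, so no manual escaping is needed.
func PolicyBody(name, typ, description string, rego []byte, enabled bool) ([]byte, error) {
	return json.Marshal(map[string]any{
		"name": name, "type": typ, "rego": string(rego),
		"description": description, "enabled": enabled,
	})
}

// EvalBody builds the POST /api/v1alpha1/policies:eval body. input_json is a JSON
// document carried as a string, so the input is encoded twice: first to text, then
// as a string value inside the outer object.
func EvalBody(in PolicyInput, typ string) ([]byte, error) {
	inner, err := json.Marshal(in)
	if err != nil {
		return nil, err
	}
	return json.Marshal(map[string]string{"input_json": string(inner), "type": typ})
}

// EvalResult is the eval response with result_json unwrapped into a map.
type EvalResult struct {
	Allowed bool
	Reason  string
	Result  map[string]any
}

// ParseEvalResult decodes the response and then the nested result_json string. An empty
// result_json is tolerated; malformed content is reported rather than silently dropped.
func ParseEvalResult(body []byte) (*EvalResult, error) {
	var raw struct {
		Allowed    bool   `json:"allowed"`
		Reason     string `json:"reason"`
		ResultJSON string `json:"result_json"`
	}
	if err := json.Unmarshal(body, &raw); err != nil {
		return nil, err
	}
	res := &EvalResult{Allowed: raw.Allowed, Reason: raw.Reason}
	if raw.ResultJSON != "" {
		if err := json.Unmarshal([]byte(raw.ResultJSON), &res.Result); err != nil {
			return nil, fmt.Errorf("result_json is not valid JSON: %w", err)
		}
	}
	return res, nil
}

func main() {
	rego, err := os.ReadFile("sre-eligibility.rego") // assumed local file holding the policy text
	if err != nil {
		log.Fatal(err)
	}
	upsert, err := PolicyBody("sre-eligibility", "POLICY_TYPE_ELIGIBILITY", "SRE team eligibility", rego, true)
	if err != nil {
		log.Fatal(err)
	}
	var in PolicyInput
	in.User.Email, in.User.Groups = "alice@example.com", []string{"sre"}
	in.Request.Provider, in.Request.Role = "aws", "prod-admin"
	in.Request.ResourceScope, in.Request.DurationSeconds = "123456789012", 3600
	eval, err := EvalBody(in, "POLICY_TYPE_ELIGIBILITY")
	if err != nil {
		log.Fatal(err)
	}
	// Both bodies are ready to be sent with curl -d @- or any HTTP client.
	fmt.Printf("%s\n%s\n", upsert, eval)
}
```

Evaluating the planned request against the eligibility policy before creating it is a cheap way to tell a user up front that they are not eligible, instead of letting a request sit in PENDING until an approver denies it.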

GET /api/v1alpha1/audit

Query parameters:

| Parameter      | Description                                      |
|----------------|--------------------------------------------------|
| actor_identity | Filter by actor email                            |
| provider       | Filter by provider                               |
| request_id     | Filter by request ID                             |
| since          | RFC3339 timestamp (events after this time)       |
| until          | RFC3339 timestamp (events before this time)      |
| page_size      | Maximum events to return (default 100, max 1000) |
| page_token     | Pagination token from the previous response      |
curl "https://jitsudo.example.com/api/v1alpha1/audit?actor_identity=alice@example.com&since=2026-03-01T00:00:00Z" \
-H "Authorization: Bearer $TOKEN"
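Walking the whole audit log means re-sending the same filters with the page_token from the previous reply until the token comes back empty. The following Go code is an added example, not the project's client. It assumes the response carries the events under "events" and the continuation token under "next_page_token" (the page does not show the audit response body), keeps the filters unchanged between pages, and bounds the walk so a server that repeats a token or never stops paging cannot keep it looping.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"io"
	"log"
	"net/http"
	"net/url"
	"os"
)

// Fetcher performs one GET /api/v1alpha1/audit with the given query and returns the body.
// Injecting it keeps the paging logic below testable without a server.
type Fetcher func(ctx context.Context, query url.Values) ([]byte, error)

// HTTPFetcher returns a Fetcher for a live gateway. Illustrative code, not the project's client.
func HTTPFetcher(baseURL, token string) Fetcher {
	return func(ctx context.Context, query url.Values) ([]byte, error) {
		u := baseURL + "/api/v1alpha1/audit?" + query.Encode()
		req, err := http.NewRequestWithContext(ctx, http.MethodGet, u, nil)
		if err != nil {
			return nil, err
		}
		req.Header.Set("Authorization", "Bearer "+token)
		resp, err := http.DefaultClient.Do(req)
		if err != nil {
			return nil, err
		}
		defer resp.Body.Close()
		body, err := io.ReadAll(resp.Body)
		if resp.StatusCode != http.StatusOK {
			return nil, fmt.Errorf("GET /api/v1alpha1/audit: HTTP %d: %s", resp.StatusCode, body)
		}
		return body, err
	}
}

// ListAudit walks every page matching filter (actor_identity, since, page_size, ...) by
// re-sending the filter with the page_token from the previous reply until the token is
// empty. The response field names "events" and "next_page_token" are assumptions; the
// page does not show the audit response body. maxPages bounds the walk, and a token
// that repeats is reported as an error rather than looped on forever.
func ListAudit(ctx context.Context, fetch Fetcher, filter url.Values, maxPages int) ([]map[string]any, error) {
	var events []map[string]any
	token := ""
	for page := 0; page < maxPages; page++ {
		q := url.Values{} // copy so the caller's filter is never mutated
		for k, vs := range filter {
			q[k] = vs
		}
		if token != "" {
			q.Set("page_token", token)
		}
		body, err := fetch(ctx, q)
		if err != nil {
			return events, err
		}
		var resp struct {
			Events        []map[string]any `json:"events"`
			NextPageToken string           `json:"next_page_token"`
		}
		if err := json.Unmarshal(body, &resp); err != nil {
			return events, fmt.Errorf("page %d: %w", page+1, err)
		}
		events = append(events, resp.Events...)
		switch resp.NextPageToken {
		case "":
			return events, nil
		case token:
			return events, fmt.Errorf("page %d: server repeated page_token %q", page+1, token)
		}
		token = resp.NextPageToken
	}
	return events, fmt.Errorf("stopped after %d pages; raise maxPages or narrow the filter", maxPages)
}

func main() {
	fetch := HTTPFetcher("https://jitsudo.example.com", os.Getenv("TOKEN"))
	filter := url.Values{"actor_identity": {"alice@example.com"}, "since": {"2026-03-01T00:00:00Z"}, "page_size": {"1000"}}
	events, err := ListAudit(context.Background(), fetch, filter, 50)
	if err != nil {
		log.Fatal(err)
	}
	log.Printf("%d audit events", len(events))
}
```

Events are decoded into generic maps because the page does not document the event schema; a caller that knows the fields can swap in a typed struct without changing the paging loop.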

Trigger the OPA engine to reload all enabled policies from the database.

POST /api/v1alpha1/admin/reload-policies

Response:

{
"policies_loaded": 3
}

These endpoints do not require authentication:

| Endpoint     | Description                                               |
|--------------|-----------------------------------------------------------|
| GET /healthz | Liveness check: returns ok                                |
| GET /readyz  | Readiness check: verifies the database connection         |
| GET /version | Returns {"version":"0.1.0","api_versions":["v1alpha1"]}   |

| Proto value            | JSON string | Description                           |
|------------------------|-------------|---------------------------------------|
| REQUEST_STATE_PENDING  | PENDING     | Awaiting approver action              |
| REQUEST_STATE_APPROVED | APPROVED    | Approved, credentials not yet fetched |
| REQUEST_STATE_REJECTED | REJECTED    | Denied                                |
| REQUEST_STATE_ACTIVE   | ACTIVE      | Credentials issued and active         |
| REQUEST_STATE_EXPIRED  | EXPIRED     | Elevation window elapsed              |
| REQUEST_STATE_REVOKED  | REVOKED     | Manually revoked                      |

| Proto value             | JSON string | Description        |
|-------------------------|-------------|--------------------|
| POLICY_TYPE_ELIGIBILITY | ELIGIBILITY | Eligibility policy |
| POLICY_TYPE_APPROVAL    | APPROVAL    | Approval policy    |

The gRPC service definition is available at api/proto/jitsudo/v1alpha1/service.proto in the GitHub repository. The protobuf definitions are managed via buf.build.

Connect to the gRPC endpoint at grpc_addr (default :8443). Use the pkg/client Go package for programmatic access.