PAM API
This reference covers the Privileged Access Management (PAM) REST surface: the admin control plane under /api/v1/pam, the device actuation endpoint, and the agent-side ingest endpoint. For the administrative workflow these endpoints back, see Privileged Access Management; for the trust model, see the PAM Security Model.
All paths are relative to the API base URL and version prefix (/api/v1). See the API Overview for authentication, base URL, and common conventions.
Authentication and authorization
Section titled “Authentication and authorization”The /pam/* control-plane endpoints require a JWT bearer token (or API key) and run under organization, partner, or system scope. Authorization maps to the device permission set:
| Operation class | Permission | Extra gate |
|---|---|---|
| Read (list, active, rules) | devices:read |
– |
| Rule create / update / delete | devices:write |
MFA |
| Approve / deny / revoke | devices:execute |
MFA |
Tenant isolation is enforced by row-level security on every query. Site-restricted technicians are additionally narrowed to their allowed sites: requests outside those sites are filtered from reads and rejected on writes with 403.
Elevation requests
Section titled “Elevation requests”| Method | Path | Description |
|---|---|---|
GET |
/pam/elevation-requests |
List and filter elevation requests (Requests and Audit tabs). |
GET |
/pam/active |
List currently-active (unexpired, approved) elevations. |
POST |
/pam/elevation-requests/:id/respond |
Approve or deny a pending request. |
POST |
/pam/elevation-requests/:id/revoke |
Revoke an active elevation before it expires. |
List elevation requests
Section titled “List elevation requests”GET /pam/elevation-requests
Query parameters (all optional):
| Param | Type | Notes |
|---|---|---|
status |
enum | pending, approved, auto_approved, denied, expired, revoked, actuating |
flowType |
enum | uac_intercept, tech_jit_admin, ai_tool_action |
deviceId |
uuid | Filter to one device |
siteId |
uuid | Filter to one site (must be within the caller’s site scope) |
from / to |
ISO-8601 | Bound by request time |
page / limit |
int | limit max 100, default 50 |
Response:
{ "success": true, "requests": [ { "id": "…", "orgId": "…", "deviceId": "…", "deviceHostname": "WIN-ACCT-04", "siteName": "HQ", "flowType": "uac_intercept", "status": "pending", "subjectUsername": "acme\\sarah", "targetExecutablePath": "C:\\Users\\sarah\\Downloads\\FirefoxSetup.exe", "targetExecutableSigner": "Mozilla Corporation", "requestedAt": "2026-06-13T14:02:11Z", "approvedByName": null, "deniedByName": null, "revokedByName": null, "matchedPolicyName": null, "pamRuleId": null, "pamRuleName": null, "decisionSource": null } ], "pagination": { "page": 1, "limit": 50, "total": 1 }}decisionSource is derived: software_policy, pam_rule, human, or null (still pending). AI tool-action rows additionally carry toolName, riskTier, and actionDigest.
List active elevations
Section titled “List active elevations”GET /pam/active
Returns up to 500 elevations whose status is approved, auto_approved, or actuating and whose expiresAt is in the future. No query parameters. Used to render the live “active windows” view with expiry countdowns.
{ "success": true, "active": [ { "id": "…", "expiresAt": "2026-06-13T14:17:00Z", "…": "…" } ] }Respond (approve / deny)
Section titled “Respond (approve / deny)”POST /pam/elevation-requests/:id/respond — requires devices:execute + MFA.
Request body:
{ "decision": "approve", "reason": "Approved per change CHG-1042", "durationMinutes": 30}| Field | Type | Notes |
|---|---|---|
decision |
enum | approve or deny (required) |
reason |
string | Optional on approve, recommended on deny; max 2000 chars |
durationMinutes |
int | Approval window, 1–1440 (24h max). Defaults to 15 |
Only a pending request can be decided. The transition is an atomic compare-and-swap on pending, so concurrent decisions are safe.
| Status | Meaning |
|---|---|
200 |
{ "success": true, "id": "…", "status": "approved" | "denied" } |
400 |
Invalid id or body |
403 |
Site access denied, or MFA not satisfied |
404 |
Request not found (or outside the caller’s org) |
409 |
Request is no longer pending (lost the race), or a linked AI tool execution already timed out |
Revoke
Section titled “Revoke”POST /pam/elevation-requests/:id/revoke — requires devices:execute + MFA.
Ends an active elevation early.
{ "reason": "Maintenance window cancelled" }reason is required (1–2000 chars). Only an active elevation (approved, auto_approved, or actuating) can be revoked; a stale or already-finished row returns 409.
{ "success": true, "id": "…", "status": "revoked" }| Method | Path | Description |
|---|---|---|
GET |
/pam/rules |
List rules in priority order. |
POST |
/pam/rules |
Create a rule. |
POST |
/pam/rules/preview |
Dry-run draft criteria against request history. |
PATCH |
/pam/rules/:id |
Update a rule. |
DELETE |
/pam/rules/:id |
Delete a rule. |
Create / update a rule
Section titled “Create / update a rule”POST /pam/rules (create) and PATCH /pam/rules/:id (partial update) — require devices:write + MFA.
{ "name": "Auto-approve signed Mozilla installers", "verdict": "auto_approve", "priority": 50, "enabled": true, "matchSigner": "Mozilla Corporation", "approvalDurationMinutes": 30, "siteId": null}| Field | Type | Notes |
|---|---|---|
name |
string | Required, 1–255 chars |
verdict |
enum | auto_approve, auto_deny, require_approval, ignore |
priority |
int | Lower runs first; default 100 |
enabled |
bool | Default true |
siteId |
uuid | null | Narrow to one site; null = org-wide |
matchSigner |
string | Code-signer (executable rule). Mutually exclusive with matchSignerGroupId |
matchSignerGroupId |
uuid | null | Reference a reusable signer group instead of a single matchSigner (executable rule) |
matchHash |
string | SHA-256 hex digest (executable rule) |
matchPathGlob |
string | File-path glob (executable rule) |
matchParentImage |
string | Parent process (executable rule) |
matchCommandLine |
string | Case-insensitive substring of the launched process command line (executable rule) |
matchUser |
string | Narrow by requesting user |
matchAdGroup |
string | Narrow by AD group |
matchToolName |
string | AI tool name (tool-action rule) |
matchRiskTier |
int | Risk tier 0–4 (tool-action rule) |
matchNegate |
string[] | null | Criterion keys the engine inverts (“does not match”). Valid keys: signer, signerGroup, hash, pathGlob, parentImage, commandLine, user, adGroup, toolName, riskTier |
timeWindow |
object | { start, end, days?, timezone? }, HH:MM 24h, days 0–6 (Sun–Sat) |
approvalDurationMinutes |
int | 1–1440; null falls back to the org default |
Rule-shape validation (enforced on create and on the merged result of an update):
- A rule must carry at least one identifying criterion (signer / signer group / hash / path / parent / command line / user / group / tool / tier). A rule scoped only by time window – or nothing – is rejected with
400. - A rule is either executable-shaped (signer / signer group / hash / path / parent / command line) or tool-action-shaped (tool name / risk tier). Mixing the two is rejected, because no single observation carries both.
matchSignerandmatchSignerGroupIdare mutually exclusive – a rule references a single signer or a signer group, not both.- A negated criterion never turns missing data into a match: if the observation didn’t report the value a negated criterion checks, the rule does not match.
verdict: "ignore"is not valid for tool-action rules – a tool action must be decided.
Create returns 201 with the full rule; update returns 200.
Preview a rule
Section titled “Preview a rule”POST /pam/rules/preview — requires devices:write.
Dry-runs draft criteria against historical requests so you can see what a rule would have matched before saving it. Accepts the same criteria fields as a rule, plus windowDays (1–90, default 30) and an optional flowType.
{ "success": true, "totalMatched": 12, "totalScanned": 480, "windowDays": 30, "truncated": false, "statusBreakdown": { "pending": 2, "approved": 7, "auto_approved": 3, "denied": 0, "expired": 0, "revoked": 0, "actuating": 0 }, "sample": [ { "id": "…", "requestedAt": "…", "flowType": "uac_intercept", "status": "approved" } ]}The preview is a pure per-rule match – it does not replay priority shadowing or the software-policy bridge. Historical rows do not store AD groups, so any draft containing matchAdGroup reports zero matches.
Signer groups
Section titled “Signer groups”A signer group is a named, reusable set of trusted code-signer (subject) patterns that executable rules can reference via matchSignerGroupId instead of repeating the same publisher across rules.
| Method | Path | Description |
|---|---|---|
GET |
/pam/signer-groups |
List the org’s signer groups. |
POST |
/pam/signer-groups |
Create a signer group. |
PATCH |
/pam/signer-groups/:id |
Partial update (name, description, signers). |
DELETE |
/pam/signer-groups/:id |
Delete a group; 409 if it is still referenced by a rule. |
Reads require devices:read; writes require devices:write + MFA.
{ "name": "Trusted browser vendors", "description": "Publishers whose installers we auto-approve", "signers": ["Mozilla Corporation", "Google LLC"]}| Field | Type | Notes |
|---|---|---|
name |
string | Required, 1–255 chars |
description |
string | null | Optional, max 2000 chars |
signers |
string[] | Up to 500 trimmed entries, each max 255 chars; de-duplicated case-insensitively |
GET and create/update return the full group(s):
{ "success": true, "signerGroups": [ { "id": "…", "orgId": "…", "name": "Trusted browser vendors", "description": "Publishers whose installers we auto-approve", "signers": ["Mozilla Corporation", "Google LLC"], "createdAt": "…", "updatedAt": "…" } ]}Create returns 201. DELETE returns 409 (with a message naming the referencing-rule count) when the group is still used by a rule – detach those rules first.
Org default verdict
Section titled “Org default verdict”The default verdict decides an elevation that matches no software policy and no PAM rule.
| Method | Path | Description |
|---|---|---|
GET |
/pam/config |
Get the org’s PAM config (devices:read). |
PUT |
/pam/config |
Set the default unmatched verdict (devices:write + MFA). |
{ "success": true, "config": { "orgId": "…", "defaultUnmatchedVerdict": "require_approval" } }defaultUnmatchedVerdict is require_approval (the default, also applied when no config row exists) or auto_deny. PUT accepts { "defaultUnmatchedVerdict": "require_approval" | "auto_deny" }.
Device actuation
Section titled “Device actuation”| Method | Path | Description |
|---|---|---|
POST |
/devices/:id/actuate-elevation |
Queue an actuate_elevation command for an approved UAC elevation. |
POST /devices/:id/actuate-elevation — organization/partner/system scope, devices:execute, MFA.
Queues the agent “go” signal for a consent.exe prompt that is already waiting on the user’s screen. The command payload that reaches the agent carries only the elevation request id and a timeout – the dormant-admin credential is minted locally by the agent and never crosses the wire.
{ "elevationRequestId": "…", "timeoutMs": 8000 }The route is single-use: it atomically transitions the request from approved to actuating in the same transaction that queues the command. A request that is not approved, or that another caller already claimed, is refused.
| Status | Meaning |
|---|---|
201 |
Command queued; returns the command id and elevationRequestId |
400 |
Invalid body, or device decommissioned |
403 |
PAM actuator disabled, site access denied, or MFA not satisfied |
404 |
Device or elevation request not found |
409 |
Request not approved (wrong_status) or already being actuated (race_lost) |
Agent ingest
Section titled “Agent ingest”| Method | Path | Description |
|---|---|---|
POST |
/agents/:id/elevation-requests |
Agent reports an observed UAC consent prompt. |
This endpoint is called by the agent, authenticated with the agent bearer token (not a user JWT), and is documented here for completeness. It records a UAC observation as an elevation_requests row with flowType: uac_intercept, runs the decisioning chain (software-policy bridge → PAM rules → org default verdict), and emits the corresponding event and audit rows. When the result is pending, Breeze additionally fans out a mobile approval request to each eligible technician and pushes it to their phones (best-effort — the 201 does not depend on push delivery; the first approver to decide on mobile wins and the siblings expire).
Request body (synthesized fields like reason are written server-side; the agent only sends discovery data):
{ "subject_username": "acme\\sarah", "target_executable_path": "C:\\Users\\sarah\\Downloads\\FirefoxSetup.exe", "target_executable_hash": "<agent-reported file hash>", "target_executable_signer": "Mozilla Corporation", "pid": 4812, "parent_image": "C:\\Windows\\explorer.exe", "command_line": "…", "observed_at": "2026-06-13T14:02:11Z"}| Status | Meaning |
|---|---|
201 |
{ "id": "…", "status": "pending" | "auto_approved" | "denied" } |
200 |
{ "id": null, "status": "ignored" } – an ignore rule matched; no request row is created |
413 |
Body exceeds 32 KB |
429 |
Per-device rate limit exceeded (about 10 requests/second) |
Decisioning fails safe: if either evaluator errors, the request is recorded as pending rather than auto-approved, regardless of the org’s configured default verdict. When no policy and no rule match (without an error), the org default verdict decides — pending under require_approval, or denied under auto_deny.
Configuration policy: enabling UAC capture
Section titled “Configuration policy: enabling UAC capture”Whether a device captures UAC prompts at all is governed by the pam configuration-policy feature, resolved through the normal policy hierarchy (partner → org → site → group → device, closest-wins). The feature’s inline settings shape is a single flag:
{ "uacInterceptionEnabled": true }uacInterceptionEnabled defaults to true at every level, so upgrades are behavior-preserving; admins opt a scope out by assigning a policy that turns it off. This toggle controls only whether devices capture elevation prompts – it does not govern the rule chain, request queue, or audit history, which are scoped to the organization and site and managed in the Privileged Access console. See Configuration Policies for how feature settings resolve.