
The most recent patch for this version is 26.1.1.  Learn more  

Version: 26.1

APIs

Access Decision Service (ADS) provides REST APIs that serve as the programmatic interface for various ADS functions. These APIs are designed to offer a streamlined approach to query access permissions and to manage the service itself.

  • Evaluation API

    The Evaluation API of ADS provides a suite of RESTful endpoints through which you can submit authorization queries. The API processes these queries against defined access policies and returns authorization decisions in the form of responses.

  • Reverse query API

    The Reverse query evaluation API allows you to POST reverse queries in JSON format for evaluation. The response provides information on what constraints need to be satisfied to get an expected PDP decision (as defined in the request).

  • Administration API

    The Administration API is used for the operational management of ADS. It includes a range of RESTful endpoints for service maintenance, including those for conducting health checks, monitoring service metrics, and retrieving system information. This API is crucial for continuous monitoring and ensuring that ADS operates efficiently.

Available APIs vary based on the selected deployment mode (ads, caq, or ads_caq). For example, the Evaluation API requires ads mode, while the Reverse Query API requires caq mode. Selecting ads_caq enables the full suite of APIs.

Follow the links below to read more information on ADS APIs:

Authentication

You can enhance security by incorporating authentication in the authorization process of ADS.

When ADS is configured to use authentication, any request without authentication headers, or with invalid credentials, will return HTTP 401 Unauthorized.

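The Authorization header carries the authentication parameters. For example, in basic authentication, this header contains the word Basic followed by a base64-encoded string formed from the username, a colon character, and the password. Base64 is an encoding, not encryption: anyone who can read the request can recover the username and password, so send authenticated requests over HTTPS.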

While most HTTP clients provide simplified methods for inputting these details, understanding the underlying process is essential.

Example

The following examples use curl:

curl --data @request.json -H content-type:application/xacml+json http://localhost:8080/authorize -H authorization:Basic\ YWRzLXVzZXI6c2VjcmV0

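The string YWRzLXVzZXI6c2VjcmV0 in the command above is simply ads-user:secret in base64. curl's -u option constructs the same authorization header internally, which simplifies the command (passing only the username, as in -u ads-user, makes curl prompt for the password so that it does not end up in shell history):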

curl --data @request.json -H content-type:application/xacml+json http://localhost:8080/authorize -u ads-user:secret

For detailed information, refer to the documentation of your respective HTTP client.

Read more on authentication options in the Authentication section.

OpenAPI documentation

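The OpenAPI/Swagger documentation for ADS service endpoints is available in JSON format below. The document declares no security schemes, so a client generated from it will not send the authentication described above unless you add it yourself: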

{
"openapi": "3.1.0",
"info": {
"title": "Access Decision Service API",
"description": "API to evaluate access decisions",
"version": "2.0"
},
"servers": [
{
"url": "http://localhost:8283",
"description": "Generated server url"
}
],
"paths": {
"/health": {
"get": {
"tags": [
"Application health"
],
"summary": "Health Check",
"description": "Checks the health of the application",
"responses": {
"200": {
"description": "OK",
"content": {
"application/json": {
"schema": {},
"example": {
"status": "string",
"components": {
"diskSpace": {
"status": "string",
"details": {
"total": 0,
"free": 0,
"threshold": 0,
"path": "string",
"exists": true
}
},
"liveness": {
"status": "string",
"details": {
"deadlocks": {
"healthy": true,
"time": "2026-01-27T11:54:05.510Z",
"message": "string"
}
}
},
"ping": {
"status": "string"
},
"readiness": {
"status": "string",
"details": {
"domainStatus": {
"domainIdentity": "string",
"lastSuccessfulReconfigureDate": "2026-01-27T11:54:05.510Z",
"lastDomainReconfigureDate": "2026-01-27T11:54:05.510Z",
"lastDomainReconfigureErrorMessage": "string"
}
}
},
"startup": {
"status": "string"
}
},
"groups": [
"string"
]
}
}
}
}
}
}
},
"/health/liveness": {
"get": {
"tags": [
"Application health"
],
"summary": "Liveness Check",
"description": "Checks the liveness of the application",
"responses": {
"200": {
"description": "OK",
"content": {
"application/json": {
"schema": {},
"example": {
"status": "string",
"details": {
"deadlocks": {
"healthy": true,
"time": "2026-01-27T11:54:05.507Z",
"message": "string"
}
}
}
}
}
}
}
}
},
"/health/startup": {
"get": {
"tags": [
"Application health"
],
"summary": "Startup Check",
"description": "Checks if the application is up and running",
"responses": {
"200": {
"description": "OK",
"content": {
"application/json": {
"schema": {},
"example": {
"status": "string"
}
}
}
}
}
}
},
"/health/readiness": {
"get": {
"tags": [
"Application health"
],
"summary": "Readiness Check",
"description": "Checks the readiness of the application",
"responses": {
"200": {
"description": "OK",
"content": {
"application/json": {
"schema": {},
"example": {
"status": "string",
"details": {
"domainStatus": {
"domainIdentity": "string",
"lastSuccessfulReconfigureDate": "2026-01-27T12:00:32.692Z",
"lastDomainReconfigureDate": "2026-01-27T12:00:32.692Z",
"lastDomainReconfigureErrorMessage": "string"
}
}
}
}
}
}
}
}
},
"/info": {
"get": {
"tags": [
"Application health"
],
"summary": "Custom Actuator Info",
"description": "Returns info related to the application (custom implementation)",
"responses": {
"200": {
"description": "OK",
"content": {
"application/json": {
"schema": {},
"example": {
"application": {
"name": "access-decision-service",
"version": "2.x.x",
"vendor": "com.axiomatics.access-decision-service",
"engineΜode": "ADS_CAQ"
},
"java": {
"vendor": "Generic Vendor",
"version": "17.x.x"
},
"identity": "string",
"domainIdentity": "string"
}
}
}
}
}
}
},
"/authorize": {
"post": {
"tags": [
"Access Decision Service Operations"
],
"summary": "Evaluate XACML XML/JSON request",
"description": "Evaluate XACML XML/JSON request",
"operationId": "evaluateXmlRequest",
"requestBody": {
"description": "XACML request payload",
"content": {
"application/json": {
"schema": {
"$ref": "#/components/schemas/RequestWrapper"
},
"examples": {
"Simple Request": {
"description": "Simple Request",
"value": {
"Request": {
"AccessSubject": [
{
"Attribute": [
{
"AttributeId": "Testnew.Role",
"Value": "manager"
}
]
}
]
}
}
},
"Multiple AccessSubjects": {
"description": "Multiple AccessSubjects",
"value": {
"Request": {
"AccessSubject": [
{
"Id": "id1",
"Attribute": [
{
"AttributeId": "Testnew.Name",
"Value": "Alice"
},
{
"AttributeId": "Testnew.Location",
"Value": "Stockholm"
},
{
"AttributeId": "Testnew.Postal",
"Value": 22222
}
]
},
{
"Id": "id2",
"Attribute": [
{
"AttributeId": "Testnew.Name",
"Value": "Bob"
},
{
"AttributeId": "Testnew.Location",
"Value": "Athens"
},
{
"AttributeId": "Testnew.Postal",
"Value": 33333
}
]
}
],
"MultiRequests": {
"RequestReference": [
{
"ReferenceId": [
"id1"
]
}
]
}
}
}
},
"Action and Resource Attributes": {
"description": "Action and Resource Attributes",
"value": {
"Request": {
"AccessSubject": [],
"Action": [
{
"Attribute": [
{
"AttributeId": "action.identity",
"Value": "send"
}
]
}
],
"Resource": [
{
"Attribute": [
{
"AttributeId": "item.recipient.email",
"Value": "bill@wyldstallyns.com"
}
]
},
{
"Attribute": [
{
"AttributeId": "item.recipient.email",
"Value": "bill@axiomatics.se"
}
]
},
{
"Attribute": [
{
"AttributeId": "item.gui",
"Value": 123
}
]
}
]
}
}
},
"Role, Resource, Action, Environment": {
"description": "Role, Resource, Action, Environment",
"value": {
"Request": {
"AccessSubject": [
{
"Attribute": [
{
"AttributeId": "role",
"Value": "employee"
}
]
}
],
"Resource": [
{
"Attribute": [
{
"AttributeId": "document_id",
"Value": "companypolicy"
}
]
}
],
"Action": [
{
"Attribute": [
{
"AttributeId": "idaction",
"Value": "view"
}
]
}
],
"Environment": [
{
"Attribute": [
{
"AttributeId": "isAllowed",
"Value": true
}
]
}
]
}
}
}
}
},
"application/xacml+json": {
"schema": {
"$ref": "#/components/schemas/RequestWrapper"
},
"examples": {
"Simple Request": {
"description": "Simple Request",
"value": {
"Request": {
"AccessSubject": [
{
"Attribute": [
{
"AttributeId": "Testnew.Role",
"Value": "manager"
}
]
}
]
}
}
},
"Multiple AccessSubjects": {
"description": "Multiple AccessSubjects",
"value": {
"Request": {
"AccessSubject": [
{
"Id": "id1",
"Attribute": [
{
"AttributeId": "Testnew.Name",
"Value": "Alice"
},
{
"AttributeId": "Testnew.Location",
"Value": "Stockholm"
},
{
"AttributeId": "Testnew.Postal",
"Value": 22222
}
]
},
{
"Id": "id2",
"Attribute": [
{
"AttributeId": "Testnew.Name",
"Value": "Bob"
},
{
"AttributeId": "Testnew.Location",
"Value": "Athens"
},
{
"AttributeId": "Testnew.Postal",
"Value": 33333
}
]
}
],
"MultiRequests": {
"RequestReference": [
{
"ReferenceId": [
"id1"
]
}
]
}
}
}
},
"Action and Resource Attributes": {
"description": "Action and Resource Attributes",
"value": {
"Request": {
"AccessSubject": [],
"Action": [
{
"Attribute": [
{
"AttributeId": "action.identity",
"Value": "send"
}
]
}
],
"Resource": [
{
"Attribute": [
{
"AttributeId": "item.recipient.email",
"Value": "bill@wyldstallyns.com"
}
]
},
{
"Attribute": [
{
"AttributeId": "item.recipient.email",
"Value": "bill@axiomatics.se"
}
]
},
{
"Attribute": [
{
"AttributeId": "item.gui",
"Value": 123
}
]
}
]
}
}
},
"Role, Resource, Action, Environment": {
"description": "Role, Resource, Action, Environment",
"value": {
"Request": {
"AccessSubject": [
{
"Attribute": [
{
"AttributeId": "role",
"Value": "employee"
}
]
}
],
"Resource": [
{
"Attribute": [
{
"AttributeId": "document_id",
"Value": "companypolicy"
}
]
}
],
"Action": [
{
"Attribute": [
{
"AttributeId": "idaction",
"Value": "view"
}
]
}
],
"Environment": [
{
"Attribute": [
{
"AttributeId": "isAllowed",
"Value": true
}
]
}
]
}
}
}
}
},
"application/xacml+xml": {}
}
},
"responses": {
"200": {
"description": "Successfully evaluated the XACML XML/JSON request",
"content": {
"application/xacml+json": {
"schema": {
"oneOf": [
{
"$ref": "#/components/schemas/Response"
},
{
"$ref": "#/components/schemas/ResponseCtx"
}
]
}
},
"application/xacml+xml": {
"schema": {
"oneOf": [
{
"$ref": "#/components/schemas/Response"
},
{
"$ref": "#/components/schemas/ResponseCtx"
}
]
}
},
"application/json": {
"schema": {
"oneOf": [
{
"$ref": "#/components/schemas/Response"
},
{
"$ref": "#/components/schemas/ResponseCtx"
}
]
}
}
}
},
"400": {
"description": "Bad request due to invalid input",
"content": {
"application/json": {
"schema": {
"oneOf": [
{
"$ref": "#/components/schemas/ResponseCtx"
},
{
"$ref": "#/components/schemas/ErrorResponse"
}
]
},
"examples": {
"Parsing error": {
"description": "Parsing error",
"value": {
"code": 400,
"message": "ERROR_6700_PARSING_ERROR: Error in parsing the XACML Request."
}
}
}
},
"application/xacml+json": {
"schema": {
"$ref": "#/components/schemas/ResponseCtx"
}
},
"application/xacml+xml": {
"schema": {
"$ref": "#/components/schemas/ResponseCtx"
}
}
}
},
"500": {
"description": "Internal server error during the evaluation process",
"content": {
"application/json": {
"schema": {
"oneOf": [
{
"$ref": "#/components/schemas/ResponseCtx"
},
{
"$ref": "#/components/schemas/ErrorResponse"
}
]
},
"examples": {
"Internal server error": {
"description": "Internal server error",
"value": {
"code": 500,
"message": "Proper message based on the exception"
}
}
}
},
"application/xacml+json": {
"schema": {
"$ref": "#/components/schemas/ResponseCtx"
}
},
"application/xacml+xml": {
"schema": {
"$ref": "#/components/schemas/ResponseCtx"
}
}
}
}
}
}
},
"/authorization/simplified-constraints": {
"post": {
"tags": [
"Contextual Authorization Query Operations"
],
"summary": "Evaluate a request to produce a human readable response",
"description": "Generate a human readable response based on the domain configured and input request",
"operationId": "evaluateForPlainText",
"requestBody": {
"content": {
"application/json": {
"schema": {
"$ref": "#/components/schemas/CaqRequest"
}
}
},
"required": true
},
"responses": {
"200": {
"description": "OK",
"content": {
"text/plain": {
"schema": {
"type": "string"
}
},
"application/json": {
"schema": {
"$ref": "#/components/schemas/VerbalCaqResponse"
}
}
}
}
}
}
},
"/authorization/constraints": {
"post": {
"tags": [
"Contextual Authorization Query Operations"
],
"summary": "Evaluate a request",
"description": "Generate a constraints result based on the domain configured and input request",
"operationId": "evaluate",
"requestBody": {
"content": {
"application/json": {
"schema": {
"$ref": "#/components/schemas/CaqRequest"
}
}
},
"required": true
},
"responses": {
"200": {
"description": "OK",
"content": {
"application/json": {
"schema": {
"$ref": "#/components/schemas/AstCaqResponse"
}
}
}
}
}
}
},
"/": {
"get": {
"tags": [
"Access Decision Service Operations"
],
"summary": "Application Entry Point",
"description": "This endpoint serves as the root entry point according to the XACML REST API specification.",
"operationId": "getRootEntryPoint",
"responses": {
"200": {
"description": "Successfully processed the request.",
"content": {
"application/xml": {
"schema": {
"oneOf": [
{
"type": "string"
},
{
"$ref": "#/components/schemas/XML"
}
]
},
"example": "\u003c?xml version\u003d\"1.0\" encoding\u003d\"UTF-8\"?\u003e\n\u003cresources xmlns\u003d\u0027http://ietf.org/ns/home-documents\u0027 xmlns:atom\u003d\u0027http://www.w3.org/2005/Atom\u0027\u003e\n \u003cresource rel\u003d\u0027http://docs.oasis-open.org/xacml/ns/relation/pdp\u0027\u003e\n \u003catom:link href\u003d\u0027/authorize\u0027/\u003e\n \u003c/resource\u003e\n\u003c/resources\u003e\n"
}
}
}
}
}
}
},
"components": {
"schemas": {
"Attribute": {
"type": "object",
"properties": {
"AttributeId": {
"type": "string"
},
"Value": {
"type": "array",
"items": {}
},
"Issuer": {
"type": "string"
},
"DataType": {
"type": "string"
},
"IncludeInResult": {
"type": "boolean"
}
}
},
"AttributeAssignment": {
"type": "object",
"properties": {
"AttributeId": {
"type": "string",
"format": "uri"
},
"Value": {},
"Category": {
"type": "string",
"format": "uri"
},
"DataType": {
"type": "string",
"format": "uri"
},
"Issuer": {
"type": "string"
}
}
},
"AttributeReference": {
"type": "object",
"properties": {
"category": {
"type": "string"
},
"type": {
"type": "string"
},
"id": {
"type": "string"
},
"issuer": {
"type": "string"
}
}
},
"Expression": {
"type": "object",
"properties": {
"referencedAttributes": {
"type": "array",
"items": {
"$ref": "#/components/schemas/AttributeReference"
},
"uniqueItems": true
},
"variablesDependedOn": {
"type": "array",
"items": {
"type": "string"
},
"uniqueItems": true
},
"type": {
"type": "string"
}
}
},
"PolicyIdentifier": {
"type": "object",
"properties": {
"PolicyIdReference": {
"type": "array",
"items": {
"$ref": "#/components/schemas/IdReference"
}
},
"PolicySetIdReference": {
"type": "array",
"items": {
"$ref": "#/components/schemas/IdReference"
}
}
}
},
"ResponseCtx": {
"type": "object",
"properties": {
"results": {
"type": "array",
"items": {
"$ref": "#/components/schemas/Result"
},
"uniqueItems": true
},
"xacmlVersion": {
"type": "integer",
"format": "int32"
}
}
},
"Result": {
"type": "object",
"properties": {
"Decision": {
"type": "string"
},
"Status": {
"$ref": "#/components/schemas/Status"
},
"Obligations": {
"type": "array",
"items": {
"$ref": "#/components/schemas/ObligationOrAdvice"
}
},
"AssociatedAdvice": {
"type": "array",
"items": {
"$ref": "#/components/schemas/ObligationOrAdvice"
}
},
"Category": {
"type": "array",
"items": {
"$ref": "#/components/schemas/Attributes"
}
},
"PolicyIdentifierList": {
"$ref": "#/components/schemas/PolicyIdentifier"
}
}
},
"Status": {
"type": "object",
"properties": {
"StatusMessage": {
"type": "string"
},
"StatusDetail": {
"type": "string"
},
"StatusCode": {
"$ref": "#/components/schemas/StatusCode"
}
}
},
"Attributes": {
"type": "object",
"properties": {
"CategoryId": {
"type": "string"
},
"Id": {
"type": "string"
},
"Content": {
"type": "string"
},
"Attribute": {
"type": "array",
"items": {
"$ref": "#/components/schemas/Attribute"
}
}
}
},
"IdReference": {
"type": "object",
"properties": {
"Id": {
"type": "string",
"format": "uri"
},
"Version": {
"type": "string"
}
}
},
"ObligationOrAdvice": {
"type": "object",
"properties": {
"Id": {
"type": "string",
"format": "uri"
},
"AttributeAssignment": {
"type": "array",
"items": {
"$ref": "#/components/schemas/AttributeAssignment"
}
}
}
},
"Response": {
"type": "object",
"properties": {
"Response": {
"type": "array",
"items": {
"$ref": "#/components/schemas/Result"
}
}
}
},
"StatusCode": {
"type": "object",
"properties": {
"Value": {
"type": "string",
"format": "uri"
},
"StatusCode": {
"type": "array",
"items": {}
}
}
},
"ErrorResponse": {
"type": "object",
"properties": {
"code": {
"type": "integer",
"format": "int32"
},
"message": {
"type": "string"
}
}
},
"AccessSubject": {
"type": "object",
"properties": {
"shorthand": {
"type": "string"
},
"CategoryId": {
"type": "string"
},
"Id": {
"type": "string"
},
"Content": {
"type": "string"
},
"Attribute": {
"type": "array",
"items": {
"$ref": "#/components/schemas/Attribute"
}
}
}
},
"Action": {
"type": "object",
"properties": {
"shorthand": {
"type": "string"
},
"CategoryId": {
"type": "string"
},
"Id": {
"type": "string"
},
"Content": {
"type": "string"
},
"Attribute": {
"type": "array",
"items": {
"$ref": "#/components/schemas/Attribute"
}
}
}
},
"Codebase": {
"type": "object",
"properties": {
"shorthand": {
"type": "string"
},
"CategoryId": {
"type": "string"
},
"Id": {
"type": "string"
},
"Content": {
"type": "string"
},
"Attribute": {
"type": "array",
"items": {
"$ref": "#/components/schemas/Attribute"
}
}
}
},
"Environment": {
"type": "object",
"properties": {
"shorthand": {
"type": "string"
},
"CategoryId": {
"type": "string"
},
"Id": {
"type": "string"
},
"Content": {
"type": "string"
},
"Attribute": {
"type": "array",
"items": {
"$ref": "#/components/schemas/Attribute"
}
}
}
},
"IntermediarySubject": {
"type": "object",
"properties": {
"shorthand": {
"type": "string"
},
"CategoryId": {
"type": "string"
},
"Id": {
"type": "string"
},
"Content": {
"type": "string"
},
"Attribute": {
"type": "array",
"items": {
"$ref": "#/components/schemas/Attribute"
}
}
}
},
"MultiRequests": {
"type": "object",
"properties": {
"RequestReference": {
"type": "array",
"items": {
"$ref": "#/components/schemas/RequestReference"
}
}
}
},
"RecipientSubject": {
"type": "object",
"properties": {
"shorthand": {
"type": "string"
},
"CategoryId": {
"type": "string"
},
"Id": {
"type": "string"
},
"Content": {
"type": "string"
},
"Attribute": {
"type": "array",
"items": {
"$ref": "#/components/schemas/Attribute"
}
}
}
},
"Request": {
"type": "object",
"properties": {
"ReturnPolicyIdList": {
"type": "boolean"
},
"CombinedDecision": {
"type": "boolean"
},
"XPathVersion": {
"type": "string",
"format": "uri"
},
"Category": {
"type": "array",
"items": {
"$ref": "#/components/schemas/Attributes"
}
},
"MultiRequests": {
"$ref": "#/components/schemas/MultiRequests"
},
"AccessSubject": {
"type": "array",
"items": {
"$ref": "#/components/schemas/AccessSubject"
}
},
"Resource": {
"type": "array",
"items": {
"$ref": "#/components/schemas/Resource"
}
},
"Action": {
"type": "array",
"items": {
"$ref": "#/components/schemas/Action"
}
},
"Environment": {
"type": "array",
"items": {
"$ref": "#/components/schemas/Environment"
}
},
"Codebase": {
"type": "array",
"items": {
"$ref": "#/components/schemas/Codebase"
}
},
"RecipientSubject": {
"type": "array",
"items": {
"$ref": "#/components/schemas/RecipientSubject"
}
},
"IntermediarySubject": {
"type": "array",
"items": {
"$ref": "#/components/schemas/IntermediarySubject"
}
},
"RequestingMachine": {
"type": "array",
"items": {
"$ref": "#/components/schemas/RequestingMachine"
}
}
}
},
"RequestReference": {
"type": "object",
"properties": {
"ReferenceId": {
"type": "array",
"items": {
"type": "string"
}
}
}
},
"RequestWrapper": {
"type": "object",
"properties": {
"Request": {
"$ref": "#/components/schemas/Request"
}
}
},
"RequestingMachine": {
"type": "object",
"properties": {
"shorthand": {
"type": "string"
},
"CategoryId": {
"type": "string"
},
"Id": {
"type": "string"
},
"Content": {
"type": "string"
},
"Attribute": {
"type": "array",
"items": {
"$ref": "#/components/schemas/Attribute"
}
}
}
},
"Resource": {
"type": "object",
"properties": {
"shorthand": {
"type": "string"
},
"CategoryId": {
"type": "string"
},
"Id": {
"type": "string"
},
"Content": {
"type": "string"
},
"Attribute": {
"type": "array",
"items": {
"$ref": "#/components/schemas/Attribute"
}
}
}
},
"AttributeValuation": {
"type": "object",
"properties": {
"attribute": {
"type": "string"
},
"values": {
"type": "array",
"items": {
"type": "string"
}
},
"issuer": {
"type": "string"
}
}
},
"CaqRequest": {
"type": "object",
"properties": {
"providedAttributes": {
"type": "array",
"items": {
"$ref": "#/components/schemas/AttributeValuation"
}
},
"mockedAttributes": {
"type": "array",
"items": {
"$ref": "#/components/schemas/AttributeValuation"
}
},
"pdpDecisionSet": {
"type": "array",
"items": {
"type": "string",
"enum": [
"PERMIT",
"DENY",
"INDETERMINATE",
"NOT_APPLICABLE"
]
},
"uniqueItems": true
},
"excludeIndeterminate": {
"type": "boolean"
},
"contextType": {
"type": "string",
"enum": [
"NONE",
"TIP",
"PATH"
]
}
}
},
"VerbalCaqResponse": {
"type": "object",
"properties": {
"response": {
"type": "string"
}
}
},
"AstCaqResponse": {
"type": "object",
"properties": {
"response": {
"$ref": "#/components/schemas/Expression"
}
}
},
"XML": {
"type": "object",
"properties": {
"name": {
"type": "string"
},
"namespace": {
"type": "string"
},
"prefix": {
"type": "string"
},
"attribute": {
"type": "boolean"
},
"wrapped": {
"type": "boolean"
},
"extensions": {
"type": "object",
"additionalProperties": {}
}
}
}
}
}
}