ArmorIQ SDK

Policy Specification

Define authorization policies for intent tokens.

Policies can be defined programmatically (in the SDK) or visually (ArmorIQ Canvas).

Policy Structure

{
    "allow": list[str],            # Allowed actions (glob patterns, e.g., "analytics-mcp/*")
    "deny": list[str],             # Denied actions (glob patterns, e.g., "data-mcp/delete_*")
    "allowed_tools": list[str],    # Whitelisted tool names (optional)
    "rate_limit": int,             # Requests per hour (optional)
    "ip_whitelist": list[str],     # Allowed IPs/CIDR ranges (optional)
    "time_restrictions": {         # Time-based access (optional)
        "allowed_hours": list[int],    # 0-23 (e.g., [9, 10, 11, ..., 17] for 9 AM - 5 PM)
        "allowed_days": list[str]      # ["Monday", "Tuesday", ...]
    },
    "priority": int                # Policy priority 0-100 (higher = more important)
}

Method 1: Programmatic (SDK)

policy = {
    "allow": ["analytics-mcp/*", "data-mcp/fetch_*"],
    "deny": ["data-mcp/delete_*"],
    "allowed_tools": ["read_file", "analyze", "aggregate"],
    "rate_limit": 100,
    "ip_whitelist": ["10.0.0.0/8"],
    "time_restrictions": {
        "allowed_hours": [9, 10, 11, 12, 13, 14, 15, 16, 17],
        "allowed_days": ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday"]
    }
}

token = client.get_intent_token(
    plan_capture=plan,
    policy=policy,
    validity_seconds=3600
)
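A local pre-flight check for a policy dict before it is passed to get_intent_token, as an added example that is not part of the ArmorIQ SDK. The helper name lint_policy is hypothetical; field names and ranges come from the Policy Structure above, while flagging wildcard-only allow patterns and /0 networks, requiring rate_limit >= 1, and case-sensitive day names are assumptions.

```python
import ipaddress

DAYS = {"Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"}
LIST_FIELDS = ("allow", "deny", "allowed_tools", "ip_whitelist")


def _int_in(value, low, high):
    # bool is a subclass of int in Python, so reject it explicitly.
    return isinstance(value, int) and not isinstance(value, bool) and low <= value <= high


def lint_policy(policy):
    """Return a list of findings for a policy dict; an empty list means clean."""
    findings = []
    for key in LIST_FIELDS:
        value = policy.get(key, [])
        if not (isinstance(value, list) and all(isinstance(v, str) for v in value)):
            findings.append(f"{key}: expected a list of strings")
            policy = {**policy, key: []}  # local copy; skip content checks for this field
    # Assumption: a pattern made only of "*" and "/" matches every action.
    for pattern in policy.get("allow", []):
        if pattern and not pattern.strip("*/"):
            findings.append(f"allow: {pattern!r} permits every action")
    for entry in policy.get("ip_whitelist", []):
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(f"ip_whitelist: {entry!r} is not an IP or CIDR range")
            continue
        if net.prefixlen == 0:  # Assumption: a /0 range defeats the restriction.
            findings.append(f"ip_whitelist: {entry!r} covers every address")
    # Assumption: a rate limit below 1 request per hour is a mistake.
    if "rate_limit" in policy and not _int_in(policy["rate_limit"], 1, float("inf")):
        findings.append("rate_limit: expected a positive integer (requests per hour)")
    if "priority" in policy and not _int_in(policy["priority"], 0, 100):
        findings.append("priority: expected an integer from 0 to 100")
    window = policy.get("time_restrictions", {})
    hours = window.get("allowed_hours", []) if isinstance(window, dict) else None
    days = window.get("allowed_days", []) if isinstance(window, dict) else None
    if not isinstance(hours, list) or not isinstance(days, list):
        return findings + ["time_restrictions: expected allowed_hours/allowed_days lists"]
    findings += [f"allowed_hours: {h!r} is outside 0-23" for h in hours if not _int_in(h, 0, 23)]
    # Assumption: day names are full English names, matched case-sensitively.
    findings += [f"allowed_days: {d!r} is not a day name" for d in days if not (isinstance(d, str) and d in DAYS)]
    return findings


if __name__ == "__main__":
    # Constructed sample input, not a policy from the page.
    print(lint_policy({"allow": ["*"], "ip_whitelist": ["0.0.0.0/0"], "priority": 150}))
```

Running the same check on the `permissions` object fetched from the policies API catches a malformed or overly broad policy before a token is requested with it.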

Method 2: Visual Policy Builder (ArmorIQ Canvas)

Use the drag-and-drop interface at https://armoriq.io/dashboard/policies:

  1. Click the "Canvas" button to open the visual builder
  2. Drag users, MCPs, and agents onto the canvas
  3. Connect entities with edges (connections)
  4. Click an edge to configure permissions visually
  5. Use "Browse Tools" to select allowed tools from the MCP
  6. Set IP restrictions, time windows, and rate limits
  7. Save the policy with a name and priority

Use the policy ID in the SDK:

# Use policy created in Canvas
token = client.get_intent_token(
    plan_capture=plan,
    policy_id="f88cf4c7-732d-44ff-901b-fd3d882c2ecf",  # From Canvas
    validity_seconds=3600
)

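# Or fetch the policy JSON from the API and use it directly
import requests
policy_response = requests.get(
    "https://api.armoriq.io/policies/f88cf4c7-732d-44ff-901b-fd3d882c2ecf",
    headers={"Authorization": f"Bearer {user_jwt}"},
    timeout=10,  # fail fast instead of hanging on a stalled connection
)
policy_response.raise_for_status()  # do not parse an error body as a policy
policy = policy_response.json()["data"]["permissions"]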

token = client.get_intent_token(
    plan_capture=plan,
    policy=policy,
    validity_seconds=3600
)

Policy Encoding

The policy is automatically encoded into the CSRG token JWT payload and cryptographically verified during execution. The proxy enforces policy rules before routing requests to MCPs.
