API Examples

Anchor’s API examples are written for security engineers building access orchestration, account hygiene checks, audit evidence retrieval, and review workflows. Endpoint shapes are representative where noted; validate exact fields against your deployed Anchor version.

Purpose

Show how API-first automation maps to the same users, scopes, resources, accounts, policies, logs, and posture signals visible in the UI.

Pattern

Each example includes intent, request, response shape, and why the workflow matters for privileged access governance.

Create a Policy

Purpose: define Security as Code control logic for verification, session access, and governance review.

curl -sS -X POST "$ANCHOR_API/policies" \
  -H "Authorization: Bearer $ANCHOR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Production Linux privileged access",
    "description": "Requires reason, verification, and controlled session access for production Linux accounts.",
    "rules": {
      "reason_required": true,
      "verification_required": true,
      "connect_allowed": true,
      "rotation_interval_days": 30
    }
  }'

{
  "id": 12,
  "name": "Production Linux privileged access",
  "status": "active",
  "created_at": "2026-05-06T13:00:00Z"
}

Why it matters: policy becomes repeatable privileged access governance instead of one-off administrative judgment.

Assign a Policy

Purpose: bind governance to a scope or resource so enforcement and audit evidence follow the operational boundary.

curl -sS -X POST "$ANCHOR_API/policy-bindings" \
  -H "Authorization: Bearer $ANCHOR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "policy_id": 12,
    "target_type": "scope",
    "target_id": 7
  }'

{
  "id": 88,
  "policy_id": 12,
  "target_type": "scope",
  "target_id": 7,
  "effective": true
}

Why it matters: policy-driven access works best when teams can see exactly which controls govern which resources.

List Resources

Purpose: pull the privileged resource inventory into security engineering and operational dashboards.

curl -sS "$ANCHOR_API/resources" \
  -H "Authorization: Bearer $ANCHOR_TOKEN"

[
  {
    "id": 42,
    "public_id": "res_prod_linux_admin",
    "name": "prod-linux-admin",
    "type": "linux_account",
    "scope_id": 7,
    "status": "verified",
    "policy_id": 12
  }
]

Why it matters: resource/account visibility is the foundation for account hygiene, policy drift review, and stale account detection.

Trigger Verification

Purpose: confirm that Anchor can still validate a managed resource or privileged account.

curl -sS -X POST "$ANCHOR_API/resources/42/verify" \
  -H "Authorization: Bearer $ANCHOR_TOKEN"

{
  "job_id": 501,
  "operation": "verify",
  "resource_id": 42,
  "status": "queued"
}

Why it matters: verification turns privileged access posture into current evidence, not stale inventory.

Trigger Rotation

Purpose: rotate a managed credential through an auditable job.

curl -sS -X POST "$ANCHOR_API/resources/42/rotate" \
  -H "Authorization: Bearer $ANCHOR_TOKEN"

{
  "job_id": 502,
  "operation": "rotate",
  "resource_id": 42,
  "status": "queued"
}

Why it matters: rotation becomes policy-driven, reviewable, and tied to job history instead of a hidden manual action.

Read Audit Logs

Purpose: retrieve audit evidence for access review, investigation, or reporting.

curl -sS "$ANCHOR_API/logs/audit?limit=50" \
  -H "Authorization: Bearer $ANCHOR_TOKEN"

{
  "events": [
    {
      "timestamp": "2026-05-06T13:20:13Z",
      "actor": "admin",
      "target_type": "resource",
      "target_id": 42,
      "operation": "verify",
      "status": "succeeded",
      "correlation_id": "evt_01HX..."
    }
  ]
}

Why it matters: audit trails are useful when they preserve actor, target, operation, policy context, and result.

Pull a Posture Rating

Purpose: summarize account hygiene, verification posture, policy coverage, and drift signals for a scope.

curl -sS "$ANCHOR_API/compliance/ratings?scope_id=7" \
  -H "Authorization: Bearer $ANCHOR_TOKEN"

{
  "scope_id": 7,
  "rating": "strong",
  "score": 91,
  "signals": [
    "policy_coverage_complete",
    "verification_current",
    "no_stale_privileged_accounts",
    "no_unresolved_policy_drift"
  ]
}

Why it matters: ratings turn privileged access posture into prioritized review work.

Check Policy Drift

Purpose: identify resources whose actual state no longer matches expected policy.

curl -sS "$ANCHOR_API/compliance/policy-drift?scope_id=7" \
  -H "Authorization: Bearer $ANCHOR_TOKEN"

{
  "scope_id": 7,
  "drift_count": 2,
  "items": [
    {
      "resource_id": 42,
      "signal": "rotation_due",
      "severity": "medium"
    }
  ]
}

Why it matters: policy drift visibility helps security teams fix control gaps before an audit or incident forces the issue.

Create an Access Session Request

Purpose: request policy-gated access through Anchor Connect.

curl -sS -X POST "$ANCHOR_API/connect/sessions" \
  -H "Authorization: Bearer $ANCHOR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "resource_id": 42,
    "mode": "web_terminal",
    "protocol": "ssh",
    "reason": "Production support window"
  }'

{
  "session": {
    "public_id": "acs_01HX...",
    "resource_id": 42,
    "status": "pending_launch",
    "protocol": "ssh"
  },
  "launch_token_expires_at": "2026-05-06T13:35:00Z"
}

Why it matters: access orchestration becomes policy-gated, time-bound, auditable, and connected to the target resource.