IAM aggregate APIs

These endpoints back the AI/MCP IAM cockpit. They return workspace-scoped read models so clients do not have to stitch tools, scopes, role bindings, consent, and end-user state in the browser.

All endpoints require an admin JWT and workspace admin/owner role.

Method  Route
GET     /authsec/v1/workspaces/:workspace_id/applications/posture-summary
GET     /authsec/v1/applications/:id/tool-exposure
GET     /authsec/v1/applications/:id/scopes
GET     /authsec/v1/applications/:id/scopes/:scope_id/impact
GET     /authsec/v1/applications/:id/access-assignments
GET     /authsec/v1/applications/:id/end-user-access-summary
GET     /authsec/v1/applications/:id/effective-access?user_id=...
POST    /authsec/v1/applications/:id/access-simulations
POST    /authsec/v1/applications/:id/access-change-previews
POST    /authsec/v1/applications/:id/evidence-exports

Access simulation

POST /authsec/v1/applications/:id/access-simulations

{
  "user_id": "6df1f0f4-...",
  "tool_id": "7b24f1fb-...",
  "client_id": "optional-oauth-client-id"
}

Returns:

{
  "verdict": "denied",
  "failed_condition": "missing_role_scope",
  "safest_fix": "Assign a role that grants one of the tool's access labels.",
  "decision_trace": [
    {"check": "user_active", "state": "ok"},
    {"check": "application_launched", "state": "ok"},
    {"check": "tool_mapped", "state": "ok"},
    {"check": "role_grants_scope", "state": "blocked"}
  ]
}

The simulation runs the same backend scope resolver that runtime policy uses for scope decisions, then wraps the result in operator-friendly language.
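The following is an added toy evaluator that reproduces the shape of the simulation response above; it is not the service's own scope resolver. The check names and the `missing_role_scope` condition come from the documented response; the other `failed_condition` codes, the sample records and the access-label model are assumptions made for this example.

```python
# Added example: a toy evaluator with the response shape of the
# access-simulation endpoint. It is NOT the AuthSec scope resolver.
# Check names and "missing_role_scope" come from the documented response;
# the other failed_condition codes are placeholders chosen here.
from typing import Callable

# Constructed sample records (stand-ins, not data from the IAM service).
USER = {"id": "6df1f0f4-...", "active": True, "roles": ["viewer"]}
APP = {"id": "app-1", "launched": True}
TOOL = {"id": "7b24f1fb-...", "application_id": "app-1", "access_labels": {"tickets:write"}}
ROLE_SCOPES = {"viewer": {"tickets:read"}, "agent": {"tickets:read", "tickets:write"}}

SAFEST_FIX = {
    "missing_role_scope": "Assign a role that grants one of the tool's access labels.",
}


def simulate_access(user: dict, app: dict, tool: dict, role_scopes: dict) -> dict:
    """Walk the checks in order and stop at the first blocked one, so on a
    denial the decision_trace ends with exactly one 'blocked' entry."""
    granted = set().union(*(role_scopes.get(r, set()) for r in user["roles"]))
    checks: list[tuple[str, Callable[[], bool], str]] = [
        ("user_active", lambda: user["active"], "user_inactive"),
        ("application_launched", lambda: app["launched"], "application_not_launched"),
        ("tool_mapped", lambda: tool["application_id"] == app["id"], "tool_not_mapped"),
        ("role_grants_scope", lambda: bool(granted & tool["access_labels"]), "missing_role_scope"),
    ]
    trace = []
    for name, passes, failure_code in checks:
        ok = passes()
        trace.append({"check": name, "state": "ok" if ok else "blocked"})
        if not ok:
            return {
                "verdict": "denied",
                "failed_condition": failure_code,
                "safest_fix": SAFEST_FIX.get(failure_code, "Review the blocked check."),
                "decision_trace": trace,
            }
    return {"verdict": "allowed", "failed_condition": None, "decision_trace": trace}


def denied_example() -> dict:
    # The viewer role grants no label the tool requires -> missing_role_scope.
    return simulate_access(USER, APP, TOOL, ROLE_SCOPES)


def allowed_example() -> dict:
    # Same user with the agent role, which grants tickets:write.
    return simulate_access({**USER, "roles": ["agent"]}, APP, TOOL, ROLE_SCOPES)
```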

Phase 5 compatibility

During the tenant_id to workspace_id overlap, read and write workspace_id first. tenant_id may still appear in compatibility JSON until the Day 8 removal window.