API
Use the API for gates, evidence, passports, and connector status.
Pipeline writes use bearer gate tokens. Console reads use authenticated sessions. Examples use the customer self-hosted API origin, not Arconath dogfood infrastructure.
Gate evaluation
POST /gate/evaluate
curl -sS https://release-passport.example.com/releasepassport/v1/gate/evaluate \
-H "Authorization: Bearer $RELEASEPASSPORT_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"mode": "shadow",
"service": {
"name": "checkout-api",
"namespace": "apps-checkout",
"environment": "production"
},
"artifact": {
"digest": "sha256:abc123..."
},
"release": {
"releaseId": "gh-123456",
"sourceSha": "9f3c8b7",
"renderedManifestPath": "rendered/checkout-api.yaml"
},
"health": {
"ready": true,
"requireHealthyTarget": true
},
"rollback": {
"available": true,
"verified": false
}
}'
Evidence ingestion
POST /evidence/ingest
curl -sS https://release-passport.example.com/releasepassport/v1/evidence/ingest \
-H "Authorization: Bearer $RELEASEPASSPORT_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"source": "github_actions",
"externalId": "run-123456",
"service": { "name": "checkout-api", "namespace": "apps-checkout" },
"release": { "releaseId": "gh-123456", "sourceSha": "9f3c8b7" },
"artifact": { "digest": "sha256:abc123..." },
"evidence": [
{ "type": "smoke", "status": "passed", "summary": "render and health smoke passed" }
]
}'
Passport read
GET /passports/{id}
curl -sS https://release-passport.example.com/releasepassport/v1/passports/pp_01HXR8K3M2 \
-H "Cookie: releasepassport_session=..."
Connector status
GET /integrations
curl -sS https://release-passport.example.com/releasepassport/v1/integrations \
-H "Cookie: releasepassport_session=..."
Endpoint map
| Endpoint | Auth | Use case | Notes |
|---|---|---|---|
| POST /gate/evaluate | Bearer gate token | CI/CD asks for a release verdict before promotion. | Mutation route. Fail closed without a valid token. |
| POST /evidence/ingest | Bearer evidence/gate token | CI, tests, scanners, or approved automation attach evidence. | Sanitize payloads; never send secrets. |
| GET /passports | Session | Console lists release passports. | Used by Passports page and reports. |
| GET /passports/{id} | Session | Read a single passport detail. | Shows verdict, blockers, evidence timeline, policies, comments. |
| GET /integrations | Session | Read connector health and freshness. | Used by Integrations and Overview. |
| GET /license/status | Internal/session as configured | Runtime checks active license and entitlements. | Do not expose signing secrets. |
API design rules
Write APIs fail closed
Gate and evidence mutation routes require tokens. A missing, wrong, expired, or wrong-scope token must not create passports, evidence, connector updates, reports, or license changes.
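The fail-closed rule above, sketched as a token check that runs before any write. This is an added example, not the product's own code: the token table, its schema, the scope names, the reason strings, and the `authorize` and `handle_write` helpers are all assumptions made for illustration.

```python
import hashlib
import hmac
import time

def digest(token):
    # Store and compare SHA-256 digests so raw tokens never sit in the table.
    return hashlib.sha256(token.encode()).hexdigest()

# Constructed token records (assumed schema: one scope and an expiry per token).
TOKENS = {
    digest("gate-token-constructed"): {"scope": "gate", "expires_at": 2_000_000_000},
    digest("evidence-token-constructed"): {"scope": "evidence", "expires_at": 2_000_000_000},
    digest("old-gate-token-constructed"): {"scope": "gate", "expires_at": 1_000_000_000},
}

# Scopes accepted per mutation route, following the endpoint map.
ROUTE_SCOPES = {
    ("POST", "/gate/evaluate"): {"gate"},
    ("POST", "/evidence/ingest"): {"evidence", "gate"},
}

def authorize(method, path, authorization_header, now=None):
    """Return (allowed, reason); anything that is not an explicit allow is a deny."""
    now = time.time() if now is None else now
    accepted = ROUTE_SCOPES.get((method, path))
    if accepted is None:
        return False, "route_not_token_writable"
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return False, "missing_token"
    presented = digest(authorization_header[len("Bearer "):].strip())
    record = None
    for stored, candidate in TOKENS.items():
        # Constant-time compare, and no early exit on a match.
        if hmac.compare_digest(stored, presented):
            record = candidate
    if record is None:
        return False, "wrong_token"
    if now >= record["expires_at"]:
        return False, "expired_token"
    if record["scope"] not in accepted:
        return False, "wrong_scope"
    return True, "ok"

def handle_write(method, path, authorization_header, store, payload, now=None):
    """Authorize before touching state, so a denial leaves `store` unchanged."""
    allowed, reason = authorize(method, path, authorization_header, now)
    if allowed:
        store.append((path, payload))
    return allowed, reason
```

The write happens only on the single allow path; each of the four failure cases named above returns before `store` is touched.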
Read APIs are role-aware
Console reads use authenticated sessions and workspace membership. Reports are sanitized and should not leak token values, kubeconfigs, OIDC secrets, payment provider keys, or private raw evidence.
