Manage Policies
Set up and manage governance policies for Flex vaults — spending limits, whitelists, and cooldowns.
Policies let you enforce automated governance rules on Flex vault transactions. This guide covers creating, approving, editing, and managing policies.
Creating a policy
- Propose the policy — an Initiator (or higher) creates the policy, which enters a PENDING state:

  curl -X POST https://api.tholos.app/vault/{vaultId}/policies \
    -H "Authorization: Bearer $THOLOS_API_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{
      "name": "Daily spending limit",
      "conditions": [...],
      "authorizedSigners": [1, 2, 3]
    }'

- Notify approvers — optionally send push notifications to vault signers:

  curl -X POST https://api.tholos.app/policy/{policyId}/notify \
    -H "Authorization: Bearer $THOLOS_API_TOKEN"

- Approve the policy — each signer approves using the challenge-response flow:

  # Get challenge
  curl https://api.tholos.app/policy/{policyId}/challenge \
    -H "Authorization: Bearer $SIGNER_TOKEN"

  # Approve
  curl -X POST https://api.tholos.app/policy/{policyId}/approve \
    -H "Authorization: Bearer $SIGNER_TOKEN"

- Policy becomes active — once the vault’s approval threshold is met, the policy starts enforcing rules on all new transactions.
Checking policy status
# Get policy details
curl https://api.tholos.app/policy/{policyId} \
  -H "Authorization: Bearer $THOLOS_API_TOKEN"

# Get approval status
curl https://api.tholos.app/policy/{policyId}/approvals \
  -H "Authorization: Bearer $THOLOS_API_TOKEN"

Editing an active policy
You can edit an active policy without downtime. The current policy stays enforced while the edit is pending:

- Submit the edit:

  curl -X POST https://api.tholos.app/policy/{policyId}/edit \
    -H "Authorization: Bearer $THOLOS_API_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{
      "name": "Updated spending limit",
      "conditions": [...]
    }'

- Signers approve the edit:

  # Get challenge for the edit
  curl https://api.tholos.app/policy/{policyId}/edit/{editId}/challenge \
    -H "Authorization: Bearer $SIGNER_TOKEN"

  # Approve the edit
  curl -X POST https://api.tholos.app/policy/{policyId}/edit/{editId}/approve \
    -H "Authorization: Bearer $SIGNER_TOKEN"

- Edit applies atomically — when the threshold is met, the edit replaces the current policy.
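
The approval threshold and the atomic edit swap described above, as a small local Python model. This is an added example, not Tholos code or its API: the class, the `ACTIVE` state name, the numeric `limit` condition and counting repeat approvals by one signer once are all assumptions.

```python
# Local model of the lifecycle described above; not Tholos code or its API.
# Assumed for illustration: the class, the ACTIVE state name, a numeric
# "limit" condition, and that repeat approvals by one signer count once.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Policy:
    limit: int                      # hypothetical spending-limit condition
    signers: frozenset              # the policy's authorizedSigners
    threshold: int                  # the vault's approval threshold
    state: str = "PENDING"
    approvals: set = field(default_factory=set)
    pending_edit: Optional[dict] = None

    def _record(self, bucket: set, signer: int) -> bool:
        if signer not in self.signers:
            raise PermissionError(f"signer {signer} is not authorized")
        bucket.add(signer)          # set semantics: one vote per signer
        return len(bucket) >= self.threshold

    def approve(self, signer: int) -> None:
        if self.state == "PENDING" and self._record(self.approvals, signer):
            self.state = "ACTIVE"

    def propose_edit(self, new_limit: int) -> None:
        if self.state != "ACTIVE":
            raise ValueError("only an active policy can be edited")
        self.pending_edit = {"limit": new_limit, "approvals": set()}

    def approve_edit(self, signer: int) -> None:
        edit = self.pending_edit
        if edit and self._record(edit["approvals"], signer):
            # Threshold met: replace the rule and clear the edit in one step.
            self.limit, self.pending_edit = edit["limit"], None

    def allows(self, amount: int) -> bool:
        # A pending edit is never consulted: the current limit applies until the swap.
        return self.state != "ACTIVE" or amount <= self.limit


if __name__ == "__main__":
    p = Policy(limit=1000, signers=frozenset({1, 2, 3}), threshold=2)
    p.approve(1); p.approve(2)               # policy becomes ACTIVE
    p.propose_edit(5000); p.approve_edit(1)  # one of two approvals
    print(p.allows(2000))                    # False: old limit still enforced
    p.approve_edit(3)
    print(p.allows(2000))                    # True: edit applied
```
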
If an edit needs to be cancelled:
curl -X DELETE https://api.tholos.app/policy/{policyId}/edit/{editId} \
  -H "Authorization: Bearer $THOLOS_API_TOKEN"

Deactivating and reactivating
Deactivate a policy
curl -X POST https://api.tholos.app/policy/{policyId}/deactivate \
  -H "Authorization: Bearer $THOLOS_API_TOKEN"

This creates a deactivation request that requires signer approvals (same threshold as the vault).
Reactivate a policy
curl -X POST https://api.tholos.app/policy/{policyId}/reactivate \
  -H "Authorization: Bearer $THOLOS_API_TOKEN"

Reactivation also requires signer approvals.
Deleting a policy
Policies in PENDING, REJECTED, or DEACTIVATED states can be permanently deleted:
curl -X DELETE https://api.tholos.app/policy/{policyId} \
  -H "Authorization: Bearer $THOLOS_API_TOKEN"

Next steps
- Policies concept — understand policy types and evaluation
- Roles & Permissions — who can create and approve policies
- API Reference — see all policy endpoints