Dry-eval a policy against a SQL statement
Evaluates a single SQL statement against a policy — either a draft policy supplied inline or an existing policy referenced by id — and returns the decision the proxy would make: allow, block, mask, or row-filter. The evaluation reuses the data plane's own policy engine (the same parser, allow/block rules, row-filter rewriter, and masking analysis enforced on live agent sessions), so a what-if verdict matches real enforcement. Stateful checks a single-statement preview cannot model — per-region query and egress budgets, human approvals, and rollback/sandbox write routing — are reported as informational notes, not verdicts. This is a pure compute endpoint; it does not connect to the upstream database and persists nothing.
JWT issued by Better Auth. Verified via JWKS.
In: header
Path Parameters
Unique project identifier (prefixed, e.g. prj_xxx).
Request Body
application/json
TypeScript Definitions
Use the request body type in TypeScript.
A SQL statement to test plus the policy to test it against. Supply exactly one of policy_id (an existing saved policy) or policy (an unsaved draft, e.g. the in-progress editor form).
Response Body
application/json
application/json
application/json
application/json
application/json
application/json
curl -X POST "https://example.com/v1/projects/string/policy-evaluations" \ -H "Content-Type: application/json" \ -d '{ "sql": "SELECT email FROM users WHERE id = 1" }'{ "verdict": "allow", "rule": "ok", "reason": "string", "hint": "string", "masked_columns": [ { "column": "email", "kind": "redact" } ], "row_filter_predicate": "tenant_id = current_setting('pgbeam.tenant')", "rewritten_sql": "string", "notes": [ "string" ]}{ "error": { "code": "string", "message": "string" }}{ "error": { "code": "string", "message": "string" }}{ "error": { "code": "string", "message": "string" }}{ "error": { "code": "string", "message": "string" }}{ "error": { "code": "string", "message": "string" }}