Organisation security policy API
Customer API endpoints for per-organisation and tenant password security policies
Manage organisation security policies and tenant password defaults programmatically. All endpoints require a management API key or OAuth token with the appropriate scopes.
Authentication
| API | Token | Base URL |
|---|---|---|
| Customer API | Management API key (wocha_mgmt_...) or OAuth token | https://TENANT.api.wocha.ai/v1/customer |
| Endpoint | Required scope |
|---|---|
GET .../security-policy | organisations:read |
PUT / DELETE .../security-policy | organisations:write |
GET / PUT .../password-policy | settings:read / settings:write |
Organisation security policy
Get effective policy
Returns the merged effective policy for an organisation, with _inherited flags indicating which fields use tenant defaults versus org overrides.
Response 200 OK:
_inherited field
Each key in _inherited is a boolean:
| Value | Meaning |
|---|---|
true | Field is inherited from the tenant default (no org override) |
false | Field is overridden at the organisation level |
Use _inherited to build UIs that show inherit/override state without comparing against tenant defaults client-side.
Errors:
| Status | Code | When |
|---|---|---|
404 | not_found | Organisation does not exist |
401 | unauthorized | Invalid or missing token |
403 | forbidden | Token lacks organisations:read scope |
Update org overrides
Set organisation-specific overrides. Only include fields you want to change. Pass null to clear an override and revert to tenant inheritance.
CamelCase field names are also accepted (mfaEnforcement, mfaPolicy, etc.).
Validation rules:
mfaEnforcementcannot be less strict than the tenant defaultmfaPolicycannot be less strict than the tenant MFA policyallowedFactorsmust be a subset of tenant allowed factorspasswordMinLengthcannot be less than the tenant minimum- Password complexity and HIBP flags cannot be disabled when required by tenant
passwordMaxAgeDayscannot exceed the tenant maximum agepasswordDisallowReusecannot be less than the tenant reuse limitsessionTimeoutMinutes≥ 5,sessionIdleTimeoutMinutes≥ 1
Response 200 OK: Returns the updated effective policy (same shape as GET).
Errors:
| Status | Code | When |
|---|---|---|
400 | validation_error | Policy violates strictness rules |
404 | not_found | Organisation does not exist |
Reset to tenant defaults
Removes all organisation-specific overrides from org_security_policies.
Response 200 OK: Returns the effective policy after reset (all _inherited flags true where no legacy org_metadata overrides exist).
Tenant password policy
Configure the tenant-wide password default. All organisations inherit these values unless they override specific fields.
Get tenant password policy
Response 200 OK:
Update tenant password policy
Snake_case and camelCase field names are both accepted.
| Field | Type | Constraints |
|---|---|---|
minLength / min_length | integer | 8–128 |
requireUppercase / require_uppercase | boolean | — |
requireLowercase / require_lowercase | boolean | — |
requireNumber / require_number | boolean | — |
requireSymbol / require_symbol | boolean | — |
hibpCheck / hibp_check | boolean | — |
maxAgeDays / max_age_days | integer | ≥ 0 (0 = no expiry) |
disallowReuse / disallow_reuse | integer | ≥ 0 (0 = disabled) |
Response 200 OK: Returns the updated policy (same shape as GET).
Code examples
cURL — require MFA for an engineering org
JavaScript — read effective policy and check inheritance
JavaScript — update tenant password policy
Related
- Organisation security policies guide — policy model and Console configuration
- Adaptive MFA — MFA enforcement levels and risk engine
- MFA API — TOTP enrolment and risk events