
API

Anchor is API-first. UI workflows and automation use the same control-plane concepts: users, scopes, resources, accounts, policies, jobs, logs, posture signals, and Anchor Connect sessions.

The goal is not to expose every privileged action as an unmanaged script target. The goal is to let security engineering, IAM/PAM teams, and platform teams automate privileged access while preserving policy, auditability, account hygiene, and operational evidence.

  • Identity: Authenticate. Every API workflow starts with a known actor or automation identity.
  • Target: Target. Requests name scoped objects such as resources, accounts, policies, sessions, and logs.
  • Control: Authorize. Permissions, scope access, effective policy, and requested operation stay connected.
  • Evidence: Record. Job results, logs, audit records, and posture signals close the loop.

Anchor integrations should follow the control-plane pattern rather than treating the API as a shortcut around governance:

  • Identity: Actor. A user, API client, service identity, or automation job authenticates.
  • Target: Object. The request names resources, accounts, policies, sessions, logs, or posture data.
  • Control: Control. Permissions, scope access, effective policy, and operation rules are evaluated.
  • Evidence: Evidence. Results return as jobs, logs, audit records, posture signals, and review context.

  • Authentication for API identity and bearer token handling.
  • Resources API for inventory, resource context, verification, and rotation workflows.
  • Policies API for Security as Code definitions and bindings.
  • Logs API for operational events and audit evidence.
  • Posture API for compliance ratings, drift, stale account, and review signals.

API-first does not mean every team writes unsafe scripts around privileged access. It means automation uses the same model the console uses:

  • Authenticate a known actor or automation identity.
  • Operate against scoped objects such as resources, accounts, policies, sessions, jobs, logs, and posture signals.
  • Let Anchor evaluate permissions, scope access, effective policy, and requested operation.
  • Run controlled workflows such as verification, rotation, reconciliation, bulk preflight, policy binding, session launch, or evidence retrieval.
  • Read job results, logs, audit events, Ledger integrity, Compass findings, and Compliance Ratings as the feedback loop.

This is why Anchor is stronger than a UI-only PAM workflow. Engineers can automate the work, but the control plane still owns authorization, policy, audit, and review context.

Good integrations should make Anchor easier to operate and easier to explain. They should not bypass policy, hide target context, or create audit gaps.

| Integration habit | Anchor expectation |
| --- | --- |
| Use narrow automation identities. | Avoid shared administrator credentials for recurring API work. |
| Keep target context explicit. | Name resources, accounts, scopes, policies, and requested operations clearly. |
| Treat high-impact changes as reviewable. | Preserve job, event, audit, and posture feedback instead of hiding it in scripts. |
| Keep secrets out of output. | Do not log tokens, passwords, private keys, launch tokens, or raw credential material. |
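
One way to enforce the "keep secrets out of output" habit in an automation script, as an added example that is not Anchor's own code: a Python log formatter that masks bearer tokens, password and token fields, and PEM private keys before a record is written. The field names (such as `launch_token`), the logger name, and the sample log lines are assumptions constructed for illustration.

```python
import io
import logging
import re

# Secret classes named in the table above. Field names such as "launch_token"
# are assumptions for illustration, not taken from Anchor's API.
_RULES = [
    # PEM private key blocks, including multi-line bodies.
    (re.compile(r"-----BEGIN ([A-Z ]*)PRIVATE KEY-----.*?-----END \1PRIVATE KEY-----",
                re.S), "[REDACTED PRIVATE KEY]"),
    # Bearer tokens as they appear in an Authorization header.
    (re.compile(r"\b(bearer)\s+[A-Za-z0-9._~+/=-]+", re.I), r"\1 [REDACTED]"),
    # key=value / "key": "value" pairs whose key ends in a sensitive word.
    (re.compile(r"""(["']?\b[\w-]*(?:password|passwd|secret|token|api_key)\b["']?"""
                r"""\s*[:=]\s*)("[^"]*"|'[^']*'|[^\s,;&}"']+)""", re.I),
     r"\1[REDACTED]"),
]


def redact(text: str) -> str:
    """Apply every rule in order and return the masked text."""
    for pattern, replacement in _RULES:
        text = pattern.sub(replacement, text)
    return text


class RedactingFormatter(logging.Formatter):
    """Mask the fully formatted record, so args and tracebacks are covered."""

    def format(self, record: logging.LogRecord) -> str:
        return redact(super().format(record))


def demo() -> str:
    """Log constructed sample lines and return what the handler wrote."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(RedactingFormatter("%(levelname)s %(message)s"))
    log = logging.getLogger("automation_demo")  # hypothetical logger name
    log.handlers, log.propagate = [handler], False
    log.setLevel(logging.INFO)
    log.info("headers=%s", {"Authorization": "Bearer abc.def.ghi"})
    log.info("rotate job=%s account=%s password=%s", "job-17", "svc-backup", "S3cr3t!")
    log.info('session response {"id": "s-1", "launch_token": "lt_constructed"}')
    log.info("key material:\n-----BEGIN PRIVATE KEY-----\nNOTAKEY\n-----END PRIVATE KEY-----")
    return buf.getvalue()


if __name__ == "__main__":
    print(demo())
```

The formatter only protects handlers it is attached to, and pattern-based masking is a backstop: the script should still avoid passing credential material to log calls in the first place.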