Set per-API-key quotas and source IP allowlist
PUT/invostaq-admin/tenants/:tenantId/api-keys/:keyId/policy
Admin-only. Overrides the platform-default rate-limit quotas and
sets a source-IP allowlist for a single API key. Each field is
independent — pass null to clear it and fall back to the global
default (60 GET / 20 POST per minute, no IP restriction).
Quota bounds: requestsPerMinuteGet and requestsPerMinutePost must
be between 1 and 10,000, or null.
The allowedIps field is a comma-separated list of IPv4 / IPv6 / CIDR
entries — same format as Webhook__AllowedIps. Non-matching source
IPs are rejected with 403 type: https://invostaq.com/errors/ip-not-allowed
on subsequent calls.
Changes take effect on the next request: the in-process caches
for this key (rl-override and ip-allow) are invalidated as part
of the save. No 60 s cache wait.
Request
Responses
- 200
- 400
- 401
- 403
- 404
Policy updated
Invalid JSON, empty body, or quota out of range
Missing or invalid credentials
Caller is not on the admin email allowlist
API key not found for this tenant