> ## Documentation Index > Fetch the complete documentation index at: https://altostrat.io/docs/llms.txt > Use this file to discover all available pages before exploring further. # Create a policy > Creates a new security policy. You can define rules for services like Winbox, SSH, and HTTP/S, including which networks are allowed to access them. ## OpenAPI ````yaml /api/en/control-plane.yaml post /control-plane/policies openapi: 3.0.3 info: title: Altostrat Control Plane API version: 1.0.0 description: >- The Altostrat Control Plane API is the microservice responsible for managing the configuration, security policies, and on-demand access for individual MikroTik network sites. It serves as the central orchestration layer within the Altostrat SDX platform, translating high-level user configurations into actionable commands and secure access rules for managed network devices. This API allows you to programmatically manage: - **Policies:** Centralized firewall and service management rules that define how sites behave and what traffic is permitted. - **Transient Access:** Secure, time-limited SSH and Winbox connections to your devices for remote diagnostics and maintenance, without exposing them permanently to the internet. - **API Credentials:** The unique credentials used by the Altostrat platform to securely communicate with and manage each of your network sites. Developers use this API to automate network security configurations, manage device access policies, and create temporary, secure connections for remote operations. servers: - url: https://v1.api.altostrat.io description: Production API Server security: - bearerAuth: [] tags: - name: Policies description: Manage firewall and service access policies for sites. - name: Transient Access description: Create and manage temporary, secure administrative access to sites. - name: Transient Port Forwarding description: >- Create and manage temporary, secure port forwards to devices behind a site. - name: Site Operations description: Perform actions and manage configurations for specific sites. - name: Site Notes description: Read and update the note attached to a managed site. paths: /control-plane/policies: post: tags: - Policies summary: Create a policy description: >- Creates a new security policy. You can define rules for services like Winbox, SSH, and HTTP/S, including which networks are allowed to access them. requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/PolicyRequest' responses: '201': description: The newly created policy object. content: application/json: schema: $ref: '#/components/schemas/Policy' '400': description: Bad Request - The request was malformed or invalid. content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' '500': description: Internal Server Error. content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' components: schemas: PolicyRequest: type: object required: - name - trusted_networks - winbox - ssh - http - https - telnet - ftp - api - api_ssl properties: name: type: string description: A human-readable name for the policy. maxLength: 100 example: Branch Office Policy custom_input_rules: type: boolean description: Whether custom input rules are being used. default: true example: true trusted_networks: type: array description: >- A list of CIDR networks that are considered trusted across all services in this policy. items: type: string description: A valid IPv4 CIDR notation. example: 10.100.0.0/16 winbox: $ref: '#/components/schemas/PolicyServiceRule' ssh: $ref: '#/components/schemas/PolicyServiceRule' http: $ref: '#/components/schemas/PolicyServiceRule' https: $ref: '#/components/schemas/PolicyServiceRule' telnet: $ref: '#/components/schemas/PolicyServiceRule' ftp: $ref: '#/components/schemas/PolicyServiceRule' api: $ref: '#/components/schemas/PolicyServiceRule' api_ssl: $ref: '#/components/schemas/PolicyServiceRule' sites: type: array description: >- An array of Site UUIDs to apply this policy to upon creation or update. items: type: string format: uuid example: - d290f1ee-6c54-4b01-90e6-d701748f0851 Policy: type: object properties: id: type: string format: uuid description: The unique identifier for the policy. example: a1b2c3d4-e5f6-7890-1234-567890abcdef name: type: string description: A human-readable name for the policy. example: Default Corporate Policy slug: type: string description: A unique, URL-friendly identifier for the policy. example: default-corporate-policy-a1b2c3d4e5 default: type: boolean description: Whether this is the default policy for the workspace. example: true custom_input_rules: type: boolean description: Whether custom input rules are being used. example: true trusted_networks: type: array description: >- A list of CIDR networks that are considered trusted across all services in this policy. items: type: string example: 10.0.0.0/8 winbox: $ref: '#/components/schemas/PolicyServiceRule' ssh: $ref: '#/components/schemas/PolicyServiceRule' http: $ref: '#/components/schemas/PolicyServiceRule' https: $ref: '#/components/schemas/PolicyServiceRule' telnet: $ref: '#/components/schemas/PolicyServiceRule' ftp: $ref: '#/components/schemas/PolicyServiceRule' api: $ref: '#/components/schemas/PolicyServiceRule' api_ssl: $ref: '#/components/schemas/PolicyServiceRule' sites: type: array description: A list of Site UUIDs that this policy is applied to. items: type: string format: uuid example: - d290f1ee-6c54-4b01-90e6-d701748f0851 created_at: type: string format: date-time description: The timestamp when the policy was created. example: '2025-10-29T01:00:00Z' updated_at: type: string format: date-time description: The timestamp when the policy was last updated. example: '2025-10-29T02:30:00Z' ErrorResponse: type: object properties: type: type: string description: A broad category for the error (e.g., 'invalid_request_error'). example: invalid_request_error code: type: string description: A short, unique string identifying the specific error. example: parameter_missing message: type: string description: A human-readable description of what went wrong. example: The 'name' parameter is required for this request. doc_url: type: string description: >- A direct link to the documentation page for this specific error code. example: https://docs.altostrat.io/errors/parameter_missing PolicyServiceRule: type: object properties: enabled: type: boolean description: Whether this service is enabled. example: true port: type: integer description: The port number for this service. example: 8291 networks: type: array description: A list of CIDR networks allowed to access this service. items: type: string example: 198.51.100.0/24 securitySchemes: bearerAuth: type: http scheme: bearer bearerFormat: JWT description: Enter your JWT bearer token. ````