Skip to content
Select themeSelect language

`PUT /api/runners/{id}/grants` — set a runner's authoritative scope (system-admin). Upserts the `runner_grants` row; the next JWT refresh narrows the runner within one TTL. Audited (`runner_grant_set`).

PUT
/api/runners/{id}/grants
curl --request PUT \
--url https://example.com/api/runners/2489E9AD-2EE2-8E00-8EC9-32D5F69181C0/grants \
--header 'Content-Type: application/json' \
--data '{ "allowed_labels": [ "example" ], "allowed_workspace_ids": [ "2489E9AD-2EE2-8E00-8EC9-32D5F69181C0" ], "class": "trusted", "isolation": "microvm", "tier": "wasm" }'
id
required
string format: uuid

Runner ID

Media typeapplication/json

A runner’s resolved grant — the request body for PUT and the response shape of both GET and PUT. Mirrors a runner_grants row + the JWT scope.

object
allowed_labels
required

Optional label restriction; empty = no label gate.

Array<string>
allowed_workspace_ids

null = trusted wildcard (any workspace); [] = edge fail-closed (none).

Array<string> | null
class
required

trusted | edge.

string
Allowed values: trusted edge
isolation
required

microvm | container.

string
Allowed values: microvm container
tier
required

wasm | docker | both.

string
Allowed values: wasm docker both

The stored grant

Media typeapplication/json

A runner’s resolved grant — the request body for PUT and the response shape of both GET and PUT. Mirrors a runner_grants row + the JWT scope.

object
allowed_labels
required

Optional label restriction; empty = no label gate.

Array<string>
allowed_workspace_ids

null = trusted wildcard (any workspace); [] = edge fail-closed (none).

Array<string> | null
class
required

trusted | edge.

string
Allowed values: trusted edge
isolation
required

microvm | container.

string
Allowed values: microvm container
tier
required

wasm | docker | both.

string
Allowed values: wasm docker both
Example
{
"class": "trusted",
"isolation": "microvm",
"tier": "wasm"
}

Invalid class/tier/isolation, or an edge runner given the trusted wildcard

Media typeapplication/json

The canonical JSON body of every error response — the single source of truth the frontend binds to. Every AppError serializes as this exact shape, and the generated OpenAPI component ApiErrorBody (with its ErrorCode enum) is what the frontend error schema is generated from, so there is no hand-written error schema on either end.

object
code
required

Machine-readable, stable error code.

string
Allowed values: not_found unauthorized forbidden bad_request unprocessable precondition_failed conflict method_not_allowed rate_limited quota_exceeded database_error docker_error vault_error internal_error
details
One of:
null
error
required

Human-readable message (the server’s English text; the client may localize by code).

string
Example
{
"code": "not_found"
}

Authentication required

Media typeapplication/json

The canonical JSON body of every error response — the single source of truth the frontend binds to. Every AppError serializes as this exact shape, and the generated OpenAPI component ApiErrorBody (with its ErrorCode enum) is what the frontend error schema is generated from, so there is no hand-written error schema on either end.

object
code
required

Machine-readable, stable error code.

string
Allowed values: not_found unauthorized forbidden bad_request unprocessable precondition_failed conflict method_not_allowed rate_limited quota_exceeded database_error docker_error vault_error internal_error
details
One of:
null
error
required

Human-readable message (the server’s English text; the client may localize by code).

string
Example
{
"code": "not_found"
}

Permission denied

Media typeapplication/json

The canonical JSON body of every error response — the single source of truth the frontend binds to. Every AppError serializes as this exact shape, and the generated OpenAPI component ApiErrorBody (with its ErrorCode enum) is what the frontend error schema is generated from, so there is no hand-written error schema on either end.

object
code
required

Machine-readable, stable error code.

string
Allowed values: not_found unauthorized forbidden bad_request unprocessable precondition_failed conflict method_not_allowed rate_limited quota_exceeded database_error docker_error vault_error internal_error
details
One of:
null
error
required

Human-readable message (the server’s English text; the client may localize by code).

string
Example
{
"code": "not_found"
}

Structured server error

Media typeapplication/json

The canonical JSON body of every error response — the single source of truth the frontend binds to. Every AppError serializes as this exact shape, and the generated OpenAPI component ApiErrorBody (with its ErrorCode enum) is what the frontend error schema is generated from, so there is no hand-written error schema on either end.

object
code
required

Machine-readable, stable error code.

string
Allowed values: not_found unauthorized forbidden bad_request unprocessable precondition_failed conflict method_not_allowed rate_limited quota_exceeded database_error docker_error vault_error internal_error
details
One of:
null
error
required

Human-readable message (the server’s English text; the client may localize by code).

string
Example
{
"code": "not_found"
}