A policy is a JSON-serializable rule set attached to an agent. Each agent has exactly one policy, and it is mutable. The policy engine evaluates the policy on every intent, grant, issue, redeem, and checkout; evaluation is a pure function, deterministic and fully testable. Agents can read their policy but never modify it. Modification is possible only from the dashboard or with an API key; agent tokens always get 403.

Enforcement levels

| Level | Behavior |
| --- | --- |
| enforce | Block the transaction. Returns policy_denied. |
| approve | Allow but flag for human approval. |
| warn | Log an advisory; transaction proceeds. |

Field reference

Limits

| Field | Type | Notes |
| --- | --- | --- |
| maxTransactionEuros | number | Per-transaction cap |
| dailyLimitEuros | number | UTC day rolling sum |
| weeklyLimitEuros | number | ISO week, resets Monday |
| monthlyLimitEuros | number | Calendar month |
| autoApproveLimitEuros | number | Below this, no human needed |
| requireApprovalAbove | number | Above this, human required |

Merchant + geo

| Field | Type | Notes |
| --- | --- | --- |
| merchantAllowlist | string[] | Allowlist of merchant names |
| merchantBlocklist | string[] | Blocklist |
| allowedMccs | string[] | MCC codes |
| blockedMccs | string[] | MCC codes |
| allowedCountries | string[] | ISO 3166-1 alpha-2 |
| blockedCountries | string[] | ISO 3166-1 alpha-2 |
| lockToFirstMerchant | boolean | Lock card to first merchant seen |

Time + cooldown

| Field | Type | Notes |
| --- | --- | --- |
| activeHoursStart / activeHoursEnd | int 0–23 | UTC hour window |
| timezone | string | IANA tz string |
| allowedDays | enum[] | mon–sun |
| cooldownMinutes | int | Min minutes between charges |

Lifecycle

| Field | Type | Notes |
| --- | --- | --- |
| expiresAfterMinutes | int | Auto-expire policy |
| expirationAction | enum | freeze · close · notify |
| maxUsageCount | int | Lock card after N charges |

Required behavior

| Field | Type | Notes |
| --- | --- | --- |
| requireIntent | boolean | Sacred: defaults true, never silently dropped |
| requireAttestation | boolean | Require signed attestation per charge |
| attestationWindowMinutes | int | Validity window for attestation |
| amountTolerancePercent | number | Allowed deviation actual vs expected |

Create a policy

curl -X POST https://api.getovra.com/policies \
  -H "Authorization: Bearer $OVRA_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Subscriptions only",
    "description": "Recurring SaaS, sub EUR 250",
    "enforcementLevel": "enforce",
    "maxTransactionEuros": 250,
    "monthlyLimitEuros": 1000,
    "merchantAllowlist": ["hetzner.com", "openai.com", "anthropic.com"],
    "allowedCountries": ["DE", "US", "GB"],
    "autoApproveLimitEuros": 50
  }'

Update a policy

curl -X PATCH https://api.getovra.com/policies/po_... \
  -H "Authorization: Bearer $OVRA_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "monthlyLimitEuros": 1500 }'

Updates propagate live, including to the card-issuer-native control surface.
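
A client-side lint for a policy body before it goes to POST or PATCH /policies, written as an added example (not Ovra's code or SDK). It checks keys and value shapes against the field reference above; treating unknown keys as errors, requiring non-negative numbers, and flagging allow/block overlaps are assumptions of this example, not documented API behavior.

```javascript
// Field names and types come from this page's field reference; the linter itself is an added illustration.
const FIELDS = {
  name: "string", description: "string", enforcementLevel: "enum:enforce,approve,warn",
  maxTransactionEuros: "number", dailyLimitEuros: "number", weeklyLimitEuros: "number",
  monthlyLimitEuros: "number", autoApproveLimitEuros: "number", requireApprovalAbove: "number",
  merchantAllowlist: "string[]", merchantBlocklist: "string[]",
  allowedMccs: "string[]", blockedMccs: "string[]",
  allowedCountries: "country[]", blockedCountries: "country[]", lockToFirstMerchant: "boolean",
  activeHoursStart: "hour", activeHoursEnd: "hour", timezone: "string",
  allowedDays: "string[]", // day tokens are not spelled out on the page, so only the shape is checked
  cooldownMinutes: "int", expiresAfterMinutes: "int", expirationAction: "enum:freeze,close,notify",
  maxUsageCount: "int", requireIntent: "boolean", requireAttestation: "boolean",
  attestationWindowMinutes: "int", amountTolerancePercent: "number",
};
const isInt = (v) => Number.isInteger(v) && v >= 0;
const CHECKS = { // assumption: amounts and counts are never negative
  string: (v) => typeof v === "string",
  number: (v) => typeof v === "number" && Number.isFinite(v) && v >= 0,
  boolean: (v) => typeof v === "boolean",
  int: isInt,
  hour: (v) => isInt(v) && v <= 23,
  "string[]": (v) => Array.isArray(v) && v.every((s) => typeof s === "string"),
  "country[]": (v) => Array.isArray(v) && v.every((s) => /^[A-Z]{2}$/.test(s)), // format only
};
const PAIRS = [["merchantAllowlist", "merchantBlocklist"], ["allowedMccs", "blockedMccs"],
  ["allowedCountries", "blockedCountries"]];
function lintPolicy(policy) {
  const findings = [];
  for (const [key, value] of Object.entries(policy)) {
    // Own-property lookup so keys such as "__proto__" or "constructor" count as unknown.
    const type = Object.prototype.hasOwnProperty.call(FIELDS, key) ? FIELDS[key] : null;
    if (!type) { findings.push(`unknown field: ${key}`); continue; }
    const ok = type.startsWith("enum:") ? type.slice(5).split(",").includes(value) : CHECKS[type](value);
    if (!ok) findings.push(`bad value for ${key}: expected ${type}`);
  }
  const list = (k) => (Array.isArray(policy[k]) ? policy[k] : []);
  for (const [allow, block] of PAIRS) {
    for (const x of list(allow)) {
      if (list(block).includes(x)) findings.push(`${x} is in both ${allow} and ${block}`);
    }
  }
  if (policy.requireIntent === false) findings.push("requireIntent is disabled");
  return findings;
}

// Constructed sample: misspelled allowlist key, three-letter lowercase country, hour out of range.
const sample = { enforcementLevel: "enforce", merchantAllowList: ["hetzner.com"],
  allowedCountries: ["DE", "usa"], activeHoursEnd: 24 };
console.log(lintPolicy(sample));
```

Running it in CI over version-controlled policy JSON catches a misspelled key before the request is sent.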

Pre-built presets

policy-presets.ts ships templates for common patterns:
Allowed MCCs: 4111, 4112, 4131, 4511, 7011, 7012. Country allowlist matches your travel countries. Hard daily cap.
Merchant allowlist of known SaaS providers. lockToFirstMerchant true. Monthly cap.
MCC 5734/5735/7372 (software). Per-transaction ceiling. Auto-approve sub-€20.

Risk thresholds (per-policy)

You can override the default 70/85/95 risk thresholds per policy:

curl -X PATCH https://api.getovra.com/risk/config \
  -H "Authorization: Bearer $OVRA_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "thresholdReview": 60,
    "thresholdDeny": 80,
    "thresholdFreeze": 95,
    "autoFreezeEnabled": false
  }'

Constraint: thresholdReview < thresholdDeny < thresholdFreeze. See Control for risk engine details.

Surfaces

| Surface | Capability |
| --- | --- |
| REST | /policies, /risk/config, /risk/violations |
| SDK | ovra.policies.* |
| MCP | ovra_policy (read-only) |
| Dashboard | /dashboard/policies, /dashboard/risk |

Next

Control

The two engines that read policy and risk together.

Intents

What policy decisions are made against.

Cards

How policy syncs to card-issuer-native controls.