Runloop Network Policies API
Define and manage egress Network Policies that restrict outbound network access from Devboxes. Allow/deny rules at account scope, attachable per Devbox at launch.
Define and manage egress Network Policies that restrict outbound network access from Devboxes. Allow/deny rules at account scope, attachable per Devbox at launch.
# Header of the OpenAPI 3.0.3 document for the Runloop Network Policies API.
openapi: 3.0.3
info:
  title: Runloop Network Policies API
  # Quoted so the version stays a string instead of being read as a float.
  version: '0.1'
  description: >-
    Define and manage egress Network Policies that restrict outbound network
    access from Devboxes — per-policy allow/deny rules at the account scope.
  contact:
    name: Runloop AI Support
    url: https://runloop.ai
    email: support@runloop.ai
# One server entry, reached over HTTPS; it declares no server variables.
servers:
  - url: https://api.runloop.ai
    description: Runloop API
    variables: {}
tags:
  - name: network-policies
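# CRUD operations for egress NetworkPolicies. No operation here declares its
# own `security` list, so each one relies on the document-level requirement
# (bearerAuth) declared at the root of this file.
paths:
  /v1/network-policies:
    post:
      tags:
        - network-policies
      summary: Create a NetworkPolicy.
      description: >-
        Create a new NetworkPolicy with the specified egress rules. The policy
        can then be applied to blueprints, devboxes, or snapshot resumes.
      operationId: createNetworkPolicy
      parameters: []
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/NetworkPolicyCreateParameters'
        # The create schema lists `name` as required, so a request without a
        # body can never validate; the body is marked required to match.
        required: true
      responses:
        '200':
          description: NetworkPolicy created successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/NetworkPolicyView'
        '400':
          description: Bad request. Name already exists or is invalid.
        '401':
          description: Unauthorized. Invalid or missing authentication.
        '403':
          description: Forbidden. Account does not have devbox capability.
        '500':
          description: Internal server error.
      deprecated: false
    get:
      tags:
        - network-policies
      summary: List NetworkPolicies.
      description: List all NetworkPolicies for the authenticated account.
      operationId: listNetworkPolicies
      parameters:
        - name: name
          in: query
          description: Filter by name (partial match supported).
          required: false
          deprecated: false
          allowEmptyValue: true
          schema:
            type: string
        - name: id
          in: query
          description: Filter by ID.
          required: false
          deprecated: false
          allowEmptyValue: true
          schema:
            type: string
        - name: limit
          in: query
          description: The limit of items to return. Default is 20. Max is 5000.
          required: false
          deprecated: false
          allowEmptyValue: true
          schema:
            type: integer
            format: int32
            # Default and upper bound copied from the description so that
            # validators and generated clients enforce them. No lower bound
            # is documented, so none is declared here.
            default: 20
            maximum: 5000
        - name: starting_after
          in: query
          description: Load the next page of data starting after the item with the given ID.
          required: false
          deprecated: false
          allowEmptyValue: true
          schema:
            type: string
        - name: include_total_count
          in: query
          description: >-
            If true (default), includes total_count in the response. Set to
            false to skip the count query for better performance on large
            datasets.
          required: false
          deprecated: false
          allowEmptyValue: true
          schema:
            type: boolean
            # The description states that the default is true.
            default: true
      responses:
        '200':
          description: Successfully retrieved list of NetworkPolicies.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/NetworkPolicyListView'
        '401':
          description: Unauthorized. Invalid or missing authentication.
        '403':
          description: Forbidden. Account does not have devbox capability.
        '500':
          description: Internal server error.
      deprecated: false
  # NOTE(review): the spec does not state how an id owned by another account
  # is answered (404 vs 403) — confirm it is indistinguishable from a
  # missing id.
  /v1/network-policies/{id}:
    get:
      tags:
        - network-policies
      summary: Get a NetworkPolicy.
      description: Get a specific NetworkPolicy by its unique identifier.
      operationId: getNetworkPolicy
      parameters:
        - name: id
          in: path
          description: The unique identifier of the NetworkPolicy.
          required: true
          deprecated: false
          allowEmptyValue: false
          schema:
            type: string
      responses:
        '200':
          description: Successfully retrieved the NetworkPolicy.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/NetworkPolicyView'
        '401':
          description: Unauthorized. Invalid or missing authentication.
        '403':
          description: Forbidden. Account does not have devbox capability.
        '404':
          description: NetworkPolicy not found.
        '500':
          description: Internal server error.
      deprecated: false
    # NOTE(review): the spec does not say whether a rule change applies to
    # devboxes already running with this policy — confirm before relying on
    # an update to revoke egress access.
    post:
      tags:
        - network-policies
      summary: Update a NetworkPolicy.
      description: Update an existing NetworkPolicy. All fields are optional.
      operationId: updateNetworkPolicy
      parameters:
        - name: id
          in: path
          description: The unique identifier of the NetworkPolicy to update.
          required: true
          deprecated: false
          allowEmptyValue: false
          schema:
            type: string
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/NetworkPolicyUpdateParameters'
        required: false
      responses:
        '200':
          description: NetworkPolicy updated successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/NetworkPolicyView'
        '400':
          description: Bad request. Invalid parameters.
        '401':
          description: Unauthorized. Invalid or missing authentication.
        '403':
          description: Forbidden. Account does not have devbox capability.
        '404':
          description: NetworkPolicy not found.
        '500':
          description: Internal server error.
      deprecated: false
  # Deletion is a POST to a `/delete` sub-path. Per the 400 response, a
  # policy that is still in use by active devboxes is rejected.
  /v1/network-policies/{id}/delete:
    post:
      tags:
        - network-policies
      summary: Delete a NetworkPolicy.
      description: Delete an existing NetworkPolicy. This action is irreversible.
      operationId: deleteNetworkPolicy
      parameters:
        - name: id
          in: path
          description: The unique identifier of the NetworkPolicy to delete.
          required: true
          deprecated: false
          allowEmptyValue: false
          schema:
            type: string
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/EmptyRecord'
        required: false
      responses:
        '200':
          description: NetworkPolicy deleted successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/NetworkPolicyView'
        '400':
          description: Bad request. Policy is in use by active devboxes.
        '401':
          description: Unauthorized. Invalid or missing authentication.
        '403':
          description: Forbidden. Account does not have devbox capability.
        '404':
          description: NetworkPolicy not found.
        '500':
          description: Internal server error.
      deprecated: false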
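# Reusable schemas and the authentication scheme for the Network Policies
# API. Every object schema sets `additionalProperties: false`, so unknown
# fields are not part of the contract.
components:
  schemas:
    EgressRulesView:
      type: object
      additionalProperties: false
      description: Egress (outbound) network rules for a NetworkPolicy.
      properties:
        # Per the description, allow_all=true makes the other fields
        # irrelevant: a policy that shows a narrow allowed_hostnames list is
        # still fully open when this flag is set.
        allow_all:
          type: boolean
          description: >-
            If true, all egress traffic is allowed and other fields are
            ignored. Used for ALLOW_ALL policies.
        allow_devbox_to_devbox:
          type: boolean
          description: If true, allows traffic between the account's own devboxes via tunnels.
        # Review wildcard entries with care: a wildcard over a domain shared
        # by many tenants covers hosts the policy author does not control.
        allowed_hostnames:
          type: array
          items:
            type: string
          description: >-
            DNS-based allow list with wildcard support. Examples:
            ['github.com', '*.npmjs.org', 'api.openai.com']. Empty list with
            allow_all=false means no network access (DENY_ALL behavior).
        allow_agent_gateway:
          type: boolean
          description: If true, allows devbox egress to the agent gateway for credential proxying.
        allow_mcp_gateway:
          type: boolean
          description: If true, allows devbox egress to the MCP hub for MCP server access.
      required:
        - allow_all
        - allow_devbox_to_devbox
        - allowed_hostnames
        - allow_agent_gateway
        - allow_mcp_gateway
    # Body schema with no properties; the delete operation references it.
    EmptyRecord:
      type: object
      additionalProperties: false
      properties: {}
    # Only `name` is required and every boolean flag is documented as
    # defaulting to false.
    # NOTE(review): presumably a policy created with only `name` denies all
    # egress — confirm how an omitted or null allowed_hostnames is treated.
    NetworkPolicyCreateParameters:
      type: object
      additionalProperties: false
      description: Parameters required to create a new NetworkPolicy.
      properties:
        name:
          type: string
          description: >-
            The human-readable name for the NetworkPolicy. Must be unique
            within the account.
        description:
          type: string
          nullable: true
          description: Optional description for the NetworkPolicy.
        allow_all:
          type: boolean
          nullable: true
          description: >-
            (Optional) If true, all egress traffic is allowed (ALLOW_ALL
            policy). Defaults to false.
        allow_devbox_to_devbox:
          type: boolean
          nullable: true
          description: >-
            (Optional) If true, allows traffic between the account's own
            devboxes via tunnels. Defaults to false. If allow_all is true,
            this is automatically set to true.
        allowed_hostnames:
          type: array
          items:
            type: string
          nullable: true
          description: >-
            (Optional) DNS-based allow list with wildcard support. Examples:
            ['github.com', '*.npmjs.org'].
        allow_agent_gateway:
          type: boolean
          nullable: true
          description: >-
            (Optional) If true, allows devbox egress to the agent gateway for
            credential proxying. Defaults to false.
        allow_mcp_gateway:
          type: boolean
          nullable: true
          description: >-
            (Optional) If true, allows devbox egress to the MCP hub for MCP
            server access. Defaults to false.
      required:
        - name
    NetworkPolicyListView:
      type: object
      additionalProperties: false
      description: A list of NetworkPolicies with pagination information.
      properties:
        network_policies:
          type: array
          items:
            $ref: '#/components/schemas/NetworkPolicyView'
          description: The list of NetworkPolicies.
        has_more:
          type: boolean
          description: Whether there are more results available.
        # Not listed under `required`; the list operation's
        # include_total_count parameter controls whether it is returned.
        total_count:
          type: integer
          format: int32
          nullable: true
          description: Total count of items in this response.
      required:
        - network_policies
        - has_more
    # NOTE(review): every field is nullable and optional, but the spec does
    # not say whether an explicit null clears a field or leaves it
    # unchanged — confirm, since it decides whether null can widen or
    # narrow a policy.
    NetworkPolicyUpdateParameters:
      type: object
      additionalProperties: false
      description: Parameters for updating an existing NetworkPolicy. All fields are optional.
      properties:
        name:
          type: string
          nullable: true
          description: Updated human-readable name for the NetworkPolicy.
        description:
          type: string
          nullable: true
          description: Updated description for the NetworkPolicy.
        allow_all:
          type: boolean
          nullable: true
          description: If true, all egress traffic is allowed (ALLOW_ALL policy).
        allow_devbox_to_devbox:
          type: boolean
          nullable: true
          description: If true, allows traffic between the account's own devboxes via tunnels.
        allowed_hostnames:
          type: array
          items:
            type: string
          nullable: true
          description: >-
            Updated DNS-based allow list with wildcard support. Examples:
            ['github.com', '*.npmjs.org'].
        allow_agent_gateway:
          type: boolean
          nullable: true
          description: If true, allows devbox egress to the agent gateway.
        allow_mcp_gateway:
          type: boolean
          nullable: true
          description: If true, allows devbox egress to the MCP hub.
    NetworkPolicyView:
      type: object
      additionalProperties: false
      description: >-
        A NetworkPolicy defines egress network access rules for devboxes.
        Policies can be applied to blueprints, devboxes, and snapshot resumes.
      properties:
        id:
          type: string
          description: The unique identifier of the NetworkPolicy.
        name:
          type: string
          description: The human-readable name of the NetworkPolicy. Unique per account.
        description:
          type: string
          nullable: true
          description: Optional description of the NetworkPolicy.
        egress:
          # OpenAPI 3.0 ignores keys placed next to `$ref`, so the reference
          # is wrapped in `allOf` to keep the description visible to tooling.
          allOf:
            - $ref: '#/components/schemas/EgressRulesView'
          description: The egress rules for this policy.
        create_time_ms:
          type: integer
          format: int64
          description: The creation time of the NetworkPolicy (Unix timestamp in milliseconds).
        update_time_ms:
          type: integer
          format: int64
          description: Last update time of the NetworkPolicy (Unix timestamp in milliseconds).
      required:
        - id
        - name
        - egress
        - create_time_ms
        - update_time_ms
  securitySchemes:
    # HTTP bearer-token authentication; no bearerFormat is declared.
    bearerAuth:
      type: http
      scheme: bearer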
# Document-wide default: an operation requires the bearerAuth scheme unless
# it declares its own `security` list. The empty list means no scopes.
security:
  - bearerAuth: []