Skip to content



The Authorization Token Service (ZTS) API

This API has the following attributes:

Attribute Value
version 1


X.509 Certificate Support

All ZTS API commands require that the client use a TLS certificate issued by Athenz. Services can use their Athenz Issued Service Identity certificates when communicating with ZTS.


Limited number of ZTS API endpoints are authorized against the configured policy data to verify that the principal has been given the rights to make the requested change. Each request description below gives the authorization command that includes the action and resource that the ZTS Server will run the authorization check against. For example, to delete an instance from the local database we have the following authorize statement:

authorize("delete", "{domain}:instance.{instanceId}");

This indicates that the principal requesting to delete instance id host001 from domain must have grant rights to action "delete" for resource called "instance.host001" in domain "".

API Documentation

Please refer to the ZTS OpenAPI documentation