Preview release. These docs are a work in progress. Pages are still being written, links may break, and structure may shift without notice. Treat everything here as a draft and report issues on GitHub.
Attempt to apply a candidate runtime config
const url = 'https://example.com/admin/v1/config/apply';
const options = {
  method: 'POST',
  headers: {'X-Api-Key': '<X-Api-Key>', 'Content-Type': 'application/json'},
  body: '{"break_glass":false,"break_glass_approval":{"approval_reference":"example","approved_by":"example","emergency_change_class":"example","expires_at_unix_seconds":1,"rate_limit_identity":"example","reason":"example"},"break_glass_approval_reference":"example","bundle_id":"example","config_yaml":"example","local_approval_reference":"example","previous_config_hash":"example","root_version":1,"sequence":1,"stream_id":"default","tuf":{"datastore_dir":"example","metadata_dir":"example","root_path":"example","target_name":"example","targets_dir":"example"}}'
};

try {
  const response = await fetch(url, options);
  const data = await response.json();
  console.log(data);
} catch (error) {
  console.error(error);
}

curl --request POST \
  --url https://example.com/admin/v1/config/apply \
  --header 'Content-Type: application/json' \
  --header 'X-Api-Key: <X-Api-Key>' \
  --data '{
    "break_glass": false,
    "break_glass_approval": {
      "approval_reference": "example",
      "approved_by": "example",
      "emergency_change_class": "example",
      "expires_at_unix_seconds": 1,
      "rate_limit_identity": "example",
      "reason": "example"
    },
    "break_glass_approval_reference": "example",
    "bundle_id": "example",
    "config_yaml": "example",
    "local_approval_reference": "example",
    "previous_config_hash": "example",
    "root_version": 1,
    "sequence": 1,
    "stream_id": "default",
    "tuf": {
      "datastore_dir": "example",
      "metadata_dir": "example",
      "root_path": "example",
      "target_name": "example",
      "targets_dir": "example"
    }
  }'

Standalone mode applies only signed local TUF config targets. Governed signed credential issuer key rotations can swap the issuer runtime after anti-rollback acceptance. Break-glass apply additionally requires approval details, a locally configured rate-limit policy, and a signed emergency change class. Inline config candidates are rejected with registry.admin.config.inline_apply_rejected. Other signed changes remain restart-required.
Authorizations
Request Body (required)
object
Apply-only emergency mode. Verify and dry-run reject break-glass requests.
object
Must appear in the signed target change_classes and be authorized by local trust roots.
Local approval reason. Audit records store only a hash of this value.
Apply-only reference for a matching durable break-glass approval record in the verifier-owned local approval store.
Operator-visible candidate identifier. Signed TUF targets may derive it from target metadata.
Inline YAML candidate for verify and dry-run diagnostics.
Apply-only reference for a matching local approval record used by root_transition bundles.
Governed predecessor config hash. Requests and signed target metadata may provide either bare lowercase SHA-256 hex or sha256:<64 lowercase hex>; responses, audit, docs, and errors use the canonical sha256:-prefixed form.
Monotonic bundle sequence. Signed TUF targets may derive it from target metadata.
Governance stream identifier used by anti-rollback state.
object
Remote TUF config source. The source must exactly match an entry in the operator-configured config_trust.remote_tuf_repositories allowlist (comparing root_path, metadata_base_url, targets_base_url, and datastore_dir); unlisted sources are rejected before any fetch.
object
Deprecated and ignored. Fetch policy is taken from the matching config_trust.remote_tuf_repositories allowlist entry.
HTTPS TUF metadata base URL. HTTP loopback is accepted only when the matching allowlist entry sets allow_dev_insecure_fetch_urls.
HTTPS TUF targets base URL. HTTP loopback is accepted only when the matching allowlist entry sets allow_dev_insecure_fetch_urls.
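The allowlist rule for remote TUF sources described above, sketched as an added example (not the service's own code). The loopback definition, the reason strings and the sample allowlist values are assumptions made for illustration.

```javascript
// Added illustration of the allowlist rule; not the service's implementation.
// Fields compared for an exact match, as listed in the field description.
const MATCH_FIELDS = ['root_path', 'metadata_base_url', 'targets_base_url', 'datastore_dir'];

// Assumption: "loopback" means localhost, 127.0.0.0/8 or ::1.
function isLoopbackHost(hostname) {
  const h = hostname.replace(/^\[|\]$/g, '').toLowerCase();
  return h === 'localhost' || h === '::1' || /^127(\.\d{1,3}){3}$/.test(h);
}

// HTTPS always passes; HTTP only for loopback when the entry opts in.
function fetchUrlAllowed(rawUrl, entry) {
  let u;
  try { u = new URL(rawUrl); } catch (_) { return false; }
  if (u.protocol === 'https:') return true;
  return u.protocol === 'http:' && entry.allow_dev_insecure_fetch_urls === true
    && isLoopbackHost(u.hostname);
}

// Decide before any network fetch. Reason strings are hypothetical labels.
function checkRemoteTufSource(source, allowlist) {
  const entry = allowlist.find((e) =>
    MATCH_FIELDS.every((f) => typeof source[f] === 'string' && source[f] === e[f]));
  if (!entry) return { ok: false, reason: 'source_not_allowlisted' };
  for (const f of ['metadata_base_url', 'targets_base_url']) {
    if (!fetchUrlAllowed(source[f], entry)) return { ok: false, reason: `insecure_url:${f}` };
  }
  return { ok: true, reason: 'allowlisted' };
}

// Constructed sample allowlist (hosts and paths are placeholders).
const SAMPLE_ALLOWLIST = [
  { root_path: '/etc/notary/root.json', datastore_dir: '/var/lib/notary/tuf',
    metadata_base_url: 'https://tuf.example.com/metadata',
    targets_base_url: 'https://tuf.example.com/targets' },
  { root_path: '/etc/notary/dev-root.json', datastore_dir: '/tmp/tuf-dev',
    metadata_base_url: 'http://127.0.0.1:8080/metadata',
    targets_base_url: 'http://127.0.0.1:8080/targets',
    allow_dev_insecure_fetch_urls: true },
];

const prod = SAMPLE_ALLOWLIST[0];
console.log(checkRemoteTufSource(prod, SAMPLE_ALLOWLIST));
// A trailing slash is a different string, so exact matching rejects it.
console.log(checkRemoteTufSource(
  { ...prod, targets_base_url: prod.targets_base_url + '/' }, SAMPLE_ALLOWLIST));
```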
Responses
Compatible signed config was applied without restart
object
Optional diagnostic detail. Previous-config-hash mismatch details use canonical sha256:<64 lowercase hex> for the expected value and name the detected received format.
Posture projection of the outcome, such as accepted, rejected, or not_applied.
Config apply outcome, such as applied, verified, rejected_restart_required, rejected_readiness, or rejected_rollback.
Example
{ "applied": true, "bundle_id": "demo-bundle", "posture_result": "accepted", "restart_required": false, "result": "applied", "sequence": 2}
Candidate config is invalid
object
Example
{ "code": "config.candidate_invalid", "detail": "candidate config could not be parsed", "status": 400, "title": "Candidate config invalid", "type": "https://docs.registry-notary.dev/problems/config/candidate_invalid"}
Missing or invalid credential
object
Example
{ "code": "auth.missing_credential", "detail": "missing authentication credential", "status": 401, "title": "Missing credential", "type": "https://docs.registry-notary.dev/problems/auth/missing_credential"}
Caller lacks registry_notary:admin scope
object
Example
{ "code": "auth.scope_denied", "detail": "missing required scope", "status": 403, "title": "Scope denied", "type": "https://docs.registry-notary.dev/problems/auth/scope_denied"}
Candidate config requires restart and was not applied
object
Optional diagnostic detail. Previous-config-hash mismatch details use canonical sha256:<64 lowercase hex> for the expected value and name the detected received format.
Posture projection of the outcome, such as accepted, rejected, or not_applied.
Config apply outcome, such as applied, verified, rejected_restart_required, rejected_readiness, or rejected_rollback.
Example
{ "applied": false, "bundle_id": "demo-bundle", "posture_result": "rejected", "restart_required": true, "result": "rejected_restart_required", "sequence": 1}
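The previous_config_hash rule from the request body and the mismatch detail from the responses, as an added example (not the service's own code): both accepted input forms normalize to the canonical sha256:-prefixed value, and a mismatch reports the canonical expected value plus the detected received format. The format labels, the rejection of uppercase hex and the sample digests are assumptions.

```javascript
// Added illustration of the previous_config_hash rule; not the service's code.
const HEX64 = /^[0-9a-f]{64}$/;

// Classify the received value. Format labels are hypothetical names.
function classifyConfigHash(value) {
  if (typeof value !== 'string') return { format: 'not_a_string', canonical: null };
  if (HEX64.test(value)) return { format: 'bare_hex', canonical: `sha256:${value}` };
  if (value.startsWith('sha256:') && HEX64.test(value.slice(7))) {
    return { format: 'sha256_prefixed', canonical: value };
  }
  // Right length but wrong case (in the digest or the prefix) is not accepted.
  const digest = value.replace(/^sha256:/i, '');
  if (/^[0-9a-fA-F]{64}$/.test(digest)) return { format: 'non_lowercase', canonical: null };
  return { format: 'malformed', canonical: null };
}

// Compare against the current config hash, held in canonical form.
// The mismatch detail shows the canonical expected value and only the
// format of what was received, not the received value itself.
function checkPreviousConfigHash(received, expectedCanonical) {
  const got = classifyConfigHash(received);
  if (got.canonical !== null && got.canonical === expectedCanonical) {
    return { ok: true, canonical: got.canonical };
  }
  return { ok: false,
    detail: `previous_config_hash mismatch: expected ${expectedCanonical}, ` +
            `received format ${got.format}` };
}

// Constructed digests (not real config hashes).
const CURRENT = 'sha256:' + 'ab'.repeat(32);
console.log(checkPreviousConfigHash('ab'.repeat(32), CURRENT));  // bare hex accepted
console.log(checkPreviousConfigHash('AB'.repeat(32), CURRENT));  // uppercase rejected
console.log(checkPreviousConfigHash('sha256:' + 'cd'.repeat(32), CURRENT)); // stale hash
```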