Upsert an application's resources and permissions

curl --request PUT \ --url https://api.accessowl.com/api/v1/applications/{application_id}/structure \ --header 'Authorization: Bearer <token>' \ --header 'Content-Type: application/json' \ --data ' { "lock_version": 123, "resources": [ { "title": "<string>", "delete": true, "description": "<string>", "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a", "order": 123, "parent_resource_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a", "permissions": [ { "title": "<string>", "delete": true, "description": "<string>", "elevated": true, "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a", "requestable": true } ], "requestable": true } ] } '

{ "admin_user_ids": [ "7488a646-e31f-11e4-aace-600308960665" ], "auth_method": "okta", "data_location": "EU", "description": "Team communication platform", "id": "7488a646-e31f-11e4-aace-600308960662", "inserted_at": "2023-01-01T00:00:00Z", "last_vendor_review_at": "2026-01-15", "mfa_activated": true, "notes": "Reviewed in Q4", "owner_user_id": "7488a646-e31f-11e4-aace-600308960663", "processed_data_types": [ "customer_data" ], "provisioning_type": "automatic", "risk_level": "medium", "status": "requestable", "tags": [ { "id": "7488a646-e31f-11e4-aace-600308960666", "title": "Communication" } ], "title": "Slack", "updated_at": "2023-01-01T00:00:00Z", "url": "https://slack.com", "user_count": 150, "user_setup_url": "https://slack.com/get-started", "vendor_certificates": [ "soc2_t2", "iso_27001" ] }

Authorizations

Authorization

string

header

required

Bearer token authentication. Pass your AccessOwl API token in the Authorization header as Bearer <token>.

Headers

Idempotency-Key

string

Optional key (1–255 chars) for safely retrying a request. Reusing the same key for the same request returns 409 Conflict and is not processed again — this confirms the request was already received. Keys are retained for 14 days.

Required string length: 1 - 255

Path Parameters

application_id

string

required

Body

application/json

Update structure parameters

Upsert resources and permissions for an application. This is a partial upsert, not a full overwrite: omitted items are left untouched. To remove an item, send it with its id and delete: true (this applies to both resources and their nested permissions).

lock_version

integer

Optimistic lock version. Optional; if stale, returns 409.

resources

ResourceInput · object[]

Resources to upsert.

Show child attributes

Response

Application

An application in the organization

string<uuid>

required

Application ID

status

enum<string>

required

Application status

Available options:

ignored,

discovered,

approved,

requestable

title

string

required

Application title

admin_user_ids

string<uuid>[]

User IDs of the application's admins

auth_method

enum<string> | null

Authentication method used to sign in

Available options:

google,

microsoft,

okta,

sso_provider,

credentials,

other

data_location

string | null

Where the vendor stores data

description

string | null

Description

inserted_at

string<date-time>

Creation timestamp

last_vendor_review_at

string<date> | null

Date of the last vendor security review

mfa_activated

boolean | null

Whether MFA is activated for this application

notes

string | null

Internal notes

owner_user_id

string<uuid> | null

Owner user ID

processed_data_types

enum<string>[]

Types of data this application processes

Available options:

customer_metadata,

customer_pii,

company_metadata,

company_sensitive_data,

employee_pii,

employee_sensitive_data,

ephi

provisioning_type

enum<string>

Provisioning type

Available options:

application_admin,

automatic

risk_level

enum<string> | null

Risk level assessment

Available options:

low,

medium,

high