Policy API

Control outbound network access using DNS-based filtering. Policies define which domains sprites can reach, with support for exact matches, wildcard subdomains, and preset rule bundles.

Changes apply immediately—existing connections to newly-blocked domains are terminated. Failed DNS lookups return REFUSED for fast failure.

Get Network Policy

GET/v1/sprites/{name}/policy/network

Get the current network policy configuration.

Responses

Status	Description
200	Success
404	Not Found - Resource not found
500	Internal Server Error

Request

CLI

sprite api GET /policy/network

token := os.Getenv("SPRITE_TOKEN")
spriteName := os.Getenv("SPRITE_NAME")

client := sprites.New(token)
sprite := client.Sprite(spriteName)

policy, err := sprite.GetNetworkPolicy(context.Background())
if err != nil {
log.Fatal(err)
}

out, _ := json.MarshalIndent(policy, "", "  ")
fmt.Println(string(out))

import { SpritesClient } from '@fly/sprites';

const token = process.env.SPRITE_TOKEN!;
const spriteName = process.env.SPRITE_NAME!;

const client = new SpritesClient(token);
const sprite = client.sprite(spriteName);

const policy = await sprite.getNetworkPolicy();

console.log(JSON.stringify(policy, null, 2));

import json
import os

from sprites import SpritesClient

token = os.environ["SPRITE_TOKEN"]
sprite_name = os.environ["SPRITE_NAME"]

client = SpritesClient(token)
sprite = client.sprite(sprite_name)

policy = sprite.get_network_policy()

result = {
  "rules": [
      {"domain": rule.domain, "action": rule.action}
      for rule in policy.rules
  ]
}

print(json.dumps(result, indent=2))

token = System.get_env("SPRITE_TOKEN")
sprite_name = System.get_env("SPRITE_NAME")

client = Sprites.new(token)
sprite = Sprites.sprite(client, sprite_name)

{:ok, policy} = Sprites.get_network_policy(sprite)

policy
|> Sprites.Policy.to_map()
|> Jason.encode!(pretty: true)
|> IO.puts()

curl \
-H "Authorization: Bearer $SPRITE_TOKEN" \
"https://api.sprites.dev/v1/sprites/$SPRITE_NAME/policy/network"

Response

{
"rules": [
  {
    "action": "allow",
    "domain": "github.com"
  },
  {
    "action": "allow",
    "domain": "*.npmjs.org"
  },
  {
    "action": "deny",
    "domain": "*"
  }
]
}

---

Set Network Policy

POST/v1/sprites/{name}/policy/network

Update the network policy configuration.

Request Body

rules:NetworkPolicyRule[]

List of network policy rules

Responses

Status	Description
200	Success
400	Bad Request - Invalid request body
404	Not Found - Resource not found
500	Internal Server Error

Request

CLI

sprite api POST /policy/network -d '{"rules":[...]}'

token := os.Getenv("SPRITE_TOKEN")
spriteName := os.Getenv("SPRITE_NAME")

client := sprites.New(token)
sprite := client.Sprite(spriteName)

policy := &sprites.NetworkPolicy{
Rules: []sprites.NetworkPolicyRule{
  {Domain: "api.github.com", Action: "allow"},
  {Domain: "*.npmjs.org", Action: "allow"},
},
}

err := sprite.UpdateNetworkPolicy(context.Background(), policy)
if err != nil {
log.Fatal(err)
}

fmt.Println("Network policy updated")

import { SpritesClient } from '@fly/sprites';

const token = process.env.SPRITE_TOKEN!;
const spriteName = process.env.SPRITE_NAME!;

const client = new SpritesClient(token);
const sprite = client.sprite(spriteName);

await sprite.updateNetworkPolicy({
rules: [
  { domain: 'api.github.com', action: 'allow' },
  { domain: '*.npmjs.org', action: 'allow' },
],
});

console.log('Network policy updated');

import os

from sprites import NetworkPolicy, PolicyRule, SpritesClient

token = os.environ["SPRITE_TOKEN"]
sprite_name = os.environ["SPRITE_NAME"]

client = SpritesClient(token)
sprite = client.sprite(sprite_name)

policy = NetworkPolicy(
  rules=[
      PolicyRule(domain="api.github.com", action="allow"),
      PolicyRule(domain="*.npmjs.org", action="allow"),
  ]
)

sprite.update_network_policy(policy)

print("Network policy updated")

token = System.get_env("SPRITE_TOKEN")
sprite_name = System.get_env("SPRITE_NAME")

client = Sprites.new(token)
sprite = Sprites.sprite(client, sprite_name)

policy = %Sprites.Policy{
rules: [
  %Sprites.Policy.Rule{domain: "api.github.com", action: "allow"},
  %Sprites.Policy.Rule{domain: "*.npmjs.org", action: "allow"}
]
}

:ok = Sprites.update_network_policy(sprite, policy)

IO.puts("Network policy updated")

curl -X POST \
-H "Authorization: Bearer $SPRITE_TOKEN" \
-H "Content-Type: application/json" \
-d '{"rules":[{"action":"allow","domain":"github.com"},{"action":"allow","domain":"*.npmjs.org"}]}' \
"https://api.sprites.dev/v1/sprites/$SPRITE_NAME/policy/network"

Response

{
"rules": [
  {
    "action": "allow",
    "domain": "github.com"
  }
]
}

---