Runloop Network Policies API

Define and manage egress Network Policies that restrict outbound network access from Devboxes. Allow/deny rules at account scope, attachable per Devbox at launch.

Runloop Network Policies API is one of 13 APIs that Runloop publishes on the APIs.io network, described by a machine-readable OpenAPI specification.

This API exposes 1 machine-runnable capability, which can be deployed as a REST, MCP, or Agent Skill surface via Naftiko, and 1 JSON Schema definition.

Tagged areas include AI, AI Agents, Network Policy, and Security. The published artifact set on APIs.io includes API documentation, an OpenAPI specification, 1 Naftiko capability spec, and 1 JSON Schema.

OpenAPI Specification

runloop-network-policies-api-openapi.yml
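# OpenAPI 3.0.3 description of the Runloop Network Policies API (management of
# egress policies for Devboxes).
openapi: 3.0.3
info:
  title: Runloop Network Policies API
  version: '0.1'
  description: >-
    Define and manage egress Network Policies that restrict outbound network
    access from Devboxes — per-policy allow/deny rules at the account scope.
  contact:
    name: Runloop AI Support
    url: https://runloop.ai
    # Quoted so the value stays a string: unquoted, the leading "[" makes YAML
    # read it as a one-item flow sequence, while the Contact Object's `email`
    # is a string field. The address itself appears to have been masked by the
    # hosting page's e-mail obfuscation; restore it from the upstream spec.
    email: '[email protected]'
# Only an HTTPS base URL is declared.
servers:
- url: https://api.runloop.ai
  description: Runloop API
  variables: {}
tags:
- name: network-policies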
paths:
  /v1/network-policies:
    # POST /v1/network-policies: create an account-level egress policy from
    # NetworkPolicyCreateParameters; the created policy comes back as a
    # NetworkPolicyView.
    post:
      operationId: createNetworkPolicy
      summary: Create a NetworkPolicy.
      description: >-
        Create a new NetworkPolicy with the specified egress rules. The policy
        can then be applied to blueprints, devboxes, or snapshot resumes.
      tags:
      - network-policies
      deprecated: false
      parameters: []
      requestBody:
        # NOTE(review): the body is declared optional here, yet the referenced
        # schema lists `name` as required; confirm whether a request without a
        # body is really accepted.
        required: false
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/NetworkPolicyCreateParameters'
      responses:
        '200':
          description: NetworkPolicy created successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/NetworkPolicyView'
        # Error responses carry a description only; no error body schema is
        # defined in this document.
        '400':
          description: Bad request. Name already exists or is invalid.
        '401':
          description: Unauthorized. Invalid or missing authentication.
        '403':
          description: Forbidden. Account does not have devbox capability.
        '500':
          description: Internal server error.
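    # GET /v1/network-policies: page through the authenticated account's
    # NetworkPolicies, optionally filtered by name or id.
    get:
      tags:
      - network-policies
      summary: List NetworkPolicies.
      description: List all NetworkPolicies for the authenticated account.
      operationId: listNetworkPolicies
      # NOTE(review): every query parameter sets allowEmptyValue: true, which
      # OpenAPI 3.0.3 marks as not recommended; what an empty `limit` or `id`
      # means is not defined in this document.
      parameters:
      - name: name
        in: query
        description: Filter by name (partial match supported).
        required: false
        deprecated: false
        allowEmptyValue: true
        schema:
          type: string
      - name: id
        in: query
        description: Filter by ID.
        required: false
        deprecated: false
        allowEmptyValue: true
        schema:
          type: string
      - name: limit
        in: query
        description: The limit of items to return. Default is 20. Max is 5000.
        required: false
        deprecated: false
        allowEmptyValue: true
        schema:
          type: integer
          format: int32
          # Default and upper bound copied from the description above so that
          # validators and generated clients enforce the documented page-size
          # cap. No lower bound is documented, so none is added.
          default: 20
          maximum: 5000
      - name: starting_after
        in: query
        description: Load the next page of data starting after the item with the given ID.
        required: false
        deprecated: false
        allowEmptyValue: true
        schema:
          type: string
      - name: include_total_count
        in: query
        description: >-
          If true (default), includes total_count in the response. Set to false
          to skip the count query for better performance on large datasets.
        required: false
        deprecated: false
        allowEmptyValue: true
        schema:
          type: boolean
          # Default stated in the description above.
          default: true
      responses:
        '200':
          description: Successfully retrieved list of NetworkPolicies.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/NetworkPolicyListView'
        '401':
          description: Unauthorized. Invalid or missing authentication.
        '403':
          description: Forbidden. Account does not have devbox capability.
        '500':
          description: Internal server error.
      deprecated: false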
  /v1/network-policies/{id}:
    # GET /v1/network-policies/{id}: fetch one policy by its identifier.
    # NOTE(review): 403 is documented only for accounts without devbox
    # capability; how an id owned by a different account is answered is not
    # stated here. Confirm it is indistinguishable from a missing policy.
    get:
      operationId: getNetworkPolicy
      summary: Get a NetworkPolicy.
      description: Get a specific NetworkPolicy by its unique identifier.
      tags:
      - network-policies
      deprecated: false
      parameters:
      - in: path
        name: id
        required: true
        description: The unique identifier of the NetworkPolicy.
        deprecated: false
        allowEmptyValue: false
        schema:
          type: string
      responses:
        '200':
          description: Successfully retrieved the NetworkPolicy.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/NetworkPolicyView'
        '401':
          description: Unauthorized. Invalid or missing authentication.
        '403':
          description: Forbidden. Account does not have devbox capability.
        '404':
          description: NetworkPolicy not found.
        '500':
          description: Internal server error.
    # POST /v1/network-policies/{id}: partial update of an existing policy.
    # NOTE(review): this document does not say whether a change takes effect
    # on Devboxes already running with the policy. Confirm before relying on
    # an update to tighten egress for live workloads.
    post:
      operationId: updateNetworkPolicy
      summary: Update a NetworkPolicy.
      description: Update an existing NetworkPolicy. All fields are optional.
      tags:
      - network-policies
      deprecated: false
      parameters:
      - in: path
        name: id
        required: true
        description: The unique identifier of the NetworkPolicy to update.
        deprecated: false
        allowEmptyValue: false
        schema:
          type: string
      requestBody:
        # Optional body; every field of the referenced schema is optional too.
        required: false
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/NetworkPolicyUpdateParameters'
      responses:
        '200':
          description: NetworkPolicy updated successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/NetworkPolicyView'
        '400':
          description: Bad request. Invalid parameters.
        '401':
          description: Unauthorized. Invalid or missing authentication.
        '403':
          description: Forbidden. Account does not have devbox capability.
        '404':
          description: NetworkPolicy not found.
        '500':
          description: Internal server error.
  /v1/network-policies/{id}/delete:
    # POST /v1/network-policies/{id}/delete: irreversible removal of a policy.
    # Deletion is expressed as a POST with an empty JSON object, and the 400
    # response below documents a refusal while active devboxes use the policy.
    post:
      operationId: deleteNetworkPolicy
      summary: Delete a NetworkPolicy.
      description: Delete an existing NetworkPolicy. This action is irreversible.
      tags:
      - network-policies
      deprecated: false
      parameters:
      - in: path
        name: id
        required: true
        description: The unique identifier of the NetworkPolicy to delete.
        deprecated: false
        allowEmptyValue: false
        schema:
          type: string
      requestBody:
        required: false
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/EmptyRecord'
      responses:
        # The success body reuses NetworkPolicyView.
        '200':
          description: NetworkPolicy deleted successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/NetworkPolicyView'
        '400':
          description: Bad request. Policy is in use by active devboxes.
        '401':
          description: Unauthorized. Invalid or missing authentication.
        '403':
          description: Forbidden. Account does not have devbox capability.
        '404':
          description: NetworkPolicy not found.
        '500':
          description: Internal server error.
components:
  schemas:
    # Effective egress rules as returned inside a NetworkPolicyView. Every field
    # is an allow-style switch or list; this document defines no deny-list
    # field, so restriction comes from what is left out of the allow set.
    EgressRulesView:
      type: object
      description: Egress (outbound) network rules for a NetworkPolicy.
      additionalProperties: false
      required:
      - allow_all
      - allow_devbox_to_devbox
      - allowed_hostnames
      - allow_agent_gateway
      - allow_mcp_gateway
      properties:
        # Broadest setting: per its description the other fields are ignored
        # when this is true, so a hostname list next to allow_all=true
        # restricts nothing. Worth flagging when auditing policies.
        allow_all:
          description: >-
            If true, all egress traffic is allowed and other fields are ignored.
            Used for ALLOW_ALL policies.
          type: boolean
        allow_devbox_to_devbox:
          description: If true, allows traffic between the account's own devboxes via tunnels.
          type: boolean
        # Items are unconstrained strings (no pattern or length limit), and the
        # document does not define what a wildcard matches, e.g. whether
        # '*.npmjs.org' also covers the bare domain or several label levels.
        # Confirm before relying on a broad wildcard entry.
        allowed_hostnames:
          description: >-
            DNS-based allow list with wildcard support. Examples: ['github.com',
            '*.npmjs.org', 'api.openai.com']. Empty list with allow_all=false
            means no network access (DENY_ALL behavior).
          type: array
          items:
            type: string
        allow_agent_gateway:
          description: If true, allows devbox egress to the agent gateway for credential proxying.
          type: boolean
        allow_mcp_gateway:
          description: If true, allows devbox egress to the MCP hub for MCP server access.
          type: boolean
    # A JSON object that may carry no members at all: no properties are
    # declared and additional ones are rejected. Referenced by the delete
    # operation's request body.
    EmptyRecord:
      type: object
      properties: {}
      additionalProperties: false
    # Request body for createNetworkPolicy. Only `name` is required; the
    # descriptions give false as the default for each boolean switch, but no
    # `default` keyword is set on the schemas themselves.
    NetworkPolicyCreateParameters:
      type: object
      description: Parameters required to create a new NetworkPolicy.
      additionalProperties: false
      required:
      - name
      properties:
        name:
          description: The human-readable name for the NetworkPolicy. Must be unique within the account.
          type: string
        description:
          description: Optional description for the NetworkPolicy.
          type: string
          nullable: true
        allow_all:
          description: (Optional) If true, all egress traffic is allowed (ALLOW_ALL policy). Defaults to false.
          type: boolean
          nullable: true
        # Per the description, allow_all=true switches this on automatically.
        allow_devbox_to_devbox:
          description: >-
            (Optional) If true, allows traffic between the account's own devboxes
            via tunnels. Defaults to false. If allow_all is true, this is
            automatically set to true.
          type: boolean
          nullable: true
        # NOTE(review): no default is stated for an omitted or null list.
        # EgressRulesView says an empty list with allow_all=false means no
        # network access; presumably a policy created with only a name behaves
        # that way. Confirm.
        allowed_hostnames:
          description: >-
            (Optional) DNS-based allow list with wildcard support. Examples:
            ['github.com', '*.npmjs.org'].
          type: array
          nullable: true
          items:
            type: string
        allow_agent_gateway:
          description: >-
            (Optional) If true, allows devbox egress to the agent gateway for
            credential proxying. Defaults to false.
          type: boolean
          nullable: true
        allow_mcp_gateway:
          description: (Optional) If true, allows devbox egress to the MCP hub for MCP server access. Defaults to false.
          type: boolean
          nullable: true
    # Response body of listNetworkPolicies: one page of policies plus paging
    # flags. total_count is nullable and not required; the include_total_count
    # query parameter controls whether it is included.
    NetworkPolicyListView:
      type: object
      description: A list of NetworkPolicies with pagination information.
      additionalProperties: false
      required:
      - network_policies
      - has_more
      properties:
        network_policies:
          description: The list of NetworkPolicies.
          type: array
          items:
            $ref: '#/components/schemas/NetworkPolicyView'
        has_more:
          description: Whether there are more results available.
          type: boolean
        total_count:
          description: Total count of items in this response.
          type: integer
          format: int32
          nullable: true
    # Request body for updateNetworkPolicy; nothing is required.
    # NOTE(review): every field is optional and nullable, and the document does
    # not say whether an omitted or null field means "leave unchanged". For
    # allowed_hostnames the distinction matters, because EgressRulesView states
    # that an empty list with allow_all=false means no network access.
    NetworkPolicyUpdateParameters:
      type: object
      description: Parameters for updating an existing NetworkPolicy. All fields are optional.
      additionalProperties: false
      properties:
        name:
          description: Updated human-readable name for the NetworkPolicy.
          type: string
          nullable: true
        description:
          description: Updated description for the NetworkPolicy.
          type: string
          nullable: true
        # Turning this on widens the policy to all egress traffic.
        allow_all:
          description: If true, all egress traffic is allowed (ALLOW_ALL policy).
          type: boolean
          nullable: true
        allow_devbox_to_devbox:
          description: If true, allows traffic between the account's own devboxes via tunnels.
          type: boolean
          nullable: true
        allowed_hostnames:
          description: >-
            Updated DNS-based allow list with wildcard support. Examples:
            ['github.com', '*.npmjs.org'].
          type: array
          nullable: true
          items:
            type: string
        allow_agent_gateway:
          description: If true, allows devbox egress to the agent gateway.
          type: boolean
          nullable: true
        allow_mcp_gateway:
          description: If true, allows devbox egress to the MCP hub.
          type: boolean
          nullable: true
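    # Representation of a stored policy, returned by the create, get, update
    # and delete operations and inside list pages.
    NetworkPolicyView:
      type: object
      additionalProperties: false
      description: A NetworkPolicy defines egress network access rules for devboxes. Policies can be applied to blueprints,
        devboxes, and snapshot resumes.
      properties:
        id:
          type: string
          description: The unique identifier of the NetworkPolicy.
        name:
          type: string
          description: The human-readable name of the NetworkPolicy. Unique per account.
        description:
          type: string
          nullable: true
          description: Optional description of the NetworkPolicy.
        egress:
          # OpenAPI 3.0 ignores keys placed beside $ref, so the reference is
          # wrapped in allOf to keep this description visible to tooling.
          description: The egress rules for this policy.
          allOf:
          - $ref: '#/components/schemas/EgressRulesView'
        # Both timestamps are 64-bit integers holding Unix time in milliseconds.
        create_time_ms:
          type: integer
          format: int64
          description: The creation time of the NetworkPolicy (Unix timestamp in milliseconds).
        update_time_ms:
          type: integer
          format: int64
          description: Last update time of the NetworkPolicy (Unix timestamp in milliseconds).
      required:
      - id
      - name
      - egress
      - create_time_ms
      - update_time_ms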
  securitySchemes:
    # HTTP bearer-token authentication. No bearerFormat is declared, so the
    # token format is not described by this document.
    bearerAuth:
      type: http
      scheme: bearer
# Global requirement: no operation in this document declares its own `security`
# block, so bearerAuth applies to every path above.
security:
- bearerAuth: []