OEM API-First Embedding
Audience: DevOps / Platform engineers building embedded PBAC controls
Time: ~20 min (after Control Plane + first Bouncer are deployed)
Use this guide when your platform needs Control Core as a behind-the-scenes authorization engine with minimal UI dependency.
Prerequisites
- Control Plane is reachable (/devdocs, /health/ready)
- At least one bouncer is registered to the target resource path
- Sandbox and production API keys are available
- Parent platform can call Control Core APIs with bearer auth
Troubleshooting: If /health/ready is not ready, check /health/database, /health/redis, and /health/bouncers before continuing. Full reference: /troubleshooting
Architecture Pattern
Golden API Flow
- POST /developer-portal/token
- POST /api/v2/oem/generate
- POST /api/v2/oem/validate
- POST /api/v2/oem/test
- POST /api/v2/oem/deploy (sandbox)
- Verify via POST /decisions/evaluate and GET /audit/logs or GET /audit/export
- Disable/archive/reactivate using policy lifecycle status updates
Troubleshooting: If deploy succeeds but enforcement does not change, verify resource/bouncer binding and run a fresh /health/bouncers plus /audit/logs query. Common causes: wrong environment, stale binding, or bypass traffic path. Full reference: /troubleshooting
Temporary vs Permanent Controls
- Temporary controls: include expires_at metadata and pair it with explicit parent callbacks that disable/archive the control.
- Permanent controls: keep active and promote with production workflow controls.
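A parent-side expiry sweep for the temporary controls described above, as an added example that is not Control Core code. The control record shape, the disable callback, and the choice to treat an unreadable expires_at as already expired are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample records; the {"id", "metadata"} shape is an assumption.
SAMPLE_CONTROLS = [
    {"id": "ctl-perm", "metadata": {}},
    {"id": "ctl-future", "metadata": {"expires_at": "2025-01-02T00:00:00Z"}},
    {"id": "ctl-past", "metadata": {"expires_at": "2025-01-01T11:59:00+00:00"}},
    {"id": "ctl-offset", "metadata": {"expires_at": "2025-01-01T13:30:00+02:00"}},
    {"id": "ctl-garbled", "metadata": {"expires_at": "next tuesday"}},
    {"id": "ctl-flaky", "metadata": {"expires_at": "2024-12-31T00:00:00Z"}},
]

def parse_expiry(value):
    """Return an aware UTC datetime, or None when the value is unusable."""
    if not isinstance(value, str):
        return None
    try:
        parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    if parsed.tzinfo is None:
        return None  # naive timestamps are ambiguous, so the caller fails closed
    return parsed.astimezone(timezone.utc)

def sweep_temporary_controls(controls, disable, now=None):
    """Call disable(control_id) for each temporary control past expires_at.

    disable is the parent platform's callback (hypothetical); it may raise.
    Returns (disabled_ids, failed_ids, kept_ids).
    """
    now = now or datetime.now(timezone.utc)
    disabled, failed, kept = [], [], []
    for control in controls:
        meta = control.get("metadata") or {}
        if "expires_at" not in meta:
            kept.append(control["id"])  # permanent control, never swept
            continue
        expiry = parse_expiry(meta["expires_at"])
        # Fail closed: an unreadable expiry counts as already expired.
        if expiry is not None and expiry > now:
            kept.append(control["id"])
            continue
        try:
            disable(control["id"])
            disabled.append(control["id"])
        except Exception:
            failed.append(control["id"])  # keep for retry and alerting
    return disabled, failed, kept
```

Controls returned in the failed list are still active past their expiry, so they are the ones to retry and alert on.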
OEM Operator Automation
Use the bundled OEM support scripts from the deployment package:
- bash scripts/oem_status_check.sh for post-deploy readiness checks
- bash scripts/oem_support_bundle.sh for audit/troubleshooting evidence bundles
Troubleshooting: If script output is empty, verify CONTROL_CORE_API_URL and CONTROL_CORE_TOKEN values and confirm token permissions. Full reference: /guides/admin/troubleshooting