Model access API
The model access API controls which AI models are available to your organization and to specific groups. Rules support glob patterns (for example, gpt-5*) for matching families of models. Group rules take precedence over org-level defaults.
Concepts
Access types
Each rule has an access_type of either allow or deny.
- allow: explicitly permits access to a model (or pattern). When any allow rule exists at the group or org level, the system switches to allowlist mode: only explicitly allowed models are accessible.
- deny: explicitly blocks access to a model (or pattern). In denylist-only mode (no allow rules), all models are accessible except those explicitly denied.
Resolution algorithm
For each request, access is resolved in this order:
- Load the user’s group memberships and the group model access rules for those groups.
- Load the org-level default rules (no group assignment).
- If no rules exist at all → unrestricted (all models allowed).
- Check group rules first using fnmatch pattern matching:
  - If any group ALLOW rule matches → allowed.
  - If any group DENY rule matches (and no ALLOW matched) → denied.
- If no group rules matched, check org defaults:
  - If any org ALLOW rule matches → allowed.
  - If any org DENY rule matches → denied.
- If allow rules exist anywhere (group or org) but nothing matched → denied (allowlist mode). Otherwise → allowed.
Glob patterns
Model IDs may contain fnmatch-style glob patterns:
| Pattern | Matches |
|---|---|
| gpt-4o | Exactly gpt-4o |
| gpt-5* | Any model starting with gpt-5 |
| claude-* | Any Claude model |
| * | Any model from the specified provider |
Patterns are matched against the exact model identifier string as submitted in the API request.
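The resolution order and glob matching described above, worked through as an added example (it is not Arbitex's code). It assumes Python's fnmatchcase stands in for the service's fnmatch matching, that a rule applies only to requests for its own provider, and that "allow rules exist anywhere" means among the rules loaded for this user; the Rule type, function names and sample model IDs are constructed for illustration.

```python
from fnmatch import fnmatchcase
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    model_id: str     # exact model ID or glob pattern
    provider: str
    access_type: str  # "allow" or "deny"

def tier_verdict(rules, provider, model) -> Optional[str]:
    """Verdict of one tier (group or org); ALLOW is checked before DENY."""
    # Assumptions: a rule only applies to its own provider, and matching is
    # case-sensitive on the model ID exactly as submitted.
    hits = {r.access_type for r in rules
            if r.provider == provider and fnmatchcase(model, r.model_id)}
    return "allow" if "allow" in hits else "deny" if "deny" in hits else None

def resolve(group_rules, org_rules, provider, model):
    """Return (allowed, reason) following the documented resolution order."""
    if not group_rules and not org_rules:
        return True, "unrestricted"
    for tier, rules in (("group", group_rules), ("org", org_rules)):
        verdict = tier_verdict(rules, provider, model)
        if verdict:
            return verdict == "allow", f"{tier} {verdict}"
    # Nothing matched: any allow rule in scope means allowlist mode.
    if any(r.access_type == "allow" for r in [*group_rules, *org_rules]):
        return False, "allowlist mode"
    return True, "no match"

# Constructed sample rules, mirroring the responses shown on this page.
ORG = [Rule("gpt-4o", "openai", "deny"), Rule("claude-*", "anthropic", "allow")]
FINANCE = [Rule("o1", "openai", "allow"), Rule("gpt-5*", "openai", "deny")]
# Constructed overlap: a broad allow and a narrower deny in the same tier.
OVERLAP = [Rule("gpt-*", "openai", "allow"), Rule("gpt-5*", "openai", "deny")]

if __name__ == "__main__":
    for rules, provider, model in [
        (FINANCE, "openai", "o1"), (FINANCE, "openai", "gpt-5-test"),
        (FINANCE, "anthropic", "claude-example"), ([], "openai", "o1"),
        (OVERLAP, "openai", "gpt-5-test"),
    ]:
        print(provider, model, resolve(rules, ORG, provider, model))
```

Under the documented order the OVERLAP case resolves to allowed, because an ALLOW match is evaluated before DENY within the same tier. To exclude a model family from a broad allow in the same group, narrow the allow pattern instead of adding a deny beside it.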
Org-level model access defaults
Org defaults apply to all users in your organization that are not covered by a more specific group rule.
Base URL: https://api.arbitex.ai/api/admin/model-access
List org defaults
GET /api/admin/model-access/org-defaults
Returns all org-level model access rules for your tenant.
Request
```bash
curl https://api.arbitex.ai/api/admin/model-access/org-defaults \
  -H "Authorization: Bearer arb_live_your-api-key-here"
```
Response 200 OK
```json
[
  {
    "id": "mra_01HZ_ORG_GPT4",
    "tenant_id": "org_acme",
    "model_id": "gpt-4o",
    "provider": "openai",
    "access_type": "deny",
    "created_at": "2026-03-01T10:00:00Z",
    "updated_at": "2026-03-01T10:00:00Z"
  },
  {
    "id": "mra_01HZ_ORG_CLAUDE",
    "tenant_id": "org_acme",
    "model_id": "claude-*",
    "provider": "anthropic",
    "access_type": "allow",
    "created_at": "2026-03-01T10:00:00Z",
    "updated_at": "2026-03-01T10:00:00Z"
  }
]
```
Create or update an org default
POST /api/admin/model-access/org-defaults
Creates a new org-level default rule. If a rule already exists for the same model_id and provider, it is updated to the new access_type.
Request body
| Field | Type | Required | Description |
|---|---|---|---|
| model_id | string | Yes | Model identifier or glob pattern |
| provider | string | Yes | Provider identifier (e.g. openai, anthropic) |
| access_type | string | Yes | "allow" or "deny" |
```bash
curl -X POST https://api.arbitex.ai/api/admin/model-access/org-defaults \
  -H "Authorization: Bearer arb_live_your-api-key-here" \
  -H "Content-Type: application/json" \
  -d '{
    "model_id": "claude-*",
    "provider": "anthropic",
    "access_type": "allow"
  }'
```
Response 201 Created
```json
{
  "id": "mra_01HZ_ORG_CLAUDE",
  "tenant_id": "org_acme",
  "model_id": "claude-*",
  "provider": "anthropic",
  "access_type": "allow",
  "created_at": "2026-03-09T14:30:00Z",
  "updated_at": "2026-03-09T14:30:00Z"
}
```
Delete an org default
DELETE /api/admin/model-access/org-defaults/{model_id}
Removes an org-level default rule. The model_id path parameter supports URL-encoded patterns.
```bash
curl -X DELETE \
  "https://api.arbitex.ai/api/admin/model-access/org-defaults/claude-*" \
  -H "Authorization: Bearer arb_live_your-api-key-here"
```
Response 204 No Content on success.
Group model access
Group rules override org defaults for users who are members of the specified group. Group membership comes from your SCIM directory sync.
Base URL: https://api.arbitex.ai/api/admin/groups/{group_id}/model-access
List group model access rules
GET /api/admin/groups/{group_id}/model-access
Returns all model access rules for a group, ordered by model ID.
```bash
curl "https://api.arbitex.ai/api/admin/groups/grp_01HZ_FINANCE/model-access" \
  -H "Authorization: Bearer arb_live_your-api-key-here"
```
Response 200 OK
```json
[
  {
    "id": "mra_01HZ_GRP_O1",
    "group_id": "grp_01HZ_FINANCE",
    "tenant_id": "org_acme",
    "model_id": "o1",
    "provider": "openai",
    "access_type": "allow",
    "created_at": "2026-02-15T09:00:00Z",
    "updated_at": "2026-02-15T09:00:00Z"
  },
  {
    "id": "mra_01HZ_GRP_GPT5",
    "group_id": "grp_01HZ_FINANCE",
    "tenant_id": "org_acme",
    "model_id": "gpt-5*",
    "provider": "openai",
    "access_type": "deny",
    "created_at": "2026-03-01T09:00:00Z",
    "updated_at": "2026-03-01T09:00:00Z"
  }
]
```
Create or update a group model access rule
POST /api/admin/groups/{group_id}/model-access
Creates or updates a model access rule for a specific group. If a rule already exists for the same model_id and provider, it is updated.
Request body
| Field | Type | Required | Description |
|---|---|---|---|
| model_id | string | Yes | Model identifier or glob pattern |
| provider | string | Yes | Provider identifier |
| access_type | string | Yes | "allow" or "deny" |
```bash
curl -X POST \
  "https://api.arbitex.ai/api/admin/groups/grp_01HZ_FINANCE/model-access" \
  -H "Authorization: Bearer arb_live_your-api-key-here" \
  -H "Content-Type: application/json" \
  -d '{
    "model_id": "o1",
    "provider": "openai",
    "access_type": "allow"
  }'
```
Response 201 Created
```json
{
  "id": "mra_01HZ_GRP_O1",
  "group_id": "grp_01HZ_FINANCE",
  "tenant_id": "org_acme",
  "model_id": "o1",
  "provider": "openai",
  "access_type": "allow",
  "created_at": "2026-03-09T14:35:00Z",
  "updated_at": "2026-03-09T14:35:00Z"
}
```
Delete a group model access rule
DELETE /api/admin/groups/{group_id}/model-access/{model_id}
```bash
curl -X DELETE \
  "https://api.arbitex.ai/api/admin/groups/grp_01HZ_FINANCE/model-access/o1" \
  -H "Authorization: Bearer arb_live_your-api-key-here"
```
Response 204 No Content on success. Returns 404 if the group or rule is not found.
Common scenarios
Allow only Anthropic models org-wide
Org defaults: allow all claude-* for anthropic. No other allow rules. When any allow rule exists, the org is in allowlist mode: all other providers and models are implicitly denied.
```bash
# Allow all Claude models for all users by default
curl -X POST https://api.arbitex.ai/api/admin/model-access/org-defaults \
  -H "Authorization: Bearer arb_live_your-api-key-here" \
  -H "Content-Type: application/json" \
  -d '{"model_id": "claude-*", "provider": "anthropic", "access_type": "allow"}'
```
Users can now access any model matching claude-* on anthropic. They cannot access any OpenAI or other provider model unless a separate allow rule exists.
Allow a specific group access to additional models
The finance group needs access to o1 in addition to the org-wide Claude allowlist.
```bash
# Add o1 allow rule for the finance group
curl -X POST \
  "https://api.arbitex.ai/api/admin/groups/grp_01HZ_FINANCE/model-access" \
  -H "Authorization: Bearer arb_live_your-api-key-here" \
  -H "Content-Type: application/json" \
  -d '{"model_id": "o1", "provider": "openai", "access_type": "allow"}'
```
Resolution: Finance group members → group ALLOW for o1 matches → allowed. Other users → no group rule → check org defaults → org ALLOW for claude-* matches (if Anthropic) → allowed; otherwise → denied.
Deny a specific model for a group
Block all gpt-5* models for the restricted-access group, regardless of org defaults.
```bash
curl -X POST \
  "https://api.arbitex.ai/api/admin/groups/grp_01HZ_RESTRICTED/model-access" \
  -H "Authorization: Bearer arb_live_your-api-key-here" \
  -H "Content-Type: application/json" \
  -d '{"model_id": "gpt-5*", "provider": "openai", "access_type": "deny"}'
```
Group DENY rules take precedence over org ALLOW rules. Members of restricted-access will be denied gpt-5* models even if the org default allows them.
Error responses
| Status | Code | Description |
|---|---|---|
| 400 | bad_request | Missing required field or invalid access_type value |
| 403 | forbidden | API key does not have admin permissions |
| 404 | not_found | Group not found, or model access rule not found for DELETE |
See also
- Routing: provider-level routing rules, independent of model access control
- Policy Rule Reference: models and providers conditions on policy rules for enforcement-layer model restrictions
- Entra ID SCIM provisioning: setting up the group sync that drives group membership resolution