API reference: Config backup
The config backup API exports a complete organization configuration snapshot and imports it back. Use it for backups before major changes, environment cloning (prod → staging), and audit trail. The current schema version is 2.0.
All endpoints require admin authentication.
Base path: /api/admin/orgs/{org_id}/config
Endpoints
| Method | Path | Description |
|---|---|---|
| GET | /api/admin/orgs/{org_id}/config/export | Export org config snapshot |
| POST | /api/admin/orgs/{org_id}/config/import | Import org config from snapshot |
What is included in a config snapshot
Schema version 2.0 exports 20 configuration domains:
Core configuration (6 domains)
| Domain | Contents |
|---|---|
| dlp_rules | Org-level DLP detector rules |
| compliance_bundles | Compliance bundle definitions with seed rule mappings |
| policy_templates | Policy rule templates |
| routing_rules | AI provider routing rules |
| enterprise_entitlements | Feature entitlement overrides |
| org_metadata | Organization display name and settings |
Group configuration (3 domains)
| Domain | Contents |
|---|---|
| group_dlp_configs | Per-group DLP detector overrides |
| group_model_access | Per-group and org-level model ALLOW/DENY rules |
| group_compliance_bundles | Per-group compliance bundle assignments |
Access and policy controls (5 domains)
| Domain | Contents |
|---|---|
| content_filters | Keyword block, topic block, and custom instruction filters |
| quotas | Per-user and per-group token, request, and cost quotas |
| kill_switch_state | Kill switch on/off state |
| fallback_chains | AI provider fallback chain configurations |
| ip_allowlist | IP allowlist entries |
Observability and operations (5 domains)
| Domain | Contents |
|---|---|
| webhooks | Webhook configurations (HMAC secrets are not exported) |
| alert_rules | Alert rule definitions |
| saml_idp_configs | SAML IdP configurations — export-only (not imported) |
| model_catalog | Model catalog entries — export-only (not imported) |
| retention_policies | Data retention policy rules |
Note: SAML IdP configs and model catalog entries are included in exports for documentation purposes but are not applied during import. HMAC secrets for webhooks are excluded from exports.
GET /api/admin/orgs/{org_id}/config/export
Export a complete configuration snapshot for the organization.
Authentication: Admin Bearer token
Path parameters:
| Parameter | Type | Description |
|---|---|---|
| org_id | UUID | The organization’s UUID |
Response 200 OK:
```json
{
  "schema_version": "2.0",
  "backup_version": "2026-03-12T14:30:00Z",
  "exported_at": "2026-03-12T14:30:00.123456Z",
  "org_id": "org_01abc123-...",
  "config": {
    "dlp_rules": [...],
    "compliance_bundles": [...],
    "policy_templates": [...],
    "routing_rules": [...],
    "enterprise_entitlements": [...],
    "org_metadata": {...},
    "group_dlp_configs": [...],
    "group_model_access": [...],
    "group_compliance_bundles": [...],
    "content_filters": [...],
    "quotas": { "users": [...], "groups": [...] },
    "model_catalog": [...],
    "kill_switch_state": {...},
    "fallback_chains": [...],
    "webhooks": [...],
    "alert_rules": [...],
    "saml_idp_configs": [...],
    "ip_allowlist": [...],
    "retention_policies": [...]
  }
}
```

Audit log: Every export writes an org_config_exported audit log entry with the exporting admin’s identity.
Saving the export to a file
```bash
curl -s \
  -H "Authorization: Bearer ${ADMIN_TOKEN}" \
  "https://api.arbitex.ai/api/admin/orgs/${ORG_ID}/config/export" \
  | jq . > config-backup-$(date +%Y%m%d).json
```

POST /api/admin/orgs/{org_id}/config/import
Import an organization configuration from a previously exported snapshot. The import is additive — it does not delete resources that exist in the target org but are absent from the snapshot. Conflict resolution is handled per-domain using the merge strategy described below.
Authentication: Admin Bearer token
Path parameters:
| Parameter | Type | Description |
|---|---|---|
| org_id | UUID | The organization’s UUID |
Request body: A ConfigExportResponse object (the full snapshot returned by the export endpoint).
```json
{
  "schema_version": "2.0",
  "backup_version": "2026-03-12T14:30:00Z",
  "exported_at": "2026-03-12T14:30:00.123456Z",
  "org_id": "org_01abc123-...",
  "config": { ... }
}
```

Supported schema versions: 1.0, 2.0. A snapshot exported with schema version 1.0 can be imported into a 2.0 instance — missing v2.0 domains are skipped.
Response 200 OK:
```json
{
  "org_id": "org_01abc123-...",
  "imported_at": "2026-03-12T15:00:00.456789Z",
  "summary": {
    "dlp_rules": {"created": 4, "skipped": 1},
    "compliance_bundles": {"created": 3, "skipped": 0},
    "content_filters": {"created": 2, "skipped": 0},
    "quotas": {"users_created": 5, "groups_created": 2},
    "routing_rules": {"created": 1, "skipped": 0},
    "webhooks": {"created": 2, "note": "HMAC secrets not restored — regenerate after import"}
  }
}
```

Validation errors 422 Unprocessable Entity: The request body does not match the ConfigImportRequest schema.
Audit log: Every import writes an org_config_imported audit log entry.
Import merge behavior
| Domain | Conflict behavior |
|---|---|
| dlp_rules | Skip if a rule with the same name already exists |
| compliance_bundles | Skip if a bundle with the same name already exists |
| content_filters | Skip if a filter with the same name already exists |
| policy_templates | Skip if a template with the same name already exists |
| routing_rules | Skip if a rule with the same name already exists |
| quotas | Skip if the user or group already has a quota set |
| webhooks | Always create (generates a new HMAC secret — see note below) |
| alert_rules | Skip if a rule with the same name already exists |
| ip_allowlist | Skip if the same CIDR/IP already exists |
| retention_policies | Skip if a policy with the same name already exists |
Webhook HMAC secrets: Webhook HMAC secrets are not included in exports for security reasons. Imported webhooks are created with a new auto-generated secret. After import, re-configure the secret on your webhook receiver.
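Because a name or CIDR conflict is skipped rather than overwritten, an entry that already exists in the target keeps the target's content even when the snapshot's version differs. The following is an added example, not Arbitex code: it predicts the import result by comparing a snapshot with the target org's own export, covering the name-keyed and CIDR-keyed domains and webhooks from the merge table. The entry field names (`name`, `cidr`, `id`, `created_at`, `updated_at`) and the sample data are assumptions.

```python
# Conflict key per domain, from the merge table. The field names "name" and
# "cidr" are assumptions: the page does not show the object schemas.
CONFLICT_KEY = {d: "name" for d in (
    "dlp_rules", "compliance_bundles", "content_filters", "policy_templates",
    "routing_rules", "alert_rules", "retention_policies")}
CONFLICT_KEY["ip_allowlist"] = "cidr"
EXPORT_ONLY = {"saml_idp_configs", "model_catalog"}   # exported, never applied
VOLATILE = {"id", "created_at", "updated_at"}         # assumed per-org fields

def _body(entry):
    """Entry content without fields expected to differ between orgs."""
    return {k: v for k, v in entry.items() if k not in VOLATILE}

def predict_import(snapshot, target_export):
    """Predict per-domain import results from a snapshot and the target's export."""
    src, dst = snapshot["config"], target_export["config"]
    report = {}
    for domain, entries in src.items():
        if domain in EXPORT_ONLY:
            report[domain] = {"ignored": len(entries)}
        elif domain == "webhooks":
            # Always created, even if the target already has webhooks.
            report[domain] = {"create": len(entries),
                              "already_in_target": len(dst.get(domain, []))}
        elif domain in CONFLICT_KEY:
            key = CONFLICT_KEY[domain]
            incoming = {e[key]: e for e in entries}
            existing = {e[key]: e for e in dst.get(domain, [])}
            skip = sorted(k for k in incoming if k in existing)
            report[domain] = {
                "create": sorted(k for k in incoming if k not in existing),
                "skip": skip,
                # Same key, different content: the target's version is kept.
                "kept_target_version": [k for k in skip
                                        if _body(incoming[k]) != _body(existing[k])],
            }
    return report

# Constructed sample data (not real exports).
SNAPSHOT = {"schema_version": "2.0", "config": {
    "dlp_rules": [{"name": "block-ssn", "action": "BLOCK"},
                  {"name": "mask-email", "action": "REDACT"}],
    "ip_allowlist": [{"cidr": "203.0.113.0/24"}],
    "webhooks": [{"url": "https://hooks.example.test/a"}],
    "model_catalog": [{"name": "m1"}]}}
TARGET = {"schema_version": "2.0", "config": {
    "dlp_rules": [{"name": "block-ssn", "action": "LOG"}],
    "ip_allowlist": [{"cidr": "203.0.113.0/24"}],
    "webhooks": [{"url": "https://hooks.example.test/a"}]}}
```

In the sample, `block-ssn` lands in `kept_target_version`: the import would report it as skipped and the target would keep its own `LOG` version of the rule.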
Environment cloning workflow
To clone configuration from a production org to a staging org:

1. Export from production:

   ```bash
   curl -s \
     -H "Authorization: Bearer ${PROD_ADMIN_TOKEN}" \
     "https://api.arbitex.ai/api/admin/orgs/${PROD_ORG_ID}/config/export" \
     > prod-config.json
   ```

2. Review the snapshot and remove any sensitive entries you do not want cloned to staging.

3. Import into staging:

   ```bash
   curl -s -X POST \
     -H "Authorization: Bearer ${STAGING_ADMIN_TOKEN}" \
     -H "Content-Type: application/json" \
     -d @prod-config.json \
     "https://api.arbitex.ai/api/admin/orgs/${STAGING_ORG_ID}/config/import"
   ```

4. Review the import summary and regenerate webhook HMAC secrets on the staging webhook receivers.
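A review aid for the snapshot review step of the cloning workflow, as an added example that is not Arbitex code: it checks the schema version, drops the domains you choose not to clone, and lists any non-empty values stored under secret-looking key names so they can be inspected before import. The key-name pattern, the entry fields and the sample snapshot are assumptions.

```python
import re

SUPPORTED_SCHEMAS = {"1.0", "2.0"}   # versions the import endpoint accepts
# Assumed key-name pattern. A bare "token" is left out on purpose because
# quota entries count tokens; adjust to the fields in your own snapshots.
SECRET_KEY = re.compile(r"secret|password|private_key|api_key|auth_token", re.I)

def find_secret_like(node, path="config"):
    """Return paths of non-empty values stored under secret-looking key names."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            if SECRET_KEY.search(key) and value not in (None, "", [], {}):
                hits.append(here)
            hits += find_secret_like(value, here)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits += find_secret_like(value, f"{path}[{i}]")
    return hits

def prepare_for_staging(snapshot, drop_domains):
    """Return (cleaned snapshot, findings); the input snapshot is not modified."""
    version = snapshot.get("schema_version")
    if version not in SUPPORTED_SCHEMAS:
        raise ValueError(f"unsupported schema_version: {version!r}")
    config = {d: v for d, v in snapshot["config"].items() if d not in drop_domains}
    return {**snapshot, "config": config}, find_secret_like(config)

# Constructed sample snapshot (not a real export).
SAMPLE = {"schema_version": "2.0", "org_id": "org_example", "config": {
    "ip_allowlist": [{"cidr": "198.51.100.7/32"}],
    "quotas": {"users": [{"user_id": "u1", "token_limit": 1000}], "groups": []},
    "alert_rules": [{"name": "spike",
                     "channel": {"type": "http", "auth_secret": "constructed-value"}}],
    "webhooks": [{"url": "https://hooks.example.test/a", "hmac_secret": None}]}}

if __name__ == "__main__":
    cleaned, findings = prepare_for_staging(SAMPLE, {"ip_allowlist"})
    print(sorted(cleaned["config"]), findings)
```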
See also
- Audit log — query org_config_exported and org_config_imported audit entries
- Compliance bundles — compliance bundle management
- Content filters API reference — content filter object schema
- Quotas API reference — quota object schema