Getting Started with the Open Policy Agent REST API

The Open Policy Agent (OPA) REST API is the heart of OPA's power. It lets you push, pull, and evaluate policies over HTTP with precision. You can check rules, query data, and update policies without touching the underlying application. You can integrate security, compliance, and decision-making into any service that speaks HTTP.

At its core, the OPA REST API follows simple patterns. Send JSON in. Get JSON out. A POST to /v1/data evaluates policies against the input you provide. GET requests pull policy state and stored data. PUT uploads new policies or data dynamically. The API speaks in a predictable contract, which makes it easy to automate, script, and plug into CI/CD pipelines.

Evaluations are stateless by default. You send input, OPA replies with a decision. But OPA can also hold data for you — facts about your environment — and make them part of future decisions. This flexibility means you can enforce fine-grained authorization, risk checks, regulatory rules, and custom logic, all without waiting for a release cycle.

OPA’s REST API supports multiple endpoints to handle different tasks:

  • /v1/data for evaluating rules and retrieving decision results.
  • /v1/policies for managing the full text of Rego policies.
  • /v1/status for keeping track of health and sync state.
  • /v1/query for running ad-hoc Rego queries directly.

When deployed alongside microservices, OPA acts as a centralized, consistent, and testable brain. You call it when you need an answer. It responds using the rules you’ve defined. No hidden behavior, no unexpected results, just the current truth according to your policy.

Security is native, but it is not switched on for you: OPA supports TLS and request authentication, yet it serves plain, unauthenticated HTTP until you configure them. All communication with the OPA REST API should be wrapped in TLS, with authentication protecting every endpoint. This is not optional in production. Decisions are only as trustworthy as the channel they travel through. Configure OPA to enforce these controls early, so you don’t have to retrofit them later.
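A client for the POST /v1/data evaluation call described earlier, sent over verified TLS with a bearer token, and failing closed when OPA returns HTTP 200 with no result key because the rule is undefined. This is an added example, not code from OPA or hoop.dev; the host name, policy path, CA file and token are assumptions, and it presumes OPA is running with token authentication enabled.

```python
import json
import ssl
import urllib.error
import urllib.request

# Assumed deployment values (placeholders, not from the article).
OPA_URL = "https://opa.example.internal:8181"
POLICY_PATH = "httpapi/authz/allow"  # hypothetical rule data.httpapi.authz.allow


def interpret(status: int, body: bytes) -> bool:
    """Map a /v1/data response to allow/deny, failing closed.

    OPA answers 200 without a "result" key when the rule is undefined,
    so anything other than a literal JSON true is treated as deny.
    """
    if status != 200:
        return False
    try:
        doc = json.loads(body)
    except ValueError:  # malformed or non-UTF-8 body
        return False
    return isinstance(doc, dict) and doc.get("result") is True


def is_allowed(input_doc: dict, token: str, ca_file: str) -> bool:
    """POST {"input": ...} to OPA over verified TLS with a bearer token."""
    req = urllib.request.Request(
        f"{OPA_URL}/v1/data/{POLICY_PATH}",
        data=json.dumps({"input": input_doc}).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"},
        method="POST",
    )
    try:
        ctx = ssl.create_default_context(cafile=ca_file)  # cert + hostname checks
        with urllib.request.urlopen(req, context=ctx, timeout=2) as resp:
            return interpret(resp.status, resp.read())
    except OSError:  # bad CA file, HTTP 4xx/5xx, unreachable host, TLS failure
        return False


if __name__ == "__main__":
    # Constructed response bodies, not captured from a real OPA instance.
    for body in (b'{"result": true}', b'{"result": false}', b'{}'):
        print(body.decode(), "->", interpret(200, body))
```

Treating a non-boolean result as deny also catches a caller that queries a package path instead of the rule and gets an object back.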

Scaling is straightforward. OPA runs as a sidecar, a daemon, or as a centralized service. Its REST API means you can distribute it wherever decisions need to be made. Load balancers and orchestration tools can place OPA close to your workloads, keeping latency low while preserving strong policy governance.

Testing is the final piece. Because OPA’s decision-making is deterministic, you can record inputs and outputs from the REST API in development, check them into version control, and validate changes with CI pipelines. This turns your policies into living, testable components of your system architecture.

If you want to see OPA’s REST API in action without complex setup, you can be running real policies and decisions in minutes. Hoop.dev lets you hook up secure endpoints instantly and experiment with managing and evaluating policies right from your browser or terminal. Try it, deploy it, and watch your system obey your rules.
