Protected Operations

What a protected operation is

A Protected Operation is a specific business action such as customer.create, payment_transaction.create, team_announcement.create, invoice.export, bank_account.update, or tax_document.download.

The operation key is the value developers send from the SDK or /api/evaluate. It includes both the business resource and the action so policies can target concrete runtime behavior.

Runtime evaluation resolves the protected operation before risk scoring so sensitivity, action type, resource type, category, and assigned policy can shape risk interpretation.

Why not just create_record?

The same generic action can have very different risk. Creating a team announcement is usually low sensitivity, creating a customer is often medium sensitivity, and creating a payment transaction can be critical.

Those three operations can all use actionType=create while still having different resource types, sensitivities, and policies.

Fields

• operationKey: stable developer-facing key, usually resource.action.
• actionType: create, read, update, delete, export, change, approve, download, or custom.
• resourceType: the business resource, such as customer, invoice, bank_account, or payment_transaction.
• sensitivity: low, medium, high, or critical.
• category: functional grouping such as writes, exports, billing/payment, permissions, or administrative.
• policy: reusable protection profile assigned to this operation.

Example

await shield.evaluate({
  operationKey: "payment_transaction.create",
  actor,
  resource: { type: "payment_transaction", id: paymentId },
  requestData: { amount, currency },
});