Verify Resource

Tests connectivity to a cloud resource using its linked credentials. This endpoint validates that EntryGuard can successfully communicate with the cloud provider and access the specified resource.

Request

POST /resources/{id}/verify

Authentication

Requires Bearer JWT Token with ORG_ADMIN role.

Authorization: Bearer <access_token>

Path Parameters

Parameter	Type	Required	Description
`id`	UUID	Yes	Resource unique identifier

Request Body

No request body is required.

Response

Success Response

Status Code: 200 OK

Response Body:

{
  "id": "550e8400-e29b-41d4-a716-446655440000",
  "name": "Production API Gateway",
  "credentialId": "7c9e6679-7425-40de-944b-e07fc1f90ae7",
  "credentialName": "AWS Production Account",
  "provider": "AWS",
  "resourceType": "SECURITY_GROUP",
  "resourceIdentifier": "sg-0abc123def456",
  "region": "eu-central-1",
  "config": {
    "port": 443,
    "protocol": "tcp"
  },
  "isActive": true,
  "lastVerifiedAt": "2026-02-18T12:00:00Z",
  "createdAt": "2026-01-15T08:00:00Z",
  "updatedAt": "2026-02-18T12:00:00Z"
}

Response Fields

Field	Type	Description
`id`	UUID	Unique resource identifier
`name`	string	Human-readable resource name
`credentialId`	UUID	ID of linked cloud credential
`credentialName`	string	Name of linked cloud credential
`provider`	string	Cloud provider: `AWS`, `GCP`, `AZURE`, or `APISIX`
`resourceType`	string	Type of resource (e.g., `SECURITY_GROUP`)
`resourceIdentifier`	string	Cloud provider's resource ID (e.g., `sg-abc123`)
`region`	string	Cloud region
`config`	object	Resource-specific configuration
`isActive`	boolean	Set to `true` if verification succeeded, `false` if failed
`lastVerifiedAt`	string (ISO 8601)	Timestamp of this verification attempt
`createdAt`	string (ISO 8601)	Resource creation timestamp
`updatedAt`	string (ISO 8601)	Updated timestamp

Error Responses

Status Code	Error	Description
`400 Bad Request`	`VERIFICATION_FAILED`	Resource verification failed (resource exists but cannot be accessed)
`401 Unauthorized`	`UNAUTHORIZED`	Missing or invalid authentication token
`403 Forbidden`	`FORBIDDEN`	User lacks `ORG_ADMIN` role
`404 Not Found`	`RESOURCE_NOT_FOUND`	Resource with specified ID does not exist
`404 Not Found`	`CLOUD_RESOURCE_NOT_FOUND`	Resource ID is valid but cloud resource doesn't exist on provider
`429 Too Many Requests`	`RATE_LIMIT_EXCEEDED`	Rate limit exceeded
`500 Internal Server Error`	`INTERNAL_ERROR`	Server error occurred

Error Response Example - Verification Failed

{
  "error": "VERIFICATION_FAILED",
  "message": "Unable to access security group sg-0abc123def456: AccessDenied - Credentials lack DescribeSecurityGroups permission",
  "timestamp": "2026-02-18T12:00:00Z"
}

Error Response Example - Cloud Resource Not Found

{
  "error": "CLOUD_RESOURCE_NOT_FOUND",
  "message": "Security group sg-0abc123def456 does not exist in region eu-central-1",
  "timestamp": "2026-02-18T12:00:00Z"
}

Example

Request

curl -X POST https://api.entryguard.io/api/v1/resources/550e8400-e29b-41d4-a716-446655440000/verify \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
  -H "Content-Type: application/json"

Response - Success

{
  "id": "550e8400-e29b-41d4-a716-446655440000",
  "name": "Production API Gateway",
  "credentialId": "7c9e6679-7425-40de-944b-e07fc1f90ae7",
  "credentialName": "AWS Production Account",
  "provider": "AWS",
  "resourceType": "SECURITY_GROUP",
  "resourceIdentifier": "sg-0abc123def456",
  "region": "eu-central-1",
  "config": {
    "port": 443,
    "protocol": "tcp"
  },
  "isActive": true,
  "lastVerifiedAt": "2026-02-18T12:00:00Z",
  "createdAt": "2026-01-15T08:00:00Z",
  "updatedAt": "2026-02-18T12:00:00Z"
}

Response - Verification Failed

HTTP/1.1 400 Bad Request
Content-Type: application/json

{
  "error": "VERIFICATION_FAILED",
  "message": "Unable to access security group sg-0abc123def456: AccessDenied - Credentials lack DescribeSecurityGroups permission",
  "timestamp": "2026-02-18T12:00:00Z"
}

Notes

Verification tests that EntryGuard can communicate with the cloud provider and access the resource
For AWS Security Groups, this performs a DescribeSecurityGroups API call
If verification succeeds, isActive is set to true and lastVerifiedAt is updated
If verification fails, isActive is set to false
You should verify resources after:
- Creating a new resource
- Updating resourceIdentifier or credentialId
- Changing cloud provider credentials
- Troubleshooting session failures
Verification does not modify the cloud resource itself - it only tests read access
This operation is logged in the audit trail

Common Verification Failures

Provider	Error	Solution
AWS	`AccessDenied`	Grant `ec2:DescribeSecurityGroups` permission to IAM credentials
AWS	`InvalidGroup.NotFound`	Security group ID doesn't exist or wrong region
AWS	`UnauthorizedOperation`	IAM policy doesn't allow EC2 operations
GCP	`PERMISSION_DENIED`	Grant `compute.firewalls.get` permission
Azure	`AuthorizationFailed`	Grant Network Contributor role

Request​

Authentication​

Path Parameters​

Request Body​

Response​

Success Response​

Response Fields​

Error Responses​

Error Response Example - Verification Failed​

Error Response Example - Cloud Resource Not Found​

Example​

Request​

Response - Success​

Response - Verification Failed​

Notes​

Common Verification Failures​

Request

Authentication

Path Parameters

Request Body

Response

Success Response

Response Fields

Error Responses

Error Response Example - Verification Failed

Error Response Example - Cloud Resource Not Found

Example

Request

Response - Success

Response - Verification Failed

Notes

Common Verification Failures