Start the OPA server with opa run --server (optionally specifying a bundle or policy directory with -b or a policy file argument); by default it listens on port 8181
Load policies by bundling them (opa build) and configuring OPA to pull from a bundle server, or by POSTing Rego policy text to /v1/policies/POLICY_ID to upload individual policies at runtime
Evaluate a policy decision by sending a POST to /v1/data/PACKAGE/RULE with a JSON body containing an input object; the response body's result field contains the policy decision
Structure your Rego package hierarchy to mirror your authorization model (e.g., authz.allow, authz.deny) so that callers have a stable, predictable query path
Use partial evaluation or the compile API (/v1/compile) to push policy decisions to the edge or to generate query plans for performance-sensitive paths
Configure OPA's decision log plugin to emit structured log entries of every query and decision to your SIEM or logging pipeline for audit purposes
Known gotchas
The /v1/data path returns a response with no result field (not false) when a rule is undefined; callers must treat an undefined or missing result field as a deny, not an allow
OPA's built-in HTTP server has no authentication by default; place it behind a sidecar or internal network boundary and never expose it directly to the internet
Rego rule ordering does not determine evaluation priority the way it does in some other languages; all matching rules contribute to the set or value, so duplicate allow rules are fine but duplicate deny rules can conflict
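The fail-closed handling that the first gotcha calls for, as an added example (not code from the original page or from the OPA project). The authz/allow path follows the page's own example; the 127.0.0.1 address, the function names and the sample response bodies are assumptions constructed for illustration.

```python
import json
import urllib.request

OPA_URL = "http://127.0.0.1:8181"  # assumption: OPA on its default port, local only

# Constructed response bodies for POST /v1/data/authz/allow
SAMPLES = {
    "allowed": b'{"result": true}',
    "denied": b'{"result": false}',
    "undefined_rule": b'{}',  # rule undefined: no result key at all
    "queried_package": b'{"result": {"allow": false}}',  # truthy object, not a decision
    "garbage": b'<html>502</html>',
}

def parse_decision(body):
    """Allow only when the body is a JSON object whose result is exactly true."""
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return False
    # "is True" rejects missing keys, null, objects, strings and numbers alike.
    return isinstance(doc, dict) and doc.get("result") is True

def is_allowed(input_doc, path="authz/allow",
               opener=urllib.request.urlopen, timeout=2.0):
    """Query OPA; deny on transport errors, non-200 replies and undefined rules."""
    req = urllib.request.Request(
        f"{OPA_URL}/v1/data/{path}",
        data=json.dumps({"input": input_doc}).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    try:
        with opener(req, timeout=timeout) as resp:
            return resp.status == 200 and parse_decision(resp.read())
    except OSError:  # URLError, HTTPError and socket timeouts all derive from OSError
        return False

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:16} -> {'allow' if parse_decision(body) else 'deny'}")
```

The queried_package sample shows why a plain truthiness check on result is not enough: querying the package path instead of the rule returns a non-empty object, which is truthy even though the decision inside it is a deny.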