How-to
Add an app-level rule
Goal
Restrict a rule so it only applies when the sending application matches a specific binary or URL hash.
Why this is useful
An identity might be used by multiple applications. App-level rules let you write policies like "only the billing-portal application — even though it uses the corporate-bot identity — is permitted to write invoices."
Step 1 — Identify the application hash
Every message carries a ProtectionHash — a SHA-512 of the sending application's binary (or URL for browser apps). When you receive a message from the application you want to allow, capture its hash:
var msg = await client.DecryptEnvelopeAsync(envelope);
Console.WriteLine($"App hash: {msg.ProtectionHash}"); Step 2 — Optionally name the app
Create an app-registry.csv file in the working directory mapping hashes to readable names:
# hash, name
9C8D2F...AB12, billing-portal
4F19E0...3DCC, hr-app Step 3 — Add the rule
// Using the readable name
await policies.AddPolicyRuleAsync(new PolicyRule(
Sender: "*@acme.com",
Destination: "invoices.acme.com",
Realm: "app:billing-portal",
Direction: "outbound",
Effect: "allow"));
// Or using the hash directly
await policies.AddPolicyRuleAsync(new PolicyRule(
"*@acme.com", "invoices.acme.com",
"app:9C8D2F...AB12",
"outbound", "allow")); See also
- The authorization model Concept
- Allow a specific sender How-to