How-to

Add an app-level rule

Applies to: .NET SDK Last updated: 2026-06-11

Goal

Restrict a rule so it only applies when the sending application matches a specific binary or URL hash.

Why this is useful

An identity might be used by multiple applications. App-level rules let you write policies like "only the billing-portal application — even though it uses the corporate-bot identity — is permitted to write invoices."

Step 1 — Identify the application hash

Every message carries a ProtectionHash — a SHA-512 of the sending application's binary (or URL for browser apps). When you receive a message from the application you want to allow, capture its hash:

var msg = await client.DecryptEnvelopeAsync(envelope);
Console.WriteLine($"App hash: {msg.ProtectionHash}");

Step 2 — Optionally name the app

Create an app-registry.csv file in the working directory mapping hashes to readable names:

# hash, name
9C8D2F...AB12, billing-portal
4F19E0...3DCC, hr-app

Step 3 — Add the rule

// Using the readable name
await policies.AddPolicyRuleAsync(new PolicyRule(
    Sender:      "*@acme.com",
    Destination: "invoices.acme.com",
    Realm:       "app:billing-portal",
    Direction:   "outbound",
    Effect:      "allow"));

// Or using the hash directly
await policies.AddPolicyRuleAsync(new PolicyRule(
    "*@acme.com", "invoices.acme.com",
    "app:9C8D2F...AB12",
    "outbound", "allow"));

See also