How-to

Deny a specific sender

Applies to: .NET SDK, Node.js SDK Last updated: 2026-06-11

Goal

Block messages from a specific identity. The deny rule overrides any allow rule that would otherwise match.

Code

using HexaEight.Bridge;
using HexaEight.Bridge.Authorization;

var client = new Client();
var policies = (CasbinAuthorizationProvider)client.Authorization;

await policies.AddPolicyRuleAsync(new PolicyRule(
    Sender:      "[email protected]",
    Destination: "self",
    Realm:       "default",
    Direction:   "inbound",
    Effect:      "deny"));

Verifying the rule fired

var msg = await client.DecryptEnvelopeAsync(envelopeFromHacker);
Console.WriteLine($"Authorized:   {msg.Authorized}");      // Denied
Console.WriteLine($"DenyTier:     {msg.DenyTier}");         // Default
Console.WriteLine($"DenialReason: {msg.DenialReason}");
Console.WriteLine($"Body:         {msg.Body}");
// Body: "redacted due to authorization enforcement"

Blocking a whole domain

await policies.AddPolicyRuleAsync(new PolicyRule(
    Sender:      "*@evil.com",
    Destination: "self",
    Realm:       "default",
    Direction:   "inbound",
    Effect:      "deny"));

Blocking outbound to a destination

To prevent your agent from sending to a particular destination:

await policies.AddPolicyRuleAsync(new PolicyRule(
    Sender:      "*",
    Destination: "untrusted-service.com",
    Realm:       "default",
    Direction:   "outbound",
    Effect:      "deny"));

If your code calls EncryptEnvelopeAsync with that destination, the SDK throws instead of producing an envelope.

See also