How-to

Restrict by direction

Applies to: .NET SDK, Node.js SDK Last updated: 2026-06-11

Goal

Apply different rules to messages your agent receives (inbound) versus messages it sends (outbound).

Why direction matters

Inbound and outbound are independent. A rule that allows receiving from a party does not automatically allow sending to them. This separation lets you express realistic policies such as:

Inbound-only rule

// Anyone from example.com can send messages TO our agent
await policies.AddPolicyRuleAsync(new PolicyRule(
    Sender:      "*@example.com",
    Destination: "self",
    Realm:       "default",
    Direction:   "inbound",
    Effect:      "allow"));

Outbound-only rule

// Our agent can send messages to any acme.com agent
await policies.AddPolicyRuleAsync(new PolicyRule(
    Sender:      "self",
    Destination: "*.acme.com",
    Realm:       "default",
    Direction:   "outbound",
    Effect:      "allow"));

Asymmetric example

Receive from a monitoring service, but never reply:

// Allow inbound from monitoring
await policies.AddPolicyRuleAsync(new PolicyRule(
    "[email protected]", "self", "default", "inbound", "allow"));

// Explicitly block outbound to the same address
await policies.AddPolicyRuleAsync(new PolicyRule(
    "self", "[email protected]", "default", "outbound", "deny"));

What happens on a denied outbound

If your code calls EncryptEnvelopeAsync and an outbound rule denies the operation, the SDK throws UnauthorizedAccessException. The message is never produced, never sent.

try
{
    await client.EncryptEnvelopeAsync("[email protected]", "hello");
}
catch (UnauthorizedAccessException ex)
{
    Console.WriteLine($"Outbound blocked: {ex.Message}");
}

See also