How-to
Manually authorize a message
Goal
Apply authorization to a specific message even when global AutoEnforce is disabled, or pre-check an outbound message before encrypting.
Prerequisites
AutoEnforce must be OFF. The explicit methods AuthorizeAsync and CheckOutboundAsync throw if AutoEnforce is ON — to avoid double enforcement.
client.DisableAutoEnforce(); Inbound — authorize a received envelope
// Decrypt + run policy in one call
var msg = await client.AuthorizeAsync(envelope);
switch (msg.Authorized)
{
case AuthorizationStatus.Allowed:
ProcessMessage(msg.Sender, msg.Body);
break;
case AuthorizationStatus.Denied:
logger.LogWarning($"Denied: {msg.DenialReason}");
break;
} Outbound — pre-check before encrypting
var decision = await client.CheckOutboundAsync(
recipient: "[email protected]",
sessionId: sessionId);
if (!decision.Allowed)
{
logger.LogWarning($"Outbound blocked: {decision.Reason}");
return;
}
// Safe to encrypt
string envelope = await client.EncryptEnvelopeAsync(
"[email protected]", body, sessionId: sessionId); See also
- Disable automatic enforcement How-to
- Handle a denied message How-to