How-to

Manually authorize a message

Applies to: .NET SDK Last updated: 2026-06-11

Goal

Apply authorization to a specific message even when global AutoEnforce is disabled, or pre-check an outbound message before encrypting.

Prerequisites

AutoEnforce must be OFF. The explicit methods AuthorizeAsync and CheckOutboundAsync throw if AutoEnforce is ON — to avoid double enforcement.

client.DisableAutoEnforce();

Inbound — authorize a received envelope

// Decrypt + run policy in one call
var msg = await client.AuthorizeAsync(envelope);

switch (msg.Authorized)
{
    case AuthorizationStatus.Allowed:
        ProcessMessage(msg.Sender, msg.Body);
        break;
    case AuthorizationStatus.Denied:
        logger.LogWarning($"Denied: {msg.DenialReason}");
        break;
}

Outbound — pre-check before encrypting

var decision = await client.CheckOutboundAsync(
    recipient:    "[email protected]",
    sessionId:    sessionId);

if (!decision.Allowed)
{
    logger.LogWarning($"Outbound blocked: {decision.Reason}");
    return;
}

// Safe to encrypt
string envelope = await client.EncryptEnvelopeAsync(
    "[email protected]", body, sessionId: sessionId);

See also