How-to

Add a session rule

Applies to: .NET SDK Last updated: 2026-06-22

Goal

Apply a rule only to session-mediated traffic at this agent — typical for relay endpoints and any flow where the agent is acting on behalf of a session user.

Code (session-mediated traffic, agent-name convention)

await policies.AddPolicyRuleAsync(new PolicyRule(
    Sender:      "[email protected]",
    Destination: "claude01.mycompany.com",
    Realm:       $"session:{client.Name}",    // agent's own name → realm "session:<agent>"
    Direction:   "outbound",
    Effect:      "allow"));

And in the agent's relay/dispatch handler, pass the same value to AuthorizeAsync:

var decision = await client.Authorization.AuthorizeAsync(
    sender:      "[email protected]",
    destination: "claude01.mycompany.com",
    direction:   "outbound",
    sessionId:   client.Name);                // realm becomes "session:<agent>"

When the rule fires

This rule matches any session-mediated request at this agent whose sender/destination match. The Tier 2 realm is bound to the agent's identity — copying the encrypted policy to a differently-named agent will not activate it.

Per-conversation rules (advanced, less common)

If you specifically need rules scoped to a single conversation (e.g. a SaaS tenant id, a transient permission window), you can still pass a custom id as sessionId and write rules in the session:<your-id> realm. Keep in mind that those rules become invisible the moment the id changes, so you must add and remove them explicitly.

string conversationId = "abc-123";
await policies.AddPolicyRuleAsync(new PolicyRule(
    Sender:      "external-service.example.com",
    Destination: "self",
    Realm:       $"session:{conversationId}",
    Direction:   "inbound",
    Effect:      "allow"));

Typical use cases

Cleaning up after the session

await policies.RemovePolicyRuleAsync(rule);

See also