How-to

Use wildcards in rules

Applies to: .NET SDK, Node.js SDK Last updated: 2026-06-11

Goal

Write rules that apply to groups of identities rather than enumerating each one individually.

Wildcard syntax

PatternMatchesExample
*Any sequence of characters*@example.com matches any email at example.com
?Exactly one characteragent?.acme.com matches agent1, agent2, etc.
literalExact match (case-insensitive)[email protected] matches only that identity

Common patterns

Allow everyone from a domain

await policies.AddPolicyRuleAsync(new PolicyRule(
    Sender:      "*@example.com",
    Destination: "self",
    Realm:       "default",
    Direction:   "inbound",
    Effect:      "allow"));

Allow any acme.com subdomain agent

await policies.AddPolicyRuleAsync(new PolicyRule(
    Sender:      "*.acme.com",
    Destination: "self",
    Realm:       "default",
    Direction:   "inbound",
    Effect:      "allow"));

Allow a generic agent identity prefix

// Match any generic agent name starting with this prefix
await policies.AddPolicyRuleAsync(new PolicyRule(
    Sender:      "web0-bliss-cyan-*",
    Destination: "self",
    Realm:       "default",
    Direction:   "inbound",
    Effect:      "allow"));

Match anything (use sparingly)

await policies.AddPolicyRuleAsync(new PolicyRule(
    Sender:      "*",
    Destination: "self",
    Realm:       "default",
    Direction:   "inbound",
    Effect:      "allow"));

Wildcards in the destination

The same syntax works in the destination column:

// Allow our agent to send messages to any agent under acme.com
await policies.AddPolicyRuleAsync(new PolicyRule(
    Sender:      "self",
    Destination: "*.acme.com",
    Realm:       "default",
    Direction:   "outbound",
    Effect:      "allow"));

Combining wildcard allow with literal deny

A common pattern: allow a whole domain, but block specific bad actors within it:

// Allow everyone from example.com
await policies.AddPolicyRuleAsync(new PolicyRule(
    "*@example.com", "self", "default", "inbound", "allow"));

// Block one specific account
await policies.AddPolicyRuleAsync(new PolicyRule(
    "[email protected]", "self", "default", "inbound", "deny"));

Because deny always wins, [email protected] is blocked while everyone else from example.com is allowed.

See also