Create a policy

Policies control what your agents are allowed to do. Without any rules, all requests are denied by default.

Create an allow-all rule

To get started quickly:

1. Navigate to Policies in the dashboard
2. Click Add Rule
3. Enter a name (for example, "Allow all tools")
4. Set the effect to Allow
5. Leave tool patterns as * to match all tools
6. Set the status to Active
7. Click Create Rule

This allows all agents to use all tools. You can add more specific rules later to lock things down.

How rules work

Rules are evaluated top-to-bottom — the first match wins. If no rule matches, the request is denied.

• Allow rules permit the tool call
• Deny rules block it
• Drag rules in the table to reorder them

Put more specific rules above more general ones. For example, a deny rule for delete_* at position 1 blocks deletes even if an allow-all rule exists below it.

Next steps

Once you have basic access working, you can refine your policies with:

• Scope filters — restrict rules to specific MCP servers, agents, or agent instances
• Tool patterns — use wildcards like send_* or list_* to match groups of tools
• Conditions — add CEL expressions for dynamic logic (for example, agent.slug == "claude-code")
• Argument-level conditions — gate on the live tool-call payload via request.args.* (for example, only allow send_message when request.args.channel_id == "C_GENERAL")
• Impact preview — see which tools and agents a rule affects before saving

See the full policies guide for details, including the use-case catalog for argument-level conditions.