SecureAuth AI Gateway

Create a policy

Define which agents can access which tools

Policies control what your agents are allowed to do. Without any rules, all requests are denied by default.

New organizations start with a default Allow all rule so agents work out of the box. Edit or delete it once you're ready to lock things down.

Policy rules are evaluated top-to-bottom — drag to reorder

Add a rule

To create a rule of your own:

  1. Navigate to Policies in the dashboard
  2. Click Add Rule
  3. Enter a name that describes what the rule does
  4. Choose the effect: Allow, Deny, or Gated (allow only when a condition holds)
  5. Set the scope to target specific resources, agents, users, or groups — leave it empty to match everything
  6. Set tool patterns to choose which tools the rule covers — * matches all tools, or use wildcards like send_*
  7. Set the status to Active to start enforcing it
  8. Click Create

New rules are added at the top of the table, so they take precedence over the default Allow all rule below them.

The rule editor reads as a sentence — click each pill to set the effect, scope, and tools

How rules work

Rules are evaluated top-to-bottom — the first match wins. If no rule matches, the request is denied.

  • Allow rules permit the tool call
  • Deny rules block it
  • Drag rules in the table to reorder them

Put more specific rules above more general ones. For example, a deny rule for delete_* at position 1 blocks deletes even if an allow-all rule exists below it.
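
A minimal model of the evaluation order described above, as an added example (not SecureAuth's code). The rule field names and sample rules are constructed, patterns are assumed to be case-sensitive exact names or names ending in one trailing `*`, and scope and conditions are left out. `shadowed` flags rules that can never fire because a broader rule sits above them.

```python
from fnmatch import fnmatchcase

# Constructed sample rules in table order (top first); field names are assumptions.
RULES = [
    {"name": "Block deletes", "effect": "deny", "tools": ["delete_*"]},
    {"name": "Allow all", "effect": "allow", "tools": ["*"]},
]

def evaluate(rules, tool):
    """First matching rule wins; a request that matches no rule is denied."""
    for rule in rules:
        if any(fnmatchcase(tool, pattern) for pattern in rule["tools"]):
            return rule["effect"], rule["name"]
    return "deny", None

def covers(broad, narrow):
    """True if every tool matched by `narrow` is also matched by `broad`.
    Assumes patterns are exact names or end in one trailing '*'."""
    if not broad.endswith("*"):
        return broad == narrow
    return narrow.rstrip("*").startswith(broad[:-1])

def shadowed(rules):
    """Names of rules that can never fire: rules above already match all their tools."""
    names = []
    for i, rule in enumerate(rules):
        above = [p for r in rules[:i] for p in r["tools"]]
        if rule["tools"] and all(any(covers(b, n) for b in above) for n in rule["tools"]):
            names.append(rule["name"])
    return names

if __name__ == "__main__":
    misordered = list(reversed(RULES))  # allow-all dragged above the deny rule
    for label, rules in (("intended", RULES), ("misordered", misordered)):
        print(label, evaluate(rules, "delete_user"), "shadowed:", shadowed(rules))
```

Running a check like `shadowed` over an exported rule list after each reorder catches a deny rule that has been dragged below a broader allow rule.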

Next steps

Once you have basic access working, you can refine your policies with:

  • Scope — restrict rules to specific resources, agents, or instances — or match them by tag
  • Tool patterns — use wildcards like send_* or list_* to match groups of tools
  • Conditions — add CEL expressions for dynamic logic (for example, agent.slug == "claude-code")
  • Argument-level conditions — gate on the live tool-call payload via request.args.* (for example, only allow send_message when request.args.channel_id == "C_GENERAL")
  • Impact preview — see which tools and agents a rule affects before saving

See the full policies guide for details, including the use-case catalog for argument-level conditions.
