Policy Enforcement
Policies control which outbound API calls your agents can make. They are set per session when you create a sandbox token, so each session can carry its own rules.
Default action

Every policy starts with a default action. Use deny to block everything that is not explicitly allowed; this is the safer starting point, because a forgotten rule then means a blocked call rather than an unexpected one:

```js
policies: {
  default: "deny", // block everything not explicitly allowed
}
```

Or allow, to let everything through except what is explicitly blocked:

```js
policies: {
  default: "allow", // allow everything not explicitly blocked
}
```

Rules allow or deny requests matching a domain, method, and path pattern:
```js
policies: {
  default: "deny",
  rules: [
    // Allow all requests to OpenAI
    { domain: "api.openai.com" },

    // Allow only GET to specific GitHub repos
    { domain: "api.github.com", methods: ["GET"], paths: ["/repos/acme/*"] },

    // Allow POST to a specific endpoint
    { domain: "api.stripe.com", methods: ["POST"], paths: ["/v1/charges"] },
  ],
}
```

Rules are evaluated in order and the first match wins; if no rule matches, the default action applies. Because evaluation stops at the first match, put the narrowest rules first: a broad rule placed ahead of a more specific one for the same domain means the specific one is never reached. A rule that omits methods or paths matches every method or path on that domain, as the OpenAI rule above does.
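The evaluation order described above, as an added reference evaluator (this is example code, not Sylo's implementation). It assumes that an omitted methods or paths matches everything, that "*" in a path pattern matches any characters including "/", that the query string is ignored, and that a rule may carry an optional action field (defaulting to "allow") so that an explicit deny rule can be shown being shadowed by a broader allow placed before it.

```javascript
// Added example: a reference evaluator for the rule semantics above (match on
// domain, method and path; first match wins; otherwise the default applies).
// Not Sylo's implementation. Assumptions: an omitted `methods` or `paths`
// matches everything, "*" in a path pattern matches any characters including
// "/", the query string is ignored, and a rule may carry an optional `action`
// field (defaulting to "allow") so explicit deny rules can be demonstrated.

// Turn "/repos/acme/*" into an anchored RegExp, escaping everything but "*".
function pathPatternToRegExp(pattern) {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*") + "$");
}

// True when one rule matches the request.
function ruleMatches(rule, req) {
  if (rule.domain !== req.domain) return false;
  if (rule.methods && !rule.methods.includes(req.method)) return false;
  const path = req.path.split("?")[0]; // assumption: match on the path only
  if (rule.paths && !rule.paths.some((p) => pathPatternToRegExp(p).test(path))) return false;
  return true;
}

// Walk the rules in order. Returns the decision and which rule produced it
// (ruleIndex -1 means the default action applied).
function evaluate(policies, req) {
  const rules = policies.rules || [];
  for (let i = 0; i < rules.length; i++) {
    if (ruleMatches(rules[i], req)) {
      return { action: rules[i].action || "allow", ruleIndex: i };
    }
  }
  return { action: policies.default, ruleIndex: -1 };
}

// The GitHub and Stripe rules from the text, under a deny default.
const policy = {
  default: "deny",
  rules: [
    { domain: "api.github.com", methods: ["GET"], paths: ["/repos/acme/*"] },
    { domain: "api.stripe.com", methods: ["POST"], paths: ["/v1/charges"] },
  ],
};

// Ordering pitfall: the broad allow comes first, so the narrower deny below it
// is never reached. Swapping the two rules fixes it.
const shadowedDeny = {
  default: "deny",
  rules: [
    { domain: "api.github.com", methods: ["GET"], paths: ["/repos/acme/*"] },
    { domain: "api.github.com", paths: ["/repos/acme/secrets/*"], action: "deny" },
  ],
};
const narrowFirst = { default: "deny", rules: [shadowedDeny.rules[1], shadowedDeny.rules[0]] };

// Constructed sample requests.
const readWidgets = { domain: "api.github.com", method: "GET", path: "/repos/acme/widgets?per_page=5" };
const readSecrets = { domain: "api.github.com", method: "GET", path: "/repos/acme/secrets/keys" };
const charge = { domain: "api.stripe.com", method: "POST", path: "/v1/charges" };
const refund = { domain: "api.stripe.com", method: "POST", path: "/v1/refunds" };

console.log(evaluate(policy, readWidgets));       // { action: 'allow', ruleIndex: 0 }
console.log(evaluate(policy, refund));            // { action: 'deny', ruleIndex: -1 }
console.log(evaluate(shadowedDeny, readSecrets)); // { action: 'allow', ruleIndex: 0 }  (deny rule shadowed)
console.log(evaluate(narrowFirst, readSecrets));  // { action: 'deny', ruleIndex: 0 }
```

The ruleIndex in each result is the thing to log in practice: when a call is allowed or blocked unexpectedly, knowing which rule fired (or that none did) is what tells you whether the fix is a new rule or a reordering.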
Rate limiting

Limit requests per domain:

```js
policies: {
  default: "allow",
  rateLimit: {
    "api.openai.com": "20/min",
    "api.github.com": "100/hour",
  },
}
```

Rate limits are enforced per session, so each sandbox token gets its own budget for each listed domain. When a limit is exceeded, further requests to that domain are blocked with a 429 response.
Shadow mode

Test policies without enforcing them:

```js
const session = await sylo.createSandboxToken({
  // ...
  shadowMode: true,
});
```

In shadow mode, policy violations are logged as "would-block" instead of "deny", but the request is allowed through. This is useful for trialling new policies in production before enforcing them: review the would-block entries, tighten the rules, then turn shadow mode off. Keep in mind that nothing is blocked while it is on, so use it only for sessions whose unblocked calls you can tolerate.
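The per-session rate limit from the previous section and the shadow-mode behaviour described here, combined in one added example (not Sylo's code). It assumes a sliding window per domain, that a request refused for exceeding the limit does not consume budget, and an injectable clock so the scenario runs instantly; parseRateLimit, SessionRateLimiter, gate and the log record shape are all assumed names.

```javascript
// Added example: a per-session, per-domain sliding-window limiter that reads
// "20/min" / "100/hour" strings from the rateLimit map, plus a gate that applies
// shadow mode (a violation is logged as "would-block" and the request goes
// through). Not Sylo's code; the names, the log shape and the injectable clock
// are assumptions made for this example.

const WINDOW_MS = { sec: 1_000, min: 60_000, hour: 3_600_000, day: 86_400_000 };

// "20/min" -> { limit: 20, windowMs: 60000 }; anything else is a config error.
function parseRateLimit(spec) {
  const m = /^(\d+)\/(sec|min|hour|day)$/.exec(String(spec).trim());
  if (!m) throw new Error(`unrecognised rate limit: ${spec}`);
  return { limit: Number(m[1]), windowMs: WINDOW_MS[m[2]] };
}

// One instance per session: the budget for a domain is shared by every request
// that session makes to it, and a domain with no entry is unlimited.
class SessionRateLimiter {
  constructor(rateLimit, now = () => Date.now()) {
    this.limits = Object.fromEntries(
      Object.entries(rateLimit).map(([domain, spec]) => [domain, parseRateLimit(spec)])
    );
    this.now = now;
    this.hits = new Map(); // domain -> timestamps of requests counted in the current window
  }

  // Records the request and returns true if it is within budget; returns false
  // (without recording it) if it would exceed the limit.
  check(domain) {
    const lim = this.limits[domain];
    if (!lim) return true;
    const t = this.now();
    const recent = (this.hits.get(domain) || []).filter((ts) => t - ts < lim.windowMs);
    const ok = recent.length < lim.limit;
    if (ok) recent.push(t);
    this.hits.set(domain, recent);
    return ok;
  }
}

// Enforcing: a violation gets a 429. Shadow mode: the same violation is logged
// as "would-block" and the request proceeds.
function gate(limiter, domain, opts, log) {
  if (limiter.check(domain)) return { status: "allow" };
  if (opts.shadowMode) {
    log.push({ domain, outcome: "would-block", reason: "rate_limit" });
    return { status: "allow" };
  }
  log.push({ domain, outcome: "deny", reason: "rate_limit" });
  return { status: 429 };
}

// Constructed scenario: 21 calls to api.openai.com in the same instant, one
// more a minute later, then one call each to another limited domain and to an
// unlisted one.
function runScenario({ shadowMode }) {
  let clock = 0;
  const limiter = new SessionRateLimiter(
    { "api.openai.com": "20/min", "api.github.com": "100/hour" },
    () => clock
  );
  const log = [];
  const results = [];
  for (let i = 0; i < 21; i++) {
    results.push(gate(limiter, "api.openai.com", { shadowMode }, log).status);
  }
  clock += 61_000; // the window has slid past the earlier hits, budget restored
  results.push(gate(limiter, "api.openai.com", { shadowMode }, log).status);
  results.push(gate(limiter, "api.github.com", { shadowMode }, log).status);
  results.push(gate(limiter, "unlisted.example", { shadowMode }, log).status);
  return { results, log };
}

console.log(runScenario({ shadowMode: false }).results[20]); // 429
console.log(runScenario({ shadowMode: true }).log);          // [ { ..., outcome: 'would-block', ... } ]
```

The two runs differ only in the 21st result: enforced, it is a 429 with a "deny" log entry; in shadow mode it is allowed and the log entry reads "would-block". That log is what you review before switching enforcement on.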
Policy webhook

For complex authorization logic, delegate decisions to your own endpoint:

```js
policies: {
  policyWebhook: "https://your-api.com/authorize",
}
```

Sylo sends the request details to your webhook and blocks or allows the request based on the response. The endpoint then sits on your enforcement path, so treat it that way: do not let it accept decision requests from arbitrary callers, and make its logic fail closed (deny) on input it does not recognise. Also check how a slow or unreachable endpoint is handled, and plan for that case before relying on the webhook for sensitive sessions.
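The decision half of such a webhook, as an added example (not Sylo's code), written as a pure function so the rules can be unit-tested apart from the HTTP server that would expose it. The request body shape { sessionId, domain, method, path }, the { allow, reason } response shape, and the in-memory per-session grants are all assumptions for illustration; a real deployment would look grants up from its own store.

```javascript
// Added example: the decision logic of a policy webhook. Not Sylo's code.
// Assumptions: the body carries { sessionId, domain, method, path }, the
// response is { allow: boolean, reason: string }, and per-session grants are
// an in-memory map. Every branch that is not an explicit grant ends in
// allow: false, so malformed or unexpected input fails closed.

// Constructed sample grants: repos a session may read and repos it may write.
const SESSION_GRANTS = {
  sess_reader: { readRepos: ["acme/widgets"], writeRepos: [] },
  sess_release: { readRepos: ["acme/widgets", "acme/infra"], writeRepos: ["acme/widgets"] },
};

const WRITE_METHODS = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// Returns the decision the webhook would send back for one request.
function authorize(body, grants = SESSION_GRANTS) {
  const fields = ["sessionId", "domain", "method", "path"];
  if (!body || fields.some((f) => typeof body[f] !== "string")) {
    return { allow: false, reason: "malformed_request" };
  }
  const grant = grants[body.sessionId];
  if (!grant) return { allow: false, reason: "unknown_session" };

  if (body.domain === "api.github.com") {
    // Only /repos/{owner}/{repo}[/...] is covered; extract "owner/repo".
    const m = /^\/repos\/([^/?#]+\/[^/?#]+)(?:[/?#]|$)/.exec(body.path);
    if (!m) return { allow: false, reason: "path_not_covered" };
    const repo = m[1];
    if (WRITE_METHODS.has(body.method)) {
      return grant.writeRepos.includes(repo)
        ? { allow: true, reason: "write_grant" }
        : { allow: false, reason: "no_write_grant" };
    }
    return grant.readRepos.includes(repo)
      ? { allow: true, reason: "read_grant" }
      : { allow: false, reason: "no_read_grant" };
  }

  // Any domain this webhook has no rules for is denied rather than passed through.
  return { allow: false, reason: "domain_not_covered" };
}

console.log(authorize({ sessionId: "sess_reader", domain: "api.github.com", method: "GET", path: "/repos/acme/widgets/issues" }));
// { allow: true, reason: 'read_grant' }
console.log(authorize({ sessionId: "sess_reader", domain: "api.github.com", method: "POST", path: "/repos/acme/widgets/issues" }));
// { allow: false, reason: 'no_write_grant' }
```

Returning a reason alongside the boolean costs nothing and makes the webhook's audit trail useful: a burst of no_write_grant or unknown_session decisions from one session is exactly the signal a detection pipeline wants.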