Creates a new security or compliance policy. Policies can be scoped globally (when `inbox_id` is null) or to a specific inbox. The `config` object shape varies by policy type.

Authorization

BearerAuth

AuthorizationBearer <token>

API key passed as a Bearer token. Production keys start with am_live_ and sandbox keys start with am_test_.

In: header

Request Body

application/json

TypeScript Definitions

Use the request body type in TypeScript.

name*string

Human-readable name for the policy.

type*string

The category of the policy:

domain_allowlist - Only allow messages from specified domains.
domain_blocklist - Block messages from specified domains.
keyword_filter - Flag or block messages containing specific keywords.
rate_limit - Limit the number of messages per time window.
pii_redaction - Automatically redact personally identifiable information.
output_scan - Scan outbound messages for data exfiltration.

action*string

The action taken when the policy is triggered:

block - Prevent the message from being delivered.
redact - Remove or mask sensitive content and deliver.
limit - Enforce rate limiting.
alert - Deliver the message but generate an alert.

Value in"block" | "redact" | "limit" | "alert"

inbox_id*|

ID of the inbox this policy is scoped to. Set to null for a global policy that applies to all inboxes.

config*

Configuration object whose shape depends on the policy type. For example, a domain_blocklist policy might include { "domains": ["competitor.com", "spam.net"] }.

Response Body

`application/json`

curl -X POST "https://secureagentmail.com/api/v1/policies" \  -H "Content-Type: application/json" \  -d '{    "name": "Block Competitor Domains",    "type": "domain_blocklist",    "action": "block",    "inbox_id": "inb_abc123",    "config": {}  }'

{
  "id": "pol_r2t5v8",
  "name": "Block Competitor Domains",
  "type": "domain_blocklist",
  "action": "block",
  "inbox_id": "inb_abc123",
  "enabled": true,
  "config": {},
  "created_at": "2026-01-20T12:00:00Z"
}

{
  "error": {
    "code": "unauthorized",
    "message": "Invalid or missing API key.",
    "status": 401
  }
}

{
  "error": {
    "code": "forbidden",
    "message": "Your API key does not have the required scope for this operation.",
    "status": 403
  }
}

{
  "error": {
    "code": "validation_error",
    "message": "The 'slug' field is required and must be a valid identifier.",
    "status": 422
  }
}

{
  "error": {
    "code": "rate_limited",
    "message": "Rate limit exceeded. Please retry after 30 seconds.",
    "status": 429
  }
}

Create policy

Authorization

Request Body

Response Body

201application/json

401application/json

403application/json

422application/json

429application/json

`application/json`

`application/json`

`application/json`

`application/json`

`application/json`