# Create a policy rule

> Creates a new policy rule. Rules control how agents interact with external services:

- **block** — reject matching requests outright.
- **rate_limit** — allow up to N requests per time window. Requires `rateLimit` and `rateLimitWindow`.
- **manual_approval** — hold matching requests for human approval before forwarding.

## OpenAPI

````yaml /openapi.yaml post /rules
openapi: 3.1.0
info:
  title: OneCLI API
  version: '1.0'
  description: >
    The OneCLI API lets you manage agents, secrets, policy rules, app
    connections, and user settings programmatically.


    **Base URL:** `https://api.onecli.sh/v1` (Cloud) or
    `http://localhost:10254/v1` (self-hosted)


    ## Authentication


    All endpoints require authentication via one of:


    - **API Key** — `Authorization: Bearer <key>` header. Generate keys in the
    dashboard or via `GET /v1/user/api-key`.

    - **Session** — Cookie-based session from the web dashboard.


    For organization-scoped API keys, include the `X-Project-Id` header to
    specify which project to operate on.
servers:
  - url: https://api.onecli.sh/v1
    description: OneCLI Cloud
  - url: http://localhost:10254/v1
    description: Self-hosted (Docker)
security:
  - bearerAuth: []
tags:
  - name: Agents
    description: Manage agents and their access tokens, secrets, and configuration.
  - name: Secrets
    description: Manage credentials that the gateway injects into outbound requests.
  - name: Rules
    description: >-
      Manage policy rules that control how agents interact with external
      services.
  - name: User
    description: Manage your user profile and API keys.
  - name: Projects
    description: >-
      Manage projects within your organization. Requires admin role for
      create/update and owner role for delete. Cloud only.
  - name: Team
    description: Provision team members programmatically. Requires admin role. Cloud only.
  - name: Apps
    description: >-
      Manage app connections (OAuth and direct credentials) and BYOC
      configuration.
  - name: Organization Secrets
    description: >-
      Manage secrets at the organization level. Organization secrets apply
      across all projects. Cloud only.
  - name: Organization Rules
    description: >-
      Manage policy rules at the organization level. Organization rules apply
      across all projects. Cloud only.
  - name: Organization Connections
    description: Manage app connections at the organization level. Cloud only.
  - name: Organization App Config
    description: Manage BYOC app configuration at the organization level. Cloud only.
  - name: Partner Organizations
    description: >-
      Create and manage customer organizations as a partner. Requires a Partner
      API key. Cloud only.
  - name: Partner Projects
    description: Manage projects within an unclaimed partner organization. Cloud only.
  - name: Partner Secrets
    description: >-
      Manage partner-level secrets inherited by every organization you manage.
      Cloud only.
  - name: Partner Budgets
    description: >-
      Cap how much an organization can spend on a partner LLM key. Owner or
      admin only. Cloud only.
  - name: Partner Members
    description: >-
      Manage who can sign in to your partner portal. Owner or admin only. Cloud
      only.
  - name: Organization Partner
    description: Inspect and detach an organization's partner relationship. Cloud only.
paths:
  /rules:
    post:
      tags:
        - Rules
      summary: Create a policy rule
      description: >
        Creates a new policy rule. Rules control how agents interact with
        external services:


        - **block** — reject matching requests outright.

        - **rate_limit** — allow up to N requests per time window. Requires
        `rateLimit` and `rateLimitWindow`.

        - **manual_approval** — hold matching requests for human approval before
        forwarding.
      operationId: createRule
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - name
                - hostPattern
                - action
                - enabled
              properties:
                name:
                  type: string
                  minLength: 1
                  maxLength: 255
                  example: Block destructive GitHub API calls
                hostPattern:
                  type: string
                  minLength: 1
                  maxLength: 1000
                  example: api.github.com
                pathPattern:
                  type: string
                  maxLength: 1000
                  example: /repos/*/delete
                method:
                  type: string
                  enum:
                    - GET
                    - POST
                    - PUT
                    - PATCH
                    - DELETE
                action:
                  type: string
                  enum:
                    - block
                    - rate_limit
                    - manual_approval
                enabled:
                  type: boolean
                agentId:
                  type: string
                  description: Scope rule to a specific agent (omit for all agents)
                rateLimit:
                  type: integer
                  minimum: 1
                  maximum: 1000000
                  description: Required when action is `rate_limit`
                rateLimitWindow:
                  type: string
                  enum:
                    - minute
                    - hour
                    - day
                  description: Required when action is `rate_limit`
                conditions:
                  type: array
                  maxItems: 10
                  items:
                    $ref: '#/components/schemas/RuleCondition'
      responses:
        '201':
          description: Rule created
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/PolicyRule'
        '400':
          description: Validation error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'
components:
  schemas:
    RuleCondition:
      type: object
      description: >-
        A condition that must match for the rule to apply. Conditions inspect
        the request body to enable fine-grained filtering beyond
        host/path/method.
      required:
        - target
        - operator
        - value
      properties:
        target:
          type: string
          enum:
            - body
          description: What part of the request to inspect.
        operator:
          type: string
          enum:
            - contains
          description: How to match the value against the target.
        value:
          type: string
          minLength: 1
          maxLength: 1000
          description: The string to match against.
        key:
          type: string
          maxLength: 500
          description: Optional JSON key path within the body to scope the match.
    PolicyRule:
      type: object
      properties:
        id:
          type: string
        name:
          type: string
        hostPattern:
          type: string
        pathPattern:
          type: string
          nullable: true
        method:
          type: string
          nullable: true
          enum:
            - GET
            - POST
            - PUT
            - PATCH
            - DELETE
            - null
        action:
          type: string
          enum:
            - block
            - rate_limit
            - manual_approval
        enabled:
          type: boolean
        agentId:
          type: string
          nullable: true
        rateLimit:
          type: integer
          nullable: true
        rateLimitWindow:
          type: string
          nullable: true
          enum:
            - minute
            - hour
            - day
            - null
        scope:
          type: string
        metadata:
          type: object
        conditions:
          type: array
          items:
            $ref: '#/components/schemas/RuleCondition'
        createdAt:
          type: string
          format: date-time
    Error:
      type: object
      properties:
        error:
          type: string
      required:
        - error
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      description: API key obtained from the dashboard or `GET /user/api-key`

````
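As an added client-side helper (not part of OneCLI or of this spec), the following builds a request body for this endpoint and enforces the schema's constraints before anything is sent, so a rule that would be rejected with a 400 (for example a `rate_limit` rule missing `rateLimitWindow`) fails locally; the function names, the agent id and the condition values are constructed for illustration.

```python
import json
import urllib.request

ACTIONS = {"block", "rate_limit", "manual_approval"}
METHODS = {"GET", "POST", "PUT", "PATCH", "DELETE"}
WINDOWS = {"minute", "hour", "day"}


def build_rule(name, host_pattern, action, enabled=True, path_pattern=None,
               method=None, agent_id=None, rate_limit=None,
               rate_limit_window=None, conditions=None):
    """Assemble a POST /rules body and apply the schema's constraints
    client-side, so a malformed rule fails before it reaches the API."""
    if not 1 <= len(name) <= 255:
        raise ValueError("name must be 1-255 characters")
    if not 1 <= len(host_pattern) <= 1000:
        raise ValueError("hostPattern must be 1-1000 characters")
    if action not in ACTIONS:
        raise ValueError(f"action must be one of {sorted(ACTIONS)}")
    if method is not None and method not in METHODS:
        raise ValueError(f"method must be one of {sorted(METHODS)}")
    body = {"name": name, "hostPattern": host_pattern,
            "action": action, "enabled": enabled}
    for key, val in (("pathPattern", path_pattern), ("method", method),
                     ("agentId", agent_id)):  # omit agentId to cover all agents
        if val is not None:
            body[key] = val
    if action == "rate_limit":
        # Both fields are required for rate_limit; the API answers 400 otherwise.
        if rate_limit_window not in WINDOWS or not 1 <= (rate_limit or 0) <= 1_000_000:
            raise ValueError("rate_limit needs rateLimit (1-1000000) and rateLimitWindow")
        body["rateLimit"], body["rateLimitWindow"] = rate_limit, rate_limit_window
    if conditions:
        if len(conditions) > 10:
            raise ValueError("at most 10 conditions are allowed")
        for c in conditions:  # the schema currently allows only body/contains
            if (c.get("target"), c.get("operator")) != ("body", "contains") or not c.get("value"):
                raise ValueError("condition needs target=body, operator=contains, non-empty value")
        body["conditions"] = conditions
    return body


def create_rule(base_url, api_key, body, project_id=None):
    """POST the rule; X-Project-Id selects the project for org-scoped keys."""
    headers = {"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"}
    if project_id:
        headers["X-Project-Id"] = project_id
    req = urllib.request.Request(f"{base_url}/rules", method="POST",
                                 data=json.dumps(body).encode(), headers=headers)
    with urllib.request.urlopen(req) as resp:  # 201 on success; 400 raises HTTPError
        return resp.status, json.load(resp)
```

Scoping a rule with `agentId` and a `method` such as `DELETE` keeps it narrow, which is the least-privilege shape the `Block destructive GitHub API calls` example in the schema illustrates.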