
Allowlists & Blocklists

Restrict agent spending to specific domains or always-block sensitive targets.

Runtime

Domain controls let you define exactly which external services an agent is permitted to spend toward. They operate on the hostname extracted from the spend request URL.

Allowlist

When allowlist is set, the agent may only spend toward hostnames in that list. Any other hostname returns 403 policy_domain_blocked.

policy: {
  dailyCap: "10.00",
  allowlist: [
    "api.openai.com",
    "api.anthropic.com",
    "api.pinecone.io",
    "replicate.com",
  ],
}

Blocklist

Blocklist entries are always rejected, even if the hostname also appears on the allowlist. Use blocklists to permanently prohibit data-exfiltration targets.

policy: {
  dailyCap: "10.00",
  blocklist: [
    "competitor-api.com",
    "known-phishing-domain.net",
  ],
}

Wildcard matching

policy: {
  allowlist: [
    "*.openai.com",       // matches api.openai.com, files.openai.com, etc.
    "api.anthropic.com",  // exact match only
  ],
}
Warning
Wildcard matching applies only to subdomains (*.host.com). Glob patterns such as *.com are rejected at policy creation time.
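
The rules above (hostname extraction, blocklist precedence, subdomain-only wildcards) sketched as a reference evaluator. This is an added example, not Nomiqon's code: `createPolicy`, `validatePattern`, `matches` and `evaluate` are hypothetical names, and it assumes that a wildcard does not match the bare parent domain, that blocklist entries accept the same patterns, and that an unparseable URL is denied.

```typescript
// Added illustration, not Nomiqon's implementation; all names are hypothetical.
type Policy = { allowlist?: string[]; blocklist?: string[] };
type Decision = { status: number; code?: string };
const BLOCKED: Decision = { status: 403, code: "policy_domain_blocked" };

// Creation-time check: an exact hostname, or "*." plus a base of two or more labels.
// Assumption: label counting is how "*.com" is rejected; rejecting "*.co.uk"
// as well would need a public-suffix list.
function validatePattern(pattern: string): string {
  const p = pattern.trim().toLowerCase();
  const wildcard = p.startsWith("*.");
  const labels = (wildcard ? p.slice(2) : p).split(".");
  if (labels.some((l) => l.length === 0 || l.includes("*"))) {
    throw new Error(`invalid pattern: ${pattern}`);
  }
  if (wildcard && labels.length < 2) throw new Error(`wildcard too broad: ${pattern}`);
  return p;
}

function createPolicy(input: Policy): Policy {
  return {
    allowlist: input.allowlist?.map(validatePattern),
    blocklist: input.blocklist?.map(validatePattern),
  };
}

// Compare whole labels: "*.openai.com" must not match "evilopenai.com".
// Assumption: the wildcard does not match the bare parent "openai.com".
function matches(host: string, pattern: string): boolean {
  if (!pattern.startsWith("*.")) return host === pattern;
  const suffix = pattern.slice(1); // ".openai.com"
  return host.length > suffix.length && host.endsWith(suffix);
}

function evaluate(policy: Policy, spendUrl: string): Decision {
  let host = "";
  try {
    // URL.hostname excludes userinfo and port, so "https://api.openai.com@evil.test/"
    // resolves to "evil.test". A trailing root dot is stripped before comparison.
    host = new URL(spendUrl).hostname.toLowerCase().replace(/\.$/, "");
  } catch {
    return BLOCKED; // assumption: fail closed on an unparseable URL
  }
  if ((policy.blocklist ?? []).some((p) => matches(host, p))) return BLOCKED; // blocklist wins
  if (policy.allowlist === undefined) return { status: 200 }; // no allowlist set
  return policy.allowlist.some((p) => matches(host, p)) ? { status: 200 } : BLOCKED;
}
```

The hostnames used to exercise it (such as `evil.test`) are constructed sample values.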