Policies Introduction
Control transactions with custom rules using 256 Blocks's Rego-based policy engine
The 256 Blocks policy engine uses the Rego language to define flexible, powerful transaction control rules. Policies allow you to enforce spending limits, restrict access by geography, block specific operations, and implement custom business logic.
What is the Policy Engine?
The policy engine evaluates every transaction request against your defined rules before execution. Policy evaluation is completely stateless for performance whilst giving you fine-grained control over what transactions are allowed through your endpoints.
Key benefits:
- Declarative rules: Define what should be blocked, not how to block it
- Real-time evaluation: Policies are evaluated on every request with sub-millisecond latency
- Flexible conditions: Combine multiple factors like transaction value, source country, time of day, and more
How Policies Work
Policies control two independent decisions for each request:
| Rule | Controls | Default |
|---|---|---|
| deny | Whether RPC/MCP requests are allowed or blocked | false (allow) |
| denyGasSponsor | Whether 256 Blocks sponsors the gas fee | false (sponsor) |
These defaults are defined by the system and cannot be overridden.
Request Access (deny)
Use deny rules to block RPC or MCP requests entirely. If any deny rule matches, the request is rejected.
```rego
# Block transactions over $10,000 USD
deny if {
    input.usd_value > 10000
}
```
Gas Sponsorship (denyGasSponsor)
Use denyGasSponsor rules to control when 256 Blocks pays the gas fee. If any denyGasSponsor rule matches, the user must pay their own gas.
```rego
# Don't sponsor transactions over $100
denyGasSponsor if {
    input.usd_value > 100
}
```
Both rules are evaluated independently - a request can be allowed but not sponsored, or vice versa.
Policy Levels
Policies are evaluated at three levels, from broadest to most specific:
Platform-Level Policies
Platform policies are managed by 256 Blocks and apply to all requests across the platform. These enforce baseline security and compliance requirements that cannot be overridden. See Restrictions for details on platform-level controls.
Organization-Level Policies
Organization policies apply to all endpoints in your organization, regardless of whether they are MCP or RPC endpoints. Use organization-level policies for:
- Global compliance rules (e.g., blocked countries)
- Organization-wide spending limits
- Universal security controls
Endpoint-Level Policies
Endpoint policies apply only to a specific endpoint. Since each endpoint is either MCP or RPC (not both), the policy automatically applies to that endpoint type. Use endpoint-level policies for:
- Application-specific limits
- Custom business logic for a particular integration
- Additional restrictions beyond organization defaults
Evaluation Order
When a request arrives:
- Platform policies are evaluated first (managed by 256 Blocks)
  - If denied at platform level, the request is rejected
- Organization policies are evaluated second
  - If denied at org level, the request is rejected
- Endpoint policies are evaluated last
  - If denied at endpoint level, the request is rejected
- If no deny rules match, the request proceeds
Each level acts as a baseline that lower levels cannot override. If a higher-level policy denies a request, no lower-level policy can allow it.
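The evaluation order above can be checked against your own thresholds with a small model before deploying a policy. This is an added example, not 256 Blocks code or its engine: `PolicyLevel`, `Decision`, `evaluate` and `LEVELS` are hypothetical names, and the model assumes that denyGasSponsor rules from every level are combined with "any match".

```python
# Illustrative model only: the rule names (deny, denyGasSponsor) and
# input.usd_value come from the page; everything else here is hypothetical.
from dataclasses import dataclass, field
from typing import Callable, Optional

Rule = Callable[[dict], bool]  # returns True when the rule matches the input


@dataclass
class PolicyLevel:
    name: str
    deny: list[Rule] = field(default_factory=list)
    deny_gas_sponsor: list[Rule] = field(default_factory=list)


@dataclass
class Decision:
    allowed: bool
    denied_at: Optional[str]  # first level whose deny rule matched
    sponsored: bool           # False when any denyGasSponsor rule matched


def evaluate(levels: list[PolicyLevel], request: dict) -> Decision:
    """Walk the levels in order: platform, organization, endpoint."""
    denied_at = None
    for level in levels:
        # A match at a higher level ends the walk, so a lower level never
        # gets the chance to allow the request.
        if any(rule(request) for rule in level.deny):
            denied_at = level.name
            break
    # Assumption: sponsorship is decided independently of deny, across all levels.
    no_sponsor = any(r(request) for lvl in levels for r in lvl.deny_gas_sponsor)
    return Decision(denied_at is None, denied_at, not no_sponsor)


# Constructed sample policies reusing the thresholds from the examples above,
# plus a tighter endpoint-level limit of $1,000.
LEVELS = [
    PolicyLevel("platform"),
    PolicyLevel("organization",
                deny=[lambda i: i["usd_value"] > 10000],
                deny_gas_sponsor=[lambda i: i["usd_value"] > 100]),
    PolicyLevel("endpoint", deny=[lambda i: i["usd_value"] > 1000]),
]

if __name__ == "__main__":
    for usd in (50, 500, 5000, 20000):
        print(usd, evaluate(LEVELS, {"usd_value": usd}))
```

In this model an endpoint can only tighten the organization limit: a $5,000 request passes the organization rule but is rejected at the endpoint, while a $20,000 request never reaches the endpoint policy at all.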
Next Steps
- Input Fields - Learn about all available data for policy decisions
- Language Reference - Master Rego syntax and operators
- Built-in Functions - Explore available functions
- Restrictions - Understand security limitations and best practices