> ## Documentation Index
> Fetch the complete documentation index at: https://docs.hitheo.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Create Guardrail Policy

> Author a new guardrail policy.

Create a new guardrail policy. Idempotent — the same `Idempotency-Key` header replays the same response.

Creating a policy does **not** auto-bind it to a key. Use [PUT /api/v1/keys/{id}/guardrails](/api-reference/guardrails/key-binding) to opt a key in.

## Authentication

Requires a Bearer token with the `billing` API key scope.

## Body

<ParamField body="name" type="string" required>
  Policy name. 1–128 chars. May not reference upstream provider names.
</ParamField>

<ParamField body="description" type="string">
  Free-text description. Up to 512 chars.
</ParamField>

<ParamField body="rules" type="object[]">
  Up to 32 rule objects. Each rule has `guardrail_id`, `phase`, `verdict`, and an optional `config` bag.
</ParamField>

<ParamField body="scope" type="string">
  `"personal"` (default) or `"team"`. Team scope requires an active org and the `manageWebhooks` permission.
</ParamField>

<ParamField body="is_default" type="boolean">
  Mark this policy as the default for its scope. At most one default per scope.
</ParamField>

## Request Examples

<CodeGroup>
  ```bash curl theme={null}
  curl -X POST https://www.hitheo.ai/api/v1/guardrail-policies \
    -H "Authorization: Bearer $THEO_API_KEY" \
    -H "Content-Type: application/json" \
    -d '{
      "name": "Compliance-strict",
      "description": "PII redaction + jailbreak deny.",
      "rules": [
        { "guardrail_id": "pii_redactor", "phase": "input", "verdict": "redact" },
        { "guardrail_id": "prompt_injection", "phase": "input", "verdict": "deny" }
      ]
    }'
  ```

  ```typescript SDK theme={null}
  const policy = await theo.guardrails.policies.create({
    name: "Compliance-strict",
    description: "PII redaction + jailbreak deny.",
    rules: [
      { guardrail_id: "pii_redactor", phase: "input", verdict: "redact" },
      { guardrail_id: "prompt_injection", phase: "input", verdict: "deny" },
    ],
  });
  ```
</CodeGroup>

## Errors

* `400 guardrail_policy_invalid` — Unknown guardrail id, disallowed verdict for the builtin, vendor-named label, or rule cap exceeded.
* `403 missing_scope` — API key lacks the `billing` scope.
* `409 conflict` — `is_default: true` already set for this scope.
