Documentation
messaging.send
messaging.send
What this action is
Send a message to one or more recipients.
When to use it
Use this action when you are about to send a message to one or more recipients.
Real-world example
Example: your AI agent proposes an operation that would result in
messaging.send. Before you apply the side effect, validate the exact payload with ASG.When not to use it
Do not use messaging.send for planning, drafting, or simulation. Only call ASG when your system is prepared to execute on PASS or stop on WARN/BLOCK.
Allowed action_type values
This field is enforced. If it is not listed, do not send it.
send
Canonical payload (This will PASS)
json
24 lines
{
"action_kind": "messaging.send",
"action_type": "send",
"ai_output": {},
"context": {
"account_id": "example",
"actor_user_id": "example",
"compliance_context": "example",
"idempotency_key": "example",
"message_body": "example",
"payload_preview": "example",
"payload_schema": "example",
"purpose": "example",
"recent_duplicate_count": 1,
"recipient_count": 0,
"recipient_source": "example",
"request_id": "example",
"system_instructions": "example",Required context
| Field | Required | Type | Consequence |
|---|---|---|---|
account_id | Required | string | BLOCK: Missing required context (account_id). |
actor_user_id | Required | string | BLOCK: Missing required context (actor_user_id). |
compliance_context | Required | string | BLOCK: Missing required context (compliance_context). |
idempotency_key | Required | string | BLOCK: Missing required context (idempotency_key). |
message_body | Required | string | BLOCK: Missing required context (message_body). |
payload_preview | Required | string | WARN: Missing required context (payload_preview). |
payload_schema | Required | string | WARN: Missing required context (payload_schema). |
purpose | Required | string | WARN: Missing required context (purpose). |
recent_duplicate_count | Required | number | BLOCK: Missing required context (recent_duplicate_count). |
recipient_count | Required | number | BLOCK: Missing required context (recipient_count). |
recipient_source | Required | string | BLOCK: Missing required context (recipient_source). |
request_id | Required | string | BLOCK: Missing required context (request_id). |
system_instructions | Required | string | BLOCK: Missing required context (system_instructions). |
template_id | Required | string | WARN: Missing required context (template_id). |
user_input | Required | string | BLOCK: Missing required context (user_input). |
workflow | Required | string | BLOCK: Missing required context (workflow). |
workflowName | Required | string | BLOCK: Missing required context (workflowName). |
blast_radius_estimate | Optional | number | No direct consequence (not required). |
maxRecords | Optional | number | No direct consequence (not required). |
recent_actions_count | Optional | number | No direct consequence (not required). |
records_count | Optional | number | No direct consequence (not required). |
time_window_minutes | Optional | number | No direct consequence (not required). |
Decision behavior (PASS / WARN / BLOCK)
AI Safety Gate is fail-closed by design. If validation or approval polling cannot be safely completed (missing required context, invalid responses, timeouts, or unexpected errors), execution must stop.
| Status | What ASG returns | What you must do |
|---|---|---|
| PASS | Allowed by safety policy. | Execute the action. |
| WARN | Review required by safety policy. | Do not execute. Persist decision_id and wait for human approval. Approval does not modify policies and does not change the original decision — it authorizes execution for this specific decision_id. |
| BLOCK | Blocked by safety policy. | Do not execute. Fix payload/context and re-validate. |
Policy behavior
This ActionKind is evaluated against managed policies derived from the managed policy catalog.
Example threshold shapes used by applicable policies: {"maxActionsPerMinute":5} | {"maxRecipients":50} | {"maxRecords":1000}
Related policies: Data policies, Messaging policies
| Policy summary | Severity | Required context | Thresholds | Approval | Remediation |
|---|---|---|---|---|---|
| Block exfiltration of secrets, API keys, tokens, private certificates, passwords. | BLOCK | ai_output | — | — | Redact secrets. Rotate compromised keys immediately. Add secret scanning to outputs. |
| Block handling or disclosure of payment card data (PCI) and full bank credentials. | BLOCK | ai_output | — | — | Do not transmit payment credentials. Use provider-hosted payment pages or tokenized references only. |
| Block outbound messages that contain secrets/credentials or sensitive internal data. | BLOCK | message_body | — | — | Redact sensitive tokens. Replace with references. Ensure destinations are allowlisted. |
| Block prompt injection and instruction override attempts. | BLOCK | ai_output, system_instructions, user_input | — | — | Remove/neutralize attacker instructions. Use structured tool arguments. Re-run with sanitized user input. |
| Block repeated retries/loops that cause duplicate side effects. | BLOCK | idempotency_key, recent_duplicate_count | {"maxActionsPerMinute":5} | — | Enforce idempotency keys. Add dedupe. Stop runaway retries with backoff + circuit breakers. |
| Block sharing of PHI/medical records without explicit compliant handling. | BLOCK | ai_output, compliance_context | — | — | Require compliant workflows (HIPAA/Baa etc.) and explicit authorization before any PHI handling. |
| Block spammy bulk outbound messaging and unsolicited broadcasts. | BLOCK | recipient_count, recipient_source, message_body | {"maxRecipients":50} | — | Use opt-in lists only. Add rate limits and require templates/approvals for high-volume sends. |
| Block when required integration context is missing. | BLOCK | workflow, workflowName, system_instructions, user_input, actor_user_id, account_id, request_id, idempotency_key | — | — | Include the required context fields so the gate can make a deterministic decision and record an auditable event. |
| Warn on regulated claims (legal/medical/financial) unless using approved templates/disclaimers. | WARN | message_body, template_id | — | WARN requires approval | Use approved templates with disclaimers. Route to review for anything custom or high-risk. |
| Warn when output contains PII and requires redaction/minimization before sharing/exporting. | WARN | ai_output, purpose | {"maxRecords":1000} | WARN requires approval | Redact/minimize. Ensure recipient/destination is approved. Log data-handling purpose for audit. |
| Warn when structured tool args are invalid/missing required fields. | WARN | payload_schema, payload_preview | — | — | Fix payload schema/validation. Require requiredContext fields before allowing execution. |
Approval behavior
If validation returns WARN, you must pause execution and wait for approval.
WARN requires human approval. Approval authorizes execution for the same decision_id and does not modify policies or change the original decision record.
WARN responses include a
decision_id and an approval_token.Applicable WARN policies for this ActionKind require explicit approval.
- See When approval is required.
- See WARN → approval lifecycle.
- See Polling behavior.
- If approval cannot be completed, see Approval failures.
Common errors
| Mistake | What happens | Fix |
|---|---|---|
| Using an unknown action_kind | BLOCK: Unknown action_kind. Supported action_kind values: money.move, money.refund, money.credit, money.payout, billing.change, billing.cancel, identity.role_change, identity.auth_change, identity.user_create, identity.user_delete, admin.access, data.export, data.import, data.read, data.write, data.delete, data.purge, data.share, messaging.send, messaging.broadcast, messaging.webhook, integrations.connect, integrations.disconnect, integrations.scope_change, workflow.execute, workflow.modify, support.case_update. | Fix: Unknown action kind |
| Using an unsupported action_type | BLOCK: Unknown action_type for action_kind messaging.send. Supported action_type values: send. | Use one of the allowed values listed above. |
| Omitting required context | BLOCK: Missing required context (workflow, workflowName, system_instructions). | Fix: Missing context |
| Sending the wrong JSON types | WARN: Schema mismatch. Proceeding with enforcement using normalized input. | Fix: Schema mismatch |
| Approval token generation fails | Approval token generation failed. Blocking by default. | Treat as BLOCK (fail closed). Retry validation later. |
Copy-paste examples
Minimal
json
24 lines
{
"action_kind": "messaging.send",
"action_type": "send",
"ai_output": {},
"context": {
"account_id": "example",
"actor_user_id": "example",
"compliance_context": "example",
"idempotency_key": "example",
"message_body": "example",
"payload_preview": "example",
"payload_schema": "example",
"purpose": "example",
"recent_duplicate_count": 1,
"recipient_count": 0,
"recipient_source": "example",
"request_id": "example",
"system_instructions": "example",Full
json
29 lines
{
"action_kind": "messaging.send",
"action_type": "send",
"ai_output": {},
"context": {
"account_id": "example",
"actor_user_id": "example",
"compliance_context": "example",
"idempotency_key": "example",
"message_body": "example",
"payload_preview": "example",
"payload_schema": "example",
"purpose": "example",
"recent_duplicate_count": 1,
"recipient_count": 0,
"recipient_source": "example",
"request_id": "example",
"system_instructions": "example",Legal & Responsibility Notice
Summary
Informational only
Provided for general guidance. Not legal, compliance, security, or professional advice.
You control implementation
You are responsible for policies, prompts, integrations, workflows, and regulatory requirements.
Liability limitation
To the maximum extent permitted by law, the company disclaims liability for losses arising from use of this documentation or implementations based on it.