Skip to main content
Activation required. AI access management must be enabled for your tenant before you can use it. To get started, contact the C1 support team for a walkthrough.
Tool call hooks are interception points that run on every governed MCP tool call. They can observe a call, modify its inputs or outputs, or deny it outright. Use them to redact sensitive data, cap risky parameters, or enforce conditional access rules that see beyond the entitlement grant model.

How hooks work

Each hook fires on one of two events: Hooks run in priority order (lower priority numbers run first). Each hook is independently enabled or disabled and can be scoped to specific tools with a CEL filter expression. Multiple hooks can stack on the same call — input or output modifications from earlier hooks are passed to later ones, and any hook can short-circuit the chain by denying. Hooks are fail-closed. If a hook errors, times out, or its filter expression fails to evaluate, the call is denied. Custom function hooks have a 60-second invocation timeout. Every hook execution is recorded in the audit log with one of these statuses: ALLOWED, MUTATED, DENIED, ERROR, TIMEOUT, or FILTER_ERROR.

Configure a hook

1
Go to AI > C1 Gateway > Settings and find the Hooks section.
2
Click Add hook.
3
Fill out the form:
4
If you selected Built-in pattern, choose the pattern and configure its options. If you selected Custom function, pick the function from the dropdown.
5
Click Save.

Built-in patterns

C1 ships five pre-built hook patterns. Each one is a self-contained handler with its own configuration; no function code is required.

Custom function hooks

When the built-in patterns don’t fit, write a function and attach it to a hook. C1 invokes the function with a JSON payload describing the call and uses the return value to decide whether to allow, modify, or deny. See the Functions overview and Create a function for how to author and deploy a function.

Pre-tool-use payload

The function receives:
tool_source is either builtin or connector. classification is the tool’s configured action class (READ, WRITE, DESTRUCTIVE, SENSITIVE, or DANGEROUS).

Post-tool-use payload

The function receives the same fields plus the call result:

Return value

In both events the function returns an object with any subset of these fields:
  • Set deny: true to block the call. The reason is recorded in the audit log and surfaced to the AI client as a denial.
  • Omit input (pre) or output (post) when you don’t need to modify the payload.
  • Returning an empty object {} is equivalent to allowing the call unchanged.
If the function throws, exceeds the 60-second timeout, or returns invalid JSON, the call is denied and the failure is recorded as ERROR or TIMEOUT in the audit log.