// MCP TOOL REFERENCE
High Risk →

start_session

Use this first when a user wants to send or price a fax. PromptFax is built for irregular, pay-per-use outbound faxing: every real send requires a user-reviewed quote and Stripe payment authorization before transmission. MCP clients should set hostType to identify their host: chatgpt, claude, bro...

Risk signalsAccepts URL/endpoint input (files[].url) · Accepts file system path (files[].fileName) · High parameter count (15 properties) · Bulk/mass operation — affects multiple targets

Part of the PromptFax server.

start_session can trigger actions in PromptFax, with no limits today. PolicyLayer puts allow, deny, and rate-limit rules on every call. Live in minutes.

SECURE PROMPTFAX →

Free to start. No card required.

WHEN AGENTS USE THIS TOOL

AI agents invoke start_session to trigger processes or run actions in PromptFax. Execute operations can have side effects beyond the immediate call -- triggering builds, sending notifications, or starting workflows. Rate limits and argument validation are essential to prevent runaway execution.

start_session can trigger processes with real-world consequences. An uncontrolled agent might start dozens of builds, send mass notifications, or kick off expensive compute jobs. PolicyLayer enforces rate limits and validates arguments to keep execution within safe bounds.

RECOMMENDED POLICY

Execute tools trigger processes. Rate-limit and validate arguments to prevent unintended side effects.

policy.json 
{
  "version": "1",
  "default": "deny",
  "tools": {
    "start_session": {
      "limits": [
        {
          "counter": "start_session_rate",
          "window": "minute",
          "max": 10,
          "scope": "grant"
        }
      ]
    }
  }
}

See the full PromptFax policy for all 8 tools.

Get this rule live on your own PromptFax server in minutes. PolicyLayer enforces it on every call, before it runs.

ENFORCE ON MY PROMPTFAX →

MORE PROMPTFAX TOOLS

Destructive cancel Write attach_document Write checkout Write retry_failed_fax Write send_fax Read get_quote Read get_status

WHAT CAN GO WRONG

These attack patterns abuse exactly the kind of access start_session gives an agent. Each links to the full case and the policy that stops it:

Browse the full MCP Attack Database →

Every attack above starts with a tool call. PolicyLayer checks each one against your policy first, so start_session only ever does what you allow.

SECURE PROMPTFAX →

OTHER EXECUTE TOOLS

Other execute tools across the catalogue. The same approach applies to each: rate-limit and validate the arguments.

Atv build_stake_tx Atv build_unstake_tx Docs Mcp answer_how_to Acdp start_local Pentagonal pentagonal_audit Pentagonal pentagonal_compile

RELATED READING

FAQ

What does the start_session tool do? +

Use this first when a user wants to send or price a fax. PromptFax is built for irregular, pay-per-use outbound faxing: every real send requires a user-reviewed quote and Stripe payment authorization before transmission. MCP clients should set hostType to identify their host: chatgpt, claude, browser, or other. When calling this from ChatGPT, set hostType to chatgpt so PromptFax uses the ChatGPT widget and file flow. In ChatGPT, this opens the PromptFax widget; after the widget is shown, let the widget handle file selection, destination entry, automatic quote creation, Stripe Checkout, and status tracking. If no document is attached, tell the user to attach a document in the widget. The widget does not provide a document preview step. Do not tell ChatGPT users to get a quote; after the widget has a document and valid destination, tell them to verify the price and use Pay & send when ready. For Claude and other MCP hosts that cannot pass files directly, use the agent-friendly hosted PromptFax session page to guide upload/review, request a quote, launch Stripe Checkout, and poll delivery status. Do not call get_quote, checkout, or send_fax for a ChatGPT widget session unless the user explicitly asks for fallback behavior or the widget is unavailable. Use get_status only for a textual status refresh.. It is categorised as a Execute tool in the PromptFax MCP Server, which means it can trigger actions or run processes. Use rate limits and argument validation.

How do I enforce a policy on start_session? +

Register the PromptFax MCP server in PolicyLayer and add a rule for start_session: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches PromptFax. Nothing to install.

What risk level is start_session? +

start_session is a Execute tool with high risk. Execute tools should be rate-limited and have argument validation enabled.

Can I rate-limit start_session? +

Yes. Add a rate_limit block to the start_session rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.

How do I block start_session completely? +

Set action: deny in the PolicyLayer policy for start_session. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.

What MCP server provides start_session? +

start_session is provided by the PromptFax MCP server (https://promptfax.app/mcp). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.

Enforce policy on every PromptFax tool call.

Deterministic rules across all 8 PromptFax tools. Per-identity grants. Full audit log. Live in minutes. Nothing to install.

SECURE PROMPTFAX →

Free to start. No card required.

4,600+ MCP servers and 31,000+ tools scanned and risk-classified.

// GET IN TOUCH

Have a question or want to learn more? Send us a message.

Message sent.

We'll get back to you soon.