diff --git a/src/Api/Startup.cs b/src/Api/Startup.cs
index e24f96a7a9..d47c0abde1 100644
--- a/src/Api/Startup.cs
+++ b/src/Api/Startup.cs
@@ -145,6 +145,14 @@ public class Startup
 (c.Value.Contains(ApiScopes.Api) || c.Value.Contains(ApiScopes.ApiSecrets))
 ));
 });
+
+ config.AddPolicy(Policies.Send, configurePolicy: policy =>
+ {
+ policy.RequireAuthenticatedUser();
+ policy.RequireClaim(JwtClaimTypes.Scope, ApiScopes.Send);
+ // TODO: talk with Tools about potentially
+ // policy.AddRequirements(new SameSendIdRequirement());
+ });
 });

 services.AddScoped();
diff --git a/src/Core/IdentityServer/Policies.cs b/src/Core/IdentityServer/Policies.cs
new file mode 100644
index 0000000000..7a0cabe644
--- /dev/null
+++ b/src/Core/IdentityServer/Policies.cs
@@ -0,0 +1,8 @@
+namespace Bit.Core.IdentityServer;
+
+public static class Policies
+{
+ // TODO: migrate other existing policies to use this class
+ public const string Send = "Send"; // [Authorize(Policy = Policies.Send)]
+
+}
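Review bot: The `Policies.Send` policy added in Startup.cs checks only that the caller is authenticated and carries the `ApiScopes.Send` scope; the requirement that would presumably bind a token to one particular Send is left commented out under the TODO. Unless the handlers do that comparison themselves (not visible in this hunk), an endpoint guarded solely by this policy would accept any Send-scoped token regardless of which Send it was issued for. I would land `SameSendIdRequirement` together with the policy, or at least replace the TODO with `// Scope check only: endpoints using this policy must verify that the token's Send id matches the requested Send.` Separately, the neighbouring policy matches the scope with `c.Value.Contains(...)` while this one uses `RequireClaim`, which compares whole claim values, so it is worth confirming the scope claim is emitted one value per claim. The enclosing configuration method starts and ends outside the hunk.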
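Review bot: `Policies.Send` in Policies.cs is documented only by the trailing usage hint `// [Authorize(Policy = Policies.Send)]`, which does not tell a controller author what the policy enforces. An XML doc comment such as `/// <summary>Requires an authenticated caller whose token carries the Send scope; does not check which Send is being accessed.</summary>` would make the scope-only nature visible at the point of use. The empty line before the closing brace of the class can be dropped.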