Control D is a customizable DNS filtering and traffic redirection platform that allows users to manage internet access, enforce policies, and monitor usage across devices and networks. On Nagent, Control D is exposed as a fully configurable security & identity tools integration that any agent can call, with 54 actions and API key authentication. No code is required to wire Control D into your workflow: connect it once via the External Integrations panel and reuse it across every agent you build.
Agent builders use Control D to automate the kinds of tasks security & identity tools teams previously handled manually. Concrete examples — each one is a single agent step in Nagent — include:
Every action and trigger is paired with a structured input/output schema (visible in the sections below), so when you wire Control D into Helix — our agentic agent builder — the editor knows exactly what each step expects and produces. Configure once, deploy anywhere across your Nagent agents.
Every operation an agent can call against Control D, with input parameters and output schema. Drop these into any step of an agent built in Helix.
CONTROL_D_DELETE_DEVICES_DEVICE_ID
Permanently delete a Control-D device/endpoint by its ID. WARNING: This is a destructive operation. Deleting a device will break DNS resolution on any physical gadget configured to use this device's unique DNS resolvers. Use GET /devices to retrieve valid device IDs before calling this action.
Input parameters
Unique identifier of the device to delete. Use GET /devices to retrieve valid device IDs.
Optional header to impersonate a child sub-organization admin (organization accounts only).
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CONTROL_D_DELETE_PROFILES_PROFILE_ID
Permanently deletes a Control D profile by its unique identifier (PK). IMPORTANT: The profile must be orphaned (not enforced by any device) before it can be deleted. If the profile is currently assigned to one or more devices, the deletion will fail. Use this tool when you need to remove an unused profile from the account. To check if a profile is safe to delete, first verify it has no associated devices using the Get Devices or Get Profile endpoints.
Input parameters
The unique primary key (PK) of the profile to delete. The profile must be orphaned (not enforced by any device) to be deleted successfully.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CONTROL_D_DELETE_PROFILES_PROFILE_ID_RULES_RULE_ID
Delete a custom DNS rule from a Control D profile by its rule identifier (hostname/domain). This tool removes a DNS filtering rule from the specified profile. Rules in Control D are identified by the hostname/domain they target (e.g., 'example.com', 'ads.domain.com').
Prerequisites:
- Obtain profile_id from GET /profiles endpoint
- Obtain rule_id (the hostname/domain) from GET /profiles/{profile_id}/rules endpoint
Note: Requires write access to the API (read-only tokens will receive a 403 error).
Input parameters
The identifier of the custom rule to delete. In Control D, rules are identified by their hostname/domain (e.g., 'example.com', 'ads.domain.com', '*.example.org'). This is the PK field returned when listing rules.
Primary key (PK) of the profile from which to delete the rule. Obtain this from the GET /profiles endpoint.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CONTROL_D_DELETE_PROFILES_PROFILE_ID_RULES_RULE_ID_FOLDER_ID
Delete a custom DNS rule from a specific folder in a Control D profile. This action permanently removes a custom rule (e.g., block, bypass, spoof, or redirect) from the specified folder within a profile. Requires valid profile_id, rule_id, and folder_id which can be obtained from:
- profile_id: Get Profiles action
- folder_id: Get Profile Folders action
- rule_id: List Custom Rules in Folder action
Input parameters
The unique identifier of the custom rule to delete. Obtain from GET /profiles/{profile_id}/rules/{folder_id} or the List Custom Rules in Folder action.
The folder (group) identifier containing the rule. Obtain from GET /profiles/{profile_id}/groups or the Get Profile Folders action.
The profile's primary key (PK). Obtain from GET /profiles or the Get Profiles action.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CONTROL_D_DELETE_PROFILES_PROFILE_ID_SCHEDULES_SCHEDULE_ID
Tool to delete a specific schedule within a profile. Use after confirming profile_id and schedule_id.
Input parameters
Unique identifier of the profile from which to delete the schedule
Unique identifier of the schedule to delete
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CONTROL_D_GET_ACCESS
List up to the latest 50 IP addresses that were used to query against a specific Device (resolver). Use this to retrieve known access IPs associated with a device in your Control D account.
Input parameters
Primary key (unique identifier) of the device to retrieve access IPs for. Required parameter.
For organization accounts, impersonate a child sub-organization admin to view/modify access IPs within that sub-org.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CONTROL_D_GET_ANALYTICS_ENDPOINTS
Tool to list analytics storage regions and their endpoints. Use after authenticating to retrieve available analytics regions.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CONTROL_D_GET_ANALYTICS_LEVELS
Tool to retrieve available analytics log levels for Control D devices. Use when you need to know what analytics options can be configured on devices (No Analytics, Some Analytics, Full Analytics).
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CONTROL_D_GET_BILLING_PAYMENTS
Tool to retrieve billing history of all payments made. Use when you need to access payment records, transaction history, or billing information for the account.
Input parameters
Optional organization ID to impersonate a child sub-organization admin. Only applicable for organization accounts with sub-organizations.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CONTROL_D_GET_BILLING_PRODUCTS
Retrieve all products currently activated on the Control D account. Use this to view active billing products, subscriptions, and their details.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CONTROL_D_GET_DEVICES
Lists all Control D devices (endpoints) associated with the account. Each device represents a unique DNS resolver that enforces a Profile (set of filtering rules). Use this to retrieve device inventory, check device status, or get resolver configuration details. Optionally filter by device_type to get only 'users' (desktops/mobiles/browsers) or 'routers'.
Input parameters
Filter devices by type. Use 'users' for desktop/mobile/browser devices, 'routers' for router devices. Omit to get all devices.
Optional organization ID to impersonate a child sub-organization admin. Only applicable for organization accounts with sub-organizations.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CONTROL_D_GET_DEVICES_TYPES
List all allowed device types in Control D. Returns categorized device types (OS, Browser, TV, Router) with their available icon identifiers and human-readable labels. Use when you need to display device type options or validate device icon identifiers when creating or updating devices.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CONTROL_D_GET_IP
Tool to retrieve the current IP address and datacenter information for the API request. Use when you need to check which IP address is being used or which Control D datacenter is handling requests.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CONTROL_D_GET_NETWORK
Tool to retrieve network stats on available services in different POPs (Points of Presence). Use when you need information about service availability across Control D's network infrastructure.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CONTROL_D_GET_ORGANIZATIONS_MEMBERS
Tool to view organization membership. Use to retrieve a list of all members in the organization including their email, status, permission levels, and last activity.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CONTROL_D_GET_ORGANIZATIONS_ORGANIZATION
Tool to view the authenticated organization's details. Use after confirming a valid API token.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CONTROL_D_GET_ORGANIZATIONS_SUB_ORGANIZATIONS
Tool to view sub-organizations and their details. Use when you need to list all sub-organizations under the authenticated organization account.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CONTROL_D_GET_PROFILES
Tool to list all profiles associated with the authenticated account. Use when you need an overview of accessible profiles.
Input parameters
For organization accounts only; impersonate a child sub-organization admin for all Profiles-scope calls
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CONTROL_D_GET_PROFILES_OPTIONS
Retrieves all available configuration options for DNS profiles in Control D. Returns a list of profile options including security filters (Safe Search, AI Malware Filter), TTL settings, block responses, and advanced DNS options (DNSSEC, DNS64, CNAME Flattening). Each option includes its type (toggle/dropdown/field), default value, and documentation URL. Use this to discover what settings can be configured when creating or updating profiles.
Input parameters
For organization accounts only; impersonate a child sub-organization admin for all Profiles-scoped calls
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CONTROL_D_GET_PROFILES_PROFILE_ID
Tool to retrieve details of a specific profile by its ID. Use when you need full profile details after confirming the profile_id.
Input parameters
Unique identifier of the profile to retrieve
For organization accounts only; impersonate a child sub-organization admin to retrieve the profile in that context.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CONTROL_D_GET_PROFILES_PROFILE_ID_ANALYTICS
Retrieve analytics data for a Control D profile. Returns DNS query statistics and traffic data for the specified profile. Use profile_id='0' to get analytics for all profiles, or specify a profile ID from the List Profiles endpoint.
Input parameters
Unique identifier (PK) of the profile to fetch analytics for. Use '0' to fetch analytics for all profiles, or a specific profile ID obtained from the List Profiles endpoint.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CONTROL_D_GET_PROFILES_PROFILE_ID_ANALYTICS_LOGS
Retrieves DNS query activity logs for a specific Control D profile. This tool fetches analytics logs that record DNS queries made through the profile, including details about blocked, allowed, and redirected queries. Use this to monitor DNS activity, audit security policies, or troubleshoot DNS resolution issues.
Prerequisites:
- A valid profile_id obtained from GET /profiles endpoint
- Analytics must be enabled for the profile to have log data
Common use cases:
- View recent DNS queries for a profile
- Filter logs by date range to analyze specific time periods
- Audit which domains were blocked or allowed
Input parameters
UTC end timestamp for filtering logs in ISO 8601 format. Logs up to this time will be included. If omitted, defaults to current time.
UTC start timestamp for filtering logs in ISO 8601 format. Logs from this time onwards will be included. If omitted, defaults to API's default range.
The unique identifier (PK) of the profile to retrieve analytics logs for. Obtain profile IDs from the GET /profiles endpoint.
For multi-organization accounts, specify a sub-organization ID to impersonate that organization's context when retrieving analytics logs.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CONTROL_D_GET_PROFILES_PROFILE_ID_ANALYTICS_LOGS_LOG_ID
Tool to retrieve a specific analytics log entry by its ID. Use when you need details of an analytics log for a given profile.
Input parameters
Identifier of the analytics log entry to retrieve.
Identifier of the target profile (Profile PK).
For organization accounts, impersonate a child sub-organization admin for profiles-scope API calls. Optional.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CONTROL_D_GET_PROFILES_PROFILE_ID_ANALYTICS_SUMMARY
Tool to fetch a summary of analytics data for a given profile. Use after confirming profile ID and desired date range.
Input parameters
End date for analytics summary in ISO 8601 format, inclusive.
Start date for analytics summary in ISO 8601 format, inclusive.
Identifier of the target profile (Profile PK).
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CONTROL_D_GET_PROFILES_PROFILE_ID_ANALYTICS_TOP_DOMAINS
Tool to fetch top domains accessed within a specific profile. Use after confirming profile ID.
Input parameters
End date for analytics in ISO 8601 format, inclusive.
Start date for analytics in ISO 8601 format, inclusive.
Identifier of the target profile (Profile PK).
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CONTROL_D_GET_PROFILES_PROFILE_ID_ANALYTICS_TOP_SERVICES
Tool to fetch top services accessed within a profile. Use after confirming the profile ID and desired date range.
Input parameters
End date for analytics data in ISO 8601 format, inclusive.
Start date for analytics data in ISO 8601 format, inclusive.
Identifier of the target profile (Profile PK).
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CONTROL_D_GET_PROFILES_PROFILE_ID_FILTERS
List all native (Control D curated) filters for a profile and their current states. Native filters are hand-curated blocklists maintained by Control D (e.g., 'Ads & Trackers', 'Malware', 'Adult Content'). Use this to see which filters are enabled/disabled for a profile. For 3rd party community filters, use the GET /profiles/{profile_id}/filters/external endpoint instead.
Input parameters
Primary key (PK) of the target profile. Obtain this from the GET /profiles endpoint.
For organization accounts, impersonate a child sub-organization admin for profiles-scope API calls. Optional.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CONTROL_D_GET_PROFILES_PROFILE_ID_FILTERS_EXTERNAL
Tool to list third-party filters for a specific profile. Use when you need to retrieve all external filters and their states after confirming the profile ID.
Input parameters
Primary key (PK) of the target profile. Obtain this from the GET /profiles endpoint.
For organization accounts, impersonate a child sub-organization admin for profiles-scope API calls. Optional.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CONTROL_D_GET_PROFILES_PROFILE_ID_FOLDERS
List all rule folders (groups) within a Control D profile. Rule folders are used to organize and group custom DNS rules. Each folder has an action type (BLOCK, BYPASS, SPOOF, or REDIRECT) and contains multiple rules. Use this after obtaining a valid profile_id from the list profiles endpoint.
Input parameters
Primary key (PK) of the profile. This is an alphanumeric string identifier obtained from the list profiles endpoint.
For organization accounts, impersonate a child sub-organization admin for profile-scoped API calls. Optional.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CONTROL_D_GET_PROFILES_PROFILE_ID_RULES
Retrieve custom DNS rules for a Control D profile. Returns rules that control domain resolution (BLOCK, BYPASS, SPOOF, or REDIRECT actions). Omit folder_id to list root folder rules, or provide a folder_id to list rules in a specific folder.
Input parameters
Target folder ID to list rules from. Use '0' or omit entirely for root folder rules. Get folder IDs from GET /profiles/{profile_id}/folders endpoint.
The profile's primary key (PK). Obtain this alphanumeric ID from the GET /profiles endpoint.
For organization accounts only: impersonate a child sub-organization admin within Profiles scope.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CONTROL_D_GET_PROFILES_PROFILE_ID_RULES_RULE_ID_FOLDER_ID
Tool to retrieve a specific rule within a folder by its ID. Use when you need full details of a custom rule in a profile's folder.
Input parameters
Rule identifier used in the path
Folder identifier used in the path
Profile identifier used in the path
Optional header to impersonate a child sub-organization within Profiles scope
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CONTROL_D_GET_PROFILES_PROFILE_ID_SCHEDULES
Tool to list schedules associated with a specific profile. Use after confirming the profile ID.
Input parameters
Identifier of the target profile (Profile PK)
For organization accounts, impersonate a child sub-organization admin for profiles-scope API calls. Optional.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CONTROL_D_GET_PROFILES_PROFILE_ID_SCHEDULES_SCHEDULE_ID
Tool to retrieve a specific schedule by its ID within a profile. Use when you need details of a profile schedule after confirming the profile_id and schedule_id.
Input parameters
Identifier of the target profile (Profile PK).
Identifier of the schedule to retrieve.
For organization accounts, impersonate a child sub-organization admin for profiles-scope API calls. Optional.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CONTROL_D_GET_PROFILES_PROFILE_ID_SERVICES
Tool to list services associated with a specific profile. Use when you need to retrieve all services that have any associated rules after confirming the profile ID.
Input parameters
Unique identifier (PK) of the target profile. Obtain profile IDs by calling the List Profiles endpoint first.
For organization accounts, impersonate a child sub-organization admin for profiles-scope API calls. Optional.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CONTROL_D_GET_PROXIES
Tool to retrieve the list of usable proxy locations that traffic can be redirected through. Use when you need to see available proxy exit locations for routing traffic via transparent proxies.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CONTROL_D_GET_SERVICES_CATEGORIES
List all available service categories in Control D. Returns categories like audio, video, social, gaming, etc. Each category contains multiple services that can be blocked or allowed. Use the returned 'PK' field as the category identifier when calling other service-related endpoints (e.g., get services by category). No parameters required; returns all available categories.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CONTROL_D_GET_SERVICES_CATEGORIES_CATEGORY
Retrieves all services within a specific Control D service category. Use this to discover available services (like Spotify, Netflix, Steam, etc.) that can be configured for DNS filtering or redirection. Each service includes its unique PK identifier needed for service-level configuration. First call GET /services/categories to get valid category identifiers.
Input parameters
Category identifier (PK) to retrieve services from. Valid categories include: audio, career, finance, gaming, hosting, news, recreation, shop, social, tools, vendors, video. Use GET /services/categories to retrieve the full list.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CONTROL_D_GET_USERS
Retrieve the authenticated user's account information from Control D. This tool returns comprehensive user account data including:
- Basic user info (email, status, 2FA settings)
- Organization membership and permissions (if applicable)
- Account limits and features
Use this tool to:
- Verify the authenticated account details
- Check organization membership and permissions
- Get account status and capabilities
- Retrieve the user's PK (primary key) for other API calls
No parameters required; uses the authenticated API token.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CONTROL_D_POST_DEVICES
Create a new device (DNS endpoint) in Control D. Each device gets unique DNS resolvers that enforce configured profiles. Requires a valid profile_id from GET_PROFILES. Returns DNS resolver URLs (DoH, DoT) and IPs for configuring client devices.
Input parameters
Optional description or comment for the device.
Device icon/type. Common values: 'desktop-windows', 'desktop-mac', 'desktop-linux', 'mobile-android', 'mobile-apple', 'router', 'server', 'other'.
Device name for identification (e.g., 'John's iPhone', 'Home Router').
Analytics level: 0=off, 1=basic (query counts), 2=full (includes domains). Default depends on account settings.
Enable automatic IP learning: 0=disable, 1=enable. When enabled, the device learns its IP automatically.
Primary key (PK) of the main profile to enforce on this device. Get from GET_PROFILES action.
Restrict device to authorized IPs only: 0=off, 1=on. If enabled, only pre-authorized IPs can use this endpoint.
Primary key of a second profile to enforce on this device (optional).
Set to 1 to generate legacy IPv4/IPv6 DNS resolvers in addition to the primary resolver.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CONTROL_D_POST_PROFILES
Create a new blank profile or clone an existing one. Profiles define DNS filtering rules, services, and settings that can be applied to devices. Use this to provision a new profile before assigning rules, filters, or devices to it.
Input parameters
Name for the new profile. Must be a non-empty string.
For organization accounts only: impersonate a child sub-organization admin for this operation.
Primary key of an existing profile to clone. If omitted, a blank profile is created. Get profile IDs using the GET /profiles endpoint.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CONTROL_D_POST_PROFILES_PROFILE_ID_RULES
Create custom DNS rules for a profile to control domain resolution. Use this to block ads/trackers, bypass filtering for specific domains, spoof DNS responses with custom IPs, or redirect traffic through proxies.
Input parameters
Rule type: 0=BLOCK (block domain), 1=BYPASS (bypass filtering), 2=SPOOF (return custom IP/hostname), 3=REDIRECT (route through proxy).
Target for SPOOF (IPv4 address or hostname) or REDIRECT (proxy identifier like 'JFK', 'LAX'). Required when do=2 or do=3.
Folder ID to create the rule in. If omitted, rule is created in the root folder.
Rule status: 1=enabled, 0=disabled. Defaults to enabled.
IPv6 address for SPOOF rules (AAAA record). Only used when do=2.
List of hostnames/domains to apply the rule to. Supports wildcards (e.g., '*.example.com').
Profile primary key (PK) where rules will be created. Get this from the GET /profiles endpoint.
For organization accounts: impersonate a child sub-organization admin within the Profiles scope.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CONTROL_D_POST_PROFILES_PROFILE_ID_RULES_FOLDER_ID
Tool to create custom rules within a specific folder for a profile. Use after confirming the profile and folder IDs and preparing rule definitions.
Input parameters
List of custom rule objects to create. Each rule object must include: 'do' (int: 0=BLOCK, 1=BYPASS, 2=SPOOF, 3=REDIRECT), 'status' (int: 0=disabled, 1=enabled), 'hostnames' (array of domain names). Optional: 'via' (spoof target IP/hostname or proxy ID like 'JFK'), 'via_v6' (IPv6 address for SPOOF).
Numeric folder ID (group PK) where rules will be created. Use '0' for the root folder.
Profile primary key (PK) where rules will be created
For organization accounts: impersonate a child sub-organization admin within the Profiles scope
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CONTROL_D_POST_PROFILES_PROFILE_ID_SCHEDULES
Create a new time-based schedule within a Control D profile. Schedules allow automatic enforcement of profile rules during specified time windows. Use this to set up recurring time periods (e.g., work hours, bedtime) when specific DNS filtering rules should apply. Requires a valid profile_id from GET /profiles.
Input parameters
Schedule configuration object. Must include 'time_start' and 'time_end' in HH:MM format. Optionally specify 'tz' for timezone and 'week' for active days.
Profile primary key (PK) where schedule will be created. Obtain this from the GET /profiles endpoint
For organization accounts: impersonate a child sub-organization admin within the Profiles scope. Optional.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CONTROL_D_PUT_DEVICES_DEVICE_ID
Modify an existing Control D device's settings. Use this tool to update device properties such as name, associated profiles, analytics level, IP learning, restrictions, DDNS settings, and status. At least one field to update must be provided alongside the device_id.
Input parameters
Add a description or comment to the device.
New device name.
Analytics level for the device. 0=off, 1=basic, 2=full.
Update device status: 0=pending, 1=active, 2=soft disabled, 3=hard disabled.
Enable/disable experimental ECH support and TLS bumping.
Enable/disable automatic IP learning. 0=disabled, 1=enabled.
Unique identifier (PK) of the device to modify. Obtain this from the GET /devices endpoint.
Primary key of the main profile to enforce on this device.
Make device restricted. 0=disabled, 1=enabled.
Status of public DDNS endpoint. 1=enabled, 0=disabled.
Primary key of a second profile to enforce. Use '-1' to remove the secondary profile.
DDNS hostname to query to learn new IPs.
DDNS subdomain to expose the IP on.
Optional header to impersonate a child sub-organization admin. Only applicable for organization accounts managing sub-organizations.
Status of DDNS-based IP learning. 0=disabled, 1=enabled.
Set to 1 to generate legacy IPv4/IPv6 DNS resolver, 0 to remove.
ctrld .toml config file content to deploy to the device.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CONTROL_D_PUT_ORGANIZATIONS
Modify organization settings such as name, contact details, website, and device limits. Use this to update organization metadata or change billing-related limits (max_users, max_routers). Note: Changing max_users or max_routers is a billable event. Requires a write-enabled API token with organization admin permissions.
Input parameters
Organization display name
Physical address of the organization
Organization website URL
Maximum number of user devices allowed. Changing this is a billable event.
Whether two-factor authentication is required for all members. 0 = not required, 1 = required.
Maximum number of router devices allowed. Changing this is a billable event.
Name of the responsible contact person
Primary contact email address for the organization
Contact phone number
Optional header to impersonate a sub-organization by its ID. Only usable by parent organizations.
Global profile ID to enforce on all devices in the organization
Storage region primary key for analytics data (e.g., 'syd-org01')
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CONTROL_D_PUT_PROFILES_PROFILE_ID
Modify an existing profile by its ID. Use this to update profile properties such as the display name, deactivation timestamp, or lock status. Requires at least one modifiable field (name, disable_ttl, lock_status, lock_message).
Input parameters
New display name for the profile.
Account credentials required when unlocking a previously locked profile.
Profile primary key (PK) identifying the profile to modify.
Unix timestamp until which the profile is deactivated. Set to 0 to remove any prior deactivation.
Controls edit restrictions on the profile. 0 = unlocked, 1 = locked.
Custom error message returned when attempting to modify a locked profile.
For organization accounts only; impersonate a child sub-organization admin for Profiles-scope calls.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CONTROL_D_PUT_PROFILES_PROFILE_ID_FILTERS
Tool to bulk update filters on a specific profile. Use when you need to enable or disable multiple filters at once. Provide a list of filter IDs with desired states.
Input parameters
List of filters to update with desired enabled states
Identifier of the target profile (Profile PK)
For organization accounts, impersonate a child sub-organization admin for profiles-scope API calls. Optional.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CONTROL_D_PUT_PROFILES_PROFILE_ID_FILTERS_EXTERNAL
Tool to update external filters for a specific profile. Use when toggling third-party filters after listing them.
Input parameters
List of external filter update objects. Each must include 'filter_id' and 'enabled' flag.
Unique identifier of the profile to update
For organization accounts, impersonate a child sub-organization admin within the Profiles scope
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CONTROL_D_PUT_PROFILES_PROFILE_ID_FILTERS_FILTER_FILTER
Modify the enabled state of a specific native filter on a profile. Use this tool to enable or disable individual content filters like 'ads', 'malware', 'social', etc. on a specific profile. The filter status is set using integer values (1 = enabled, 0 = disabled).
Input parameters
The filter name/ID to enable or disable. Valid native filters include: 'ads' (Ads & Trackers), 'porn' (Adult Content), 'fakenews' (Clickbait), 'cryptominers' (Crypto), 'dating' (Dating), 'drugs' (Drugs), 'gambling' (Gambling), 'gov' (Government Sites), 'iot' (IoT Telemetry), 'malware' (Malware), 'nrd' (New Domains), 'typo' (Phishing), 'social' (Social), 'torrents' (Torrents), 'dnsvpn' (VPN & DNS).
Status of the filter: 1 to enable, 0 to disable.
The profile primary key (PK) to modify filters on. Obtain from GET /profiles.
For organization accounts, impersonate a child sub-organization admin for profiles-scope API calls. Optional.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CONTROL_D_PUT_PROFILES_PROFILE_ID_RULES
Modify an existing custom DNS rule for a profile in Control D. Use this to update rule properties such as action type (block/bypass/spoof/redirect), status (enabled/disabled), target hostnames, and redirect destinations. Rule types:
- BLOCK (do=0): Block DNS resolution for the hostnames
- BYPASS (do=1): Bypass all filters for the hostnames
- SPOOF (do=2): Return custom IP addresses (set via/via_v6)
- REDIRECT (do=3): Route traffic through a proxy (set via to proxy ID)
Input parameters
Rule action type: 0=BLOCK, 1=BYPASS, 2=SPOOF, 3=REDIRECT
Spoof/Redirect target. For SPOOF (do=2): IPv4 address or hostname. For REDIRECT (do=3): valid proxy identifier
ID of the folder to place the rule in. Omit for root folder
Rule status: 0=disabled, 1=enabled
For SPOOF rules (do=2): IPv6 address (AAAA record)
Array of hostnames to apply the rule to (e.g., ['example.com', '*.example.org'])
Primary key (PK) of the profile containing the rule
For organization accounts: impersonate a child sub-organization admin within the Profiles scope
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CONTROL_D_PUT_PROFILES_PROFILE_ID_RULES_RULE_ID
Tool to update an existing custom rule by its ID. Use when modifying details like name, description, severity, or enabled status for a specific rule.
Input parameters
Updated name of the custom rule
Updated enabled status of the custom rule
Unique identifier of the custom rule to update
Updated severity level of the custom rule (e.g., 0=low, 1=medium, 2=high)
Unique identifier of the profile containing the custom rule
Updated description of what the custom rule enforces
For organization accounts: impersonate a child sub-organization admin within the Profiles scope
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CONTROL_D_PUT_PROFILES_PROFILE_ID_RULES_RULE_ID_FOLDER_ID
Tool to move a specific custom rule into a different folder. Use after confirming profile_id, rule_id, and folder_id.
Input parameters
The identifier of the custom rule to move. In Control D, rules are identified by their hostname/domain (e.g., 'example.com', 'ads.domain.com', '*.example.org'). This is the PK field returned when listing rules.
Target folder ID to assign the rule. Use 'root' to move the rule back to the root level.
Unique identifier of the profile containing the rule
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CONTROL_D_PUT_PROFILES_PROFILE_ID_SCHEDULES_SCHEDULE_ID
Tool to update a specific schedule within a profile. Use when you need to modify schedule details after confirming profile_id and schedule_id.
Input parameters
JSON object containing the schedule fields and values to update.
Identifier of the target profile (Profile PK).
Identifier of the schedule to update.
For organization accounts, impersonate a child sub-organization admin for profile-scope API calls.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CONTROL_D_PUT_PROFILES_PROFILE_ID_SERVICES_SERVICE
Tool to modify a specific service rule for a profile. Use when you need to update blocking, bypassing, spoofing, or proxy-redirect settings after reviewing existing rules.
Input parameters
Rule action type: 0=BLOCK (block service domains), 1=BYPASS (allow domains, overrides filters), 2=SPOOF (redirect domains to custom IP via 'via' param), 3=REDIRECT (route traffic through proxy location via 'via' param)
Required when do=2 (SPOOF): IPv4 address or hostname for A record. Required when do=3 (REDIRECT): 3-letter IATA proxy location code (e.g., 'YYZ', 'LAX', 'LHR'). Ignored for do=0/1.
Rule status: 0=disabled; 1=enabled
IPv6 address for AAAA record when do=2 (SPOOF). Ignored for other modes.
Service PK identifier to modify. Common services include streaming (netflix, youtube, spotify, twitch), social (facebook, twitter, instagram, tiktok), gaming (steam, xbox, playstation), and more. Use GET /services/categories/{category} to discover available service PKs.
Profile PK (primary key) to update. Obtain from GET /profiles endpoint.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
No publicly available marketplace agent is found using this tool yet. There are 90 agents privately built on Nagent that already use Control D.
The five questions agent builders ask before adopting a new integration.
Open the External Integrations panel inside Nagent (app.nagent.ai/externalIntegration), find Control D, and click "Connect Now." You'll authenticate with an API key — Nagent handles credential storage and refresh automatically. Once connected, Control D is available to any agent in your workspace.
No. Nagent provides no-code integration for every tool. Once Control D is connected, you configure its 54 actions directly in the agent builder UI — no API calls, no boilerplate, no schema management.
Helix — Nagent's agentic agent builder — lets you drop Control D steps into any workflow visually. Pick an action (e.g., one of those listed above), fill in the inputs (Helix knows the required vs. optional schema for each parameter), and connect it to upstream/downstream steps. Triggers run as the entry point of an agent, so when a Control D event fires, the agent kicks off automatically.
Every Control D action and trigger ships with a fully-typed schema — input parameters with name, type, required flag, and description, plus the output payload shape. The schemas are documented in the sections above. Helix uses these schemas to validate your configuration at build time and to type-check the data flowing between steps.
Yes. While Control D ships with 54 pre-built security & identity tools actions, you can layer custom logic around them inside Helix — pre/post-processing steps, conditional branches, retries, or stitching Control D together with other connected tools. For deeper customization, talk to our team about Nagent's Agentic AI Lab — forward-deployed engineers who build Control D-based workflows tailored to your business.