Guardrails
Guardrails apply content protections to AI requests before they reach the model. They are configured facility-wide under Settings (cog) → Guardrails, and individual API keys and agents can override them.
"Apply content protections to every request for this facility. None are enabled by default. Individual keys can override these."

Figure 1: The Guardrails page — templates, the three built-in guardrails, and Content filters
The built-in guardrails
| Guardrail | What it does |
|---|---|
| PII masking | "Detect and mask personal data (names, emails, phone numbers, etc.) before prompts reach the model." |
| Secret redaction | "Strip API keys, tokens and other secrets out of prompts before they are sent upstream." |
| Prompt-injection shield | "Block common prompt-injection / jailbreak attempts (e.g. "ignore previous instructions", "developer mode") before they reach the model." |
PII masking and secret redaction rewrite the prompt (the request still goes through, with sensitive spans masked). The prompt-injection shield blocks matching requests outright with a content policy violation error (HTTP 403).
Templates
The Templates row applies a preset selection in one click, then Save changes:
| Template | Selection |
|---|---|
| None | No guardrails (the default). |
| PII protection | PII masking. |
| Secret redaction | Secret redaction. |
| Injection shield | Prompt-injection shield. |
| Strict | All three. |
Saving shows "Guardrail settings saved."
Content filters
Below the guardrails, Content filters let you add your own rules:
"Custom regular expressions evaluated on prompt content by the proxy. Redact rewrites matches to [REDACTED]; block rejects the request. Individual keys can override these."
Click Add filter and provide:
| Field | Behaviour |
|---|---|
| Pattern | A regular expression ("Regular expression, e.g. \b\d{16}\b" — that example matches 16-digit card numbers). Unsafe patterns are rejected; patterns are capped at 300 characters, and a facility can have up to 25 filters. |
| Action | Redact — matches are rewritten to [REDACTED] and the request continues; Block — the request is rejected with a content policy violation error. |
| Label (optional) | A name for the filter. |
Use Remove to delete a filter, then Save changes. With none configured: "No content filters. Add one to redact or block matching prompt text."
Per-key and per-agent overrides
Each API key and each connected agent has an Override facility guardrails toggle in its configuration drawer:
- Off (default): the key/agent inherits the facility's guardrail and content-filter selection.
- On: the key/agent uses its own selection instead — "Select none to explicitly disable guardrails for this key." This is how you exempt one trusted integration from facility-wide masking, or apply stricter rules to a single key.
What callers see
- Redactions are silent — the model simply receives
[REDACTED](or masked PII/secrets) in place of the matched text. - Blocks return HTTP 403 with the message "Request blocked by content policy" and code
content_policy_violation. See the error table in Connecting your application.
Prompt content is scanned in transit only — guardrails never store what they scan.