Guardrails
PII redaction, prompt-injection detection, geo rules, and spend limits — enforced before any provider call.
Guardrails are workspace-level policies enforced at the gateway, before your request ever reaches an upstream provider.
- PII redaction — detect and mask emails, phone numbers, and custom patterns.
- Prompt injection — block or flag suspicious system/user content.
- Geo restrictions — allow or deny requests by country code.
- Spend limits — daily workspace and per-key caps, enforced with
402 insufficient_balance. - Model allowlist — reject models that aren't on the key's or workspace's list.
Turn On a Guardrail
- Go to Guardrails in the dashboard.
- Select the Content Filters, Geographic Rules, or Rate Limits tab.
- Toggle a rule on, and choose its action: redact, warn, or block.
- Select Save changes.
Tip:
Turn on PII redaction and a model allowlist before you turn on anything else — they're the two guardrails that protect you even when a request comes from code you didn't write, like a third-party plugin or a misconfigured agent.
A blocked request returns a 403 with the specific rule that fired:
Next steps