Secret Redaction
The secret_redaction guardrail detects API keys, passwords, and other secrets that may have leaked into LLM responses.
Import
Section titled “Import”from pydantic_ai_guardrails.guardrails.output import secret_redactionBasic Usage
Section titled “Basic Usage”from pydantic_ai_guardrails import GuardedAgentfrom pydantic_ai_guardrails.guardrails.output import secret_redaction
guarded_agent = GuardedAgent( agent, output_guardrails=[ secret_redaction(), ],)Parameters
Section titled “Parameters”| Parameter | Type | Default | Description |
|---|---|---|---|
patterns | list[str] | None | Default patterns | Custom regex patterns |
Default Patterns
Section titled “Default Patterns”The guardrail detects these secret patterns by default:
| Type | Pattern | Example |
|---|---|---|
| OpenAI API key | sk-[a-zA-Z0-9]{32,} | sk-abc123... |
| AWS Access Key | AKIA[A-Z0-9]{16} | AKIAIOSFODNN7EXAMPLE |
| GitHub Token | ghp_[a-zA-Z0-9]{36} | ghp_abc123... |
| Generic API Key | api[_-]?key[=:]\s*\S+ | api_key=xyz123 |
| Password | password[=:]\s*\S+ | password=secret |
| Bearer Token | Bearer\s+[a-zA-Z0-9._-]+ | Bearer eyJ... |
Examples
Section titled “Examples”Default Detection
Section titled “Default Detection”guardrail = secret_redaction()Custom Patterns
Section titled “Custom Patterns”guardrail = secret_redaction( patterns=[ r'sk-[a-zA-Z0-9]{32,}', # OpenAI r'AKIA[A-Z0-9]{16}', # AWS r'my-company-key-[a-z0-9]{20}', # Custom company format ],)Violation Result
Section titled “Violation Result”When triggered, returns:
{ 'tripwire_triggered': True, 'message': 'Potential secrets detected in output', 'severity': 'critical', 'metadata': { 'patterns_matched': ['openai_api_key', 'aws_access_key'], }, 'suggestion': 'Remove or redact all API keys and secrets from the response',}Use Cases
Section titled “Use Cases”- Data protection: Prevent accidental exposure of credentials
- Compliance: Meet security requirements
- Training safety: Catch model leaking training data
- API security: Protect keys from logs and responses
Related
Section titled “Related”- Output Guardrails Guide
- Auto-Retry
- PII Detector (for input)