Private beta: The LLM Gateway is in private beta. Sign up for the waitlist to get access.
When a PII or secrets redaction policy is active, the gateway scans outbound requests before they reach the LLM provider. If sensitive data is detected, it is redacted from the request. The agent continues to receive a response. Redacted content is also redacted in the LangSmith trace, so sensitive data does not persist in your observability data either.

PII detection

The gateway detects and redacts the following categories of personally identifiable information:
| Category | Examples |
| --- | --- |
| Names | Person names in natural language |
| Nationality, religion, or political affiliation | Nationality |
| Locations | Addresses, cities, countries |
Detection uses Presidio for named entities (names, locations, and NRP) and pattern-based rules for structured identifiers.

Secrets detection

The gateway detects and redacts API keys, tokens, and credentials across a wide range of providers and formats:
| Category | Patterns detected |
| --- | --- |
| Social Security Numbers | US SSN patterns (for example, 123-45-6789) |
| Phone numbers | US phone number patterns |
| LangSmith | Personal tokens, service keys |
| AWS | Access tokens |
| GitHub | Personal access tokens, fine-grained PATs, OAuth tokens, app tokens |
| GitLab | Personal access tokens |
| AI providers | OpenAI API keys, Anthropic API keys |
| Cloud platforms | GCP API keys, Azure AD client secrets |
| Collaboration tools | Slack bot/user/app tokens, Datadog access tokens |
| Package registries | PyPI upload tokens, npm access tokens |
| Cryptographic | Private keys |
| Stripe | Access tokens |

Enable redaction policies

Creating and managing policies requires organization:manage permission.
  1. Go to Settings → Gateway → LLM Gateway.
  2. Click Create policy.
  3. Select PII redaction or Secrets redaction as the policy type.
  4. Configure which categories to detect (or enable all).
  5. Save.
Redaction policies apply to all requests that pass through the gateway in the scope where they’re configured. They take effect immediately.

How redacted content appears

When PII or a secret is detected, the content is replaced with a placeholder in both the request sent to the provider and the LangSmith trace. For example:
Original request:
Please process the refund for John Smith, SSN 123-45-6789.
Upstream redaction:
Please process the refund for [SAFE_TO_USE:PERSON_kbqdjxyz], SSN [SAFE_TO_USE:US_SSN_abqxlmwp]
Placeholders follow the format [SAFE_TO_USE:<CATEGORY>_<suffix>]:
  • SAFE_TO_USE: fixed prefix marking the value as a redacted placeholder.
  • <CATEGORY>: the detected type. Examples: PERSON, LOCATION, US_SSN, US_PHONE_NUMBER, OPENAI_API_KEY, GITHUB_PAT, LANGSMITH_PERSONAL_TOKEN.
  • <suffix>: an 8-character random tag.
The trace in LangSmith shows the redacted version along with metadata indicating that redaction occurred and which categories were detected.
Downstream de-redacted response:
As the upstream provider returns a response, the gateway replaces the redaction placeholders with the caller's original values. For example, your agent may see this response:
Checking Confirming John Smith's SSN to be 123-45-6789.... Okay! I will process the full refund.

What redaction covers

What it covers:
  • Outbound request content (the message sent to the LLM provider) is scanned and redacted before it leaves the gateway.
  • The redacted version is what appears in LangSmith traces.
What it does not cover:
  • Responses from the LLM provider: if the model generates sensitive data in its response, that content is not redacted. Streaming response redaction is in progress.
  • Data already in your traces: redaction only applies to requests flowing through the gateway. Traces written directly to the LangSmith API (bypassing the gateway) are not scanned.
  • Platform-level ingestion: if your requirement is to prevent PII from ever entering LangSmith regardless of how it arrives (for example, data residency compliance), gateway redaction alone is not sufficient. That requires ingestion-level redaction, which is a separate capability.
  • Prompt scanning: system prompts, developer prompts, and tool-call arguments are not scanned.
Scanner failures are fail-closed: if a PII or secrets scanner is unreachable, slow, or returns an error, that stage blocks the request from proceeding.
The distinction between covered and uncovered surfaces matters. If your security model requires that sensitive data never reaches any system (not just the LLM provider), make sure you understand which surface the gateway covers and which surfaces require additional controls.
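The following is an added example, not part of the LangSmith documentation or the gateway's code: a check over exported trace text that counts redaction placeholders by category and flags fields still holding a raw SSN-shaped value, which points at a surface the gateway does not scan. The field names, the sample trace, the SSN regex, and the assumption that the 8-character suffix is alphanumeric are all constructed for illustration.

```python
import re
from collections import Counter

# Placeholder format documented on this page: [SAFE_TO_USE:<CATEGORY>_<suffix>]
# Assumption: the 8-character suffix is alphanumeric (the page's examples
# use lowercase letters only).
PLACEHOLDER = re.compile(r"\[SAFE_TO_USE:([A-Z0-9_]+)_([A-Za-z0-9]{8})\]")

# Assumption: a simple US SSN shape matching the page's 123-45-6789 example.
# This is not the gateway's own detection rule.
RAW_SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def audit_trace(fields):
    """Audit a mapping of trace field name -> text.

    Returns (placeholder counts per category, sorted names of fields that
    still contain a raw SSN-shaped value).
    """
    categories = Counter()
    leaking_fields = []
    for name, text in fields.items():
        for match in PLACEHOLDER.finditer(text):
            categories[match.group(1)] += 1
        if RAW_SSN.search(text):
            leaking_fields.append(name)
    return categories, sorted(leaking_fields)


# Constructed sample: hypothetical field names, not a LangSmith trace schema.
SAMPLE_TRACE = {
    # Scanned surface: the redacted message from the page's own example.
    "user_message": "Please process the refund for "
                    "[SAFE_TO_USE:PERSON_kbqdjxyz], SSN [SAFE_TO_USE:US_SSN_abqxlmwp]",
    # Surfaces the page lists as not scanned.
    "system_prompt": "Escalate to the account owner (SSN 987-65-4321) on failure.",
    "tool_call_arguments": '{"ssn": "123-45-6789", "action": "refund"}',
}

if __name__ == "__main__":
    counts, leaks = audit_trace(SAMPLE_TRACE)
    print("redacted categories:", dict(counts))
    print("fields with raw SSN-shaped values:", leaks)
```
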
