Skip to content

Security

Gate adds policy checks around the model providers and tools you already use. When a check is enabled, Gate can flag, redact, or block risky content before it reaches the model, before a response reaches the caller, or both, depending on the policy.

This page explains the security controls as a whole. For the prompt-injection feature specifically, see Prompt-injection defense.

What Gate checks

CheckWhat it is for
Prompt injectionAttempts to override instructions, extract hidden prompts, hijack an agent’s goal, or smuggle instructions through untrusted content.
PII / PHIPersonal and health-related data such as emails, phone numbers, SSNs, credit cards, and medical references.
Credentials and secretsCloud keys, provider keys, access tokens, JWTs, private keys, service-account material, and secret-like tokens.

Usage limits, rate limits, and billing controls are enforced separately from these security checks. They can still stop a request, but they are not prompt or content detections.

How decisions work

Each enabled check returns an action. If more than one check fires on a request or response, the strictest action wins.

ActionWhat happens
AllowNo enabled check found anything that requires action.
FlagThe request or response continues, and Gate records the detection.
RedactSensitive values are replaced before content is forwarded or shown in readable message records.
BlockThe request or response is rejected before it continues.

Prompt-injection policies support Flag and Block. PII, PHI, and credential policies support Flag, Redact, and Block.

New organizations default to Flag for the security checks, so early traffic surfaces detections without surprising users with blocks or silent rewrites. Move a policy to Redact or Block once you have reviewed your own traffic.

Configuring policies

Open Policies in the dashboard. From there you can:

  • Turn each check on or off.
  • Choose the action for each check.
  • Choose input, output, or bidirectional scanning for PII, PHI, and credentials.
  • Tune prompt-injection sensitivity on Pro.
  • Turn basic prompt-injection screening on or off on Free.

Policy changes take effect shortly after they are saved. They do not require a redeploy.

Prompt-injection policy

Prompt-injection detection runs on model inputs. On Pro, Gate can also scan untrusted tool-result content as its own check because indirect injection often arrives through retrieved data.

Free organizations get basic regex screening on by default, and can turn it off under Policies. Pro organizations get the full detector, tool-result scanning, and Low, Medium, or High sensitivity presets. Higher sensitivity catches more suspicious traffic and creates more false positives. See Prompt-injection defense for the preset targets and plan behavior.

Sensitive-data redaction

PII, PHI, and credential checks can redact matched values. Redaction replaces the sensitive value with a safer representation before the content continues through Gate.

The redaction style can be:

  • Placeholder: replace with a typed token such as <EMAIL> or <SECRET_TOKEN>.
  • Mask: replace with a fixed mask.
  • Hash: replace with a hash value for correlation without retaining the original.

Input redaction happens before a request is forwarded to the model. Output redaction happens before the response is shown to the caller when the response can be safely rewritten. For streaming responses, Gate scans as the stream is handled; if a secret would otherwise be leaked and cannot be safely redacted in place, Gate fails closed rather than forwarding the secret.

Prompt content and erasure

The tamper-evident audit trail does not store prompt or response text. It anchors fingerprints and request metadata so the record can be verified without making the readable content permanent.

Readable message content is stored separately under your retention settings. The Messages view reads from that separate store. When retained content is deleted, the readable prompt or response is removed while the proof that the request happened remains verifiable. See Audit trail.

Redaction affects what is forwarded and what readable message records contain. It is separate from the audit proof, which is designed not to depend on retained cleartext.

Blocked requests

A blocked request never reaches the model. Gate returns HTTP 403 in the provider-shaped error format for the endpoint you called, so existing SDK error handling continues to work.

For OpenAI-compatible endpoints (/v1/chat/completions):

{
"error": {
"code": "security_blocked",
"message": "Request blocked by security policy.",
"source": "gateway",
"type": "permission_error"
}
}

For the Anthropic Messages API (/v1/messages):

{
"type": "error",
"error": {
"type": "permission_error",
"message": "Request blocked by security policy."
}
}

The response does not include matched content, raw detector output, or scores. The dashboard shows a broad summary on the affected request.

Cross-turn replay protection

When Gate blocks or redacts a risky user turn, it prevents the same content from slipping back into the model as conversation history on a later turn. Depending on the situation, Gate either blocks the replay or strips the previously rejected content from the forwarded history.

This runs automatically.

False positives

If a legitimate request was flagged or blocked, click Report false positive on the request detail page. Reports help improve the detector and create a documented review trail.