Security
Gate adds policy checks around the model providers and tools you already use. When a check is enabled, Gate can flag, redact, or block risky content before it reaches the model, before a response reaches the caller, or both, depending on the policy.
This page explains the security controls as a whole. For the prompt-injection feature specifically, see Prompt-injection defense.
What Gate checks
| Check | What it is for |
|---|---|
| Prompt injection | Attempts to override instructions, extract hidden prompts, hijack an agent’s goal, or smuggle instructions through untrusted content. |
| PII / PHI | Personal and health-related data such as emails, phone numbers, SSNs, credit cards, and medical references. |
| Credentials and secrets | Cloud keys, provider keys, access tokens, JWTs, private keys, service-account material, and secret-like tokens. |
Usage limits, rate limits, and billing controls are enforced separately from these security checks. They can still stop a request, but they are not prompt or content detections.
How decisions work
Each enabled check returns an action. If more than one check fires on a request or response, the strictest action wins.
| Action | What happens |
|---|---|
| Allow | No enabled check found anything that requires action. |
| Flag | The request or response continues, and Gate records the detection. |
| Redact | Sensitive values are replaced before content is forwarded or shown in readable message records. |
| Block | The request or response is rejected before it continues. |
Prompt-injection policies support Flag and Block. PII, PHI, and credential policies support Flag, Redact, and Block.
New organizations default to Flag for the security checks, so early traffic surfaces detections without surprising users with blocks or silent rewrites. Move a policy to Redact or Block once you have reviewed your own traffic.
Configuring policies
Open Policies in the dashboard. From there you can:
- Turn each check on or off.
- Choose the action for each check.
- Choose input, output, or bidirectional scanning for PII, PHI, and credentials.
- Tune prompt-injection sensitivity on Pro.
- Turn basic prompt-injection screening on or off on Free.
Policy changes take effect shortly after they are saved. They do not require a redeploy.
Prompt-injection policy
Prompt-injection detection runs on model inputs. On Pro, Gate can also scan untrusted tool-result content as its own check because indirect injection often arrives through retrieved data.
Free organizations get basic regex screening on by default, and can turn it off under Policies. Pro organizations get the full detector, tool-result scanning, and Low, Medium, or High sensitivity presets. Higher sensitivity catches more suspicious traffic and creates more false positives. See Prompt-injection defense for the preset targets and plan behavior.
Sensitive-data redaction
PII, PHI, and credential checks can redact matched values. Redaction replaces the sensitive value with a safer representation before the content continues through Gate.
The redaction style can be:
- Placeholder: replace with a typed token such as
<EMAIL>or<SECRET_TOKEN>. - Mask: replace with a fixed mask.
- Hash: replace with a hash value for correlation without retaining the original.
Input redaction happens before a request is forwarded to the model. Output redaction happens before the response is shown to the caller when the response can be safely rewritten. For streaming responses, Gate scans as the stream is handled; if a secret would otherwise be leaked and cannot be safely redacted in place, Gate fails closed rather than forwarding the secret.
Prompt content and erasure
The tamper-evident audit trail does not store prompt or response text. It anchors fingerprints and request metadata so the record can be verified without making the readable content permanent.
Readable message content is stored separately under your retention settings. The Messages view reads from that separate store. When retained content is deleted, the readable prompt or response is removed while the proof that the request happened remains verifiable. See Audit trail.
Redaction affects what is forwarded and what readable message records contain. It is separate from the audit proof, which is designed not to depend on retained cleartext.
Blocked requests
A blocked request never reaches the model. Gate returns HTTP 403 in the provider-shaped error format for the endpoint you called, so existing SDK error handling continues to work.
For OpenAI-compatible endpoints (/v1/chat/completions):
{ "error": { "code": "security_blocked", "message": "Request blocked by security policy.", "source": "gateway", "type": "permission_error" }}For the Anthropic Messages API (/v1/messages):
{ "type": "error", "error": { "type": "permission_error", "message": "Request blocked by security policy." }}The response does not include matched content, raw detector output, or scores. The dashboard shows a broad summary on the affected request.
Cross-turn replay protection
When Gate blocks or redacts a risky user turn, it prevents the same content from slipping back into the model as conversation history on a later turn. Depending on the situation, Gate either blocks the replay or strips the previously rejected content from the forwarded history.
This runs automatically.
False positives
If a legitimate request was flagged or blocked, click Report false positive on the request detail page. Reports help improve the detector and create a documented review trail.
Related
- Prompt-injection defense: how prompt-injection protection behaves.
- How Gate works: where security checks run in the request flow.
- Audit trail: the tamper-evident request record.