> ## Documentation Index
> Fetch the complete documentation index at: https://docs.wardin.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# PII Redaction

> Automatic redaction of sensitive data before requests reach any provider.

Wardin scans the outbound request body for PII patterns and replaces them with placeholder tokens before forwarding to any LLM provider. The original values never leave your network.

## Built-in patterns

| Pattern                   | Example               | Redacted to     |
| ------------------------- | --------------------- | --------------- |
| Email address             | `alice@example.com`   | `[EMAIL]`       |
| Phone number              | `+1 (555) 867-5309`   | `[PHONE]`       |
| US Social Security Number | `123-45-6789`         | `[SSN]`         |
| Credit card number        | `4111 1111 1111 1111` | `[CREDIT_CARD]` |
| IPv4 address              | `192.168.1.1`         | `[IP_ADDRESS]`  |

## Custom patterns

Add your own regex patterns in the policy config:

```yaml theme={null}
type: pii_redaction
config:
  patterns:
    - email
    - phone
  custom_patterns:
    - name: employee_id
      regex: 'EMP-\d{6}'
      replacement: '[EMPLOYEE_ID]'
    - name: internal_order
      regex: 'ORD-[A-Z]{2}\d{8}'
      replacement: '[ORDER_ID]'
```

## Audit logging

Every redaction event is logged to ClickHouse:

```json theme={null}
{
  "event_type": "pii_redacted",
  "key_id": "key_01j...",
  "patterns_matched": ["email", "employee_id"],
  "match_count": 2,
  "timestamp": "2025-01-15T10:05:00Z"
}
```

The log records **what was redacted** (the pattern name and count), not the original value.

## Scope

PII redaction runs on:

* The `content` field of all user and assistant messages
* `system` prompt content
* Tool results

It does **not** run on:

* Response bodies from the provider (your own model output)
* Metadata fields (model, max\_tokens, etc.)

## Enabling redaction

Attach a `pii_redaction` policy to a key or to the tenant (for org-wide enforcement):

```bash theme={null}
curl -X POST https://api.wardin.ai/v1/policies \
  -H "Authorization: Bearer wardin_sk_ADMIN_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "global-pii",
    "type": "pii_redaction",
    "config": {
      "patterns": ["email", "phone", "ssn", "credit_card"]
    }
  }'
```

Then attach the policy to a key:

```bash theme={null}
curl -X PATCH https://api.wardin.ai/v1/keys/key_01j... \
  -H "Authorization: Bearer wardin_sk_ADMIN_KEY" \
  -H "Content-Type: application/json" \
  -d '{"policyIds": ["policy_01j..."]}'
```
