Skip to main content
The default plugin ships with the AI Gateway and requires no additional credentials or configuration. Reference each function by the ID default.<functionId>.
Hooks listed as beforeRequestHook run on the input (place in input_guardrails). Hooks listed as afterRequestHook run on the output (place in output_guardrails). Some functions support both.

Text matching

Checks whether the request or response text matches a regular expression pattern.Supported hooks: beforeRequestHook, afterRequestHook
rule
string
required
The regex pattern to test against the content.
not
boolean
default:"false"
When true, the verdict is inverted — passes when the pattern does not match.
Example — block credit card numbers in prompts
{
  "input_guardrails": [{
    "default.regexMatch": {
      "rule": "\\d{4}-\\d{4}-\\d{4}-\\d{4}"
    },
    "deny": true
  }]
}
Checks whether the content contains any, all, or none of a list of words or phrases.Supported hooks: afterRequestHook
words
array
required
List of words or phrases to look for.
operator
string
required
How to apply the word list. One of any, all, or none.
Example — block responses that mention competitors
{
  "output_guardrails": [{
    "default.contains": {
      "operator": "none",
      "words": ["CompetitorA", "CompetitorB"]
    },
    "deny": true
  }]
}
Checks whether the content ends with a specified string.Supported hooks: beforeRequestHook, afterRequestHook
suffix
string
required
The string the content must end with.
not
boolean
default:"false"
When true, the verdict is inverted — passes when the content does not end with the suffix.
Example — enforce responses end with a disclaimer
{
  "output_guardrails": [{
    "default.endsWith": {
      "suffix": "This is not legal advice."
    },
    "deny": false
  }]
}
Checks whether the content consists entirely of uppercase letters.Supported hooks: beforeRequestHook, afterRequestHook
not
boolean
default:"false"
When true, the verdict is inverted — passes when content is not all uppercase.
Example — reject all-caps prompts
{
  "input_guardrails": [{
    "default.alluppercase": {},
    "deny": true
  }]
}
Checks whether the content consists entirely of lowercase letters.Supported hooks: beforeRequestHook, afterRequestHook
not
boolean
default:"false"
When true, the verdict is inverted — passes when content is not all lowercase.
Example — require mixed case in user messages
{
  "input_guardrails": [{
    "default.alllowercase": {"not": true},
    "deny": false
  }]
}

Length checks

Checks whether the content falls within a specified word count range.Supported hooks: beforeRequestHook, afterRequestHook
minWords
number
default:"0"
Minimum number of words required.
maxWords
number
default:"99999"
Maximum number of words allowed.
not
boolean
default:"false"
When true, the verdict is inverted — passes when the count is outside the range.
Example — enforce concise responses (max 200 words)
{
  "output_guardrails": [{
    "default.wordCount": {
      "maxWords": 200
    },
    "deny": false
  }]
}
Checks whether the content contains a number of sentences within the specified range.Supported hooks: beforeRequestHook, afterRequestHook
minSentences
number
default:"0"
Minimum number of sentences required.
maxSentences
number
default:"99999"
Maximum number of sentences allowed.
not
boolean
default:"false"
When true, the verdict is inverted — passes when the count is outside the range.
Example — require at least 3 sentences in a response
{
  "output_guardrails": [{
    "default.sentenceCount": {
      "minSentences": 3
    },
    "deny": true
  }]
}
Checks whether the content length in characters falls within the specified range.Supported hooks: beforeRequestHook, afterRequestHook
minCharacters
number
default:"0"
Minimum character count required.
maxCharacters
number
default:"9999999"
Maximum character count allowed.
not
boolean
default:"false"
When true, the verdict is inverted — passes when the count is outside the range.
Example — block very short responses
{
  "output_guardrails": [{
    "default.characterCount": {
      "minCharacters": 50
    },
    "deny": true
  }]
}

JSON validation

Validates the response content against a JSON Schema definition. Useful when you expect structured output from the model.Supported hooks: afterRequestHook
schema
object
required
A valid JSON Schema object.
not
boolean
default:"false"
When true, the verdict is inverted — passes when the schema does not match.
Example — enforce structured output shape
{
  "output_guardrails": [{
    "default.jsonSchema": {
      "schema": {
        "type": "object",
        "properties": {
          "answer": {"type": "string"},
          "confidence": {"type": "number"}
        },
        "required": ["answer", "confidence"]
      }
    },
    "deny": true
  }]
}
Checks whether the response JSON object contains any, all, or none of the specified keys.Supported hooks: afterRequestHook
keys
array
required
List of key names to check for.
operator
string
required
How to interpret the key list. One of any, all, or none.
Example — ensure required keys exist in the response
{
  "output_guardrails": [{
    "default.jsonKeys": {
      "keys": ["summary", "tags"],
      "operator": "all"
    },
    "deny": true
  }]
}

URL and code checks

Checks whether all URLs referenced in the response content are reachable.Supported hooks: afterRequestHook
onlyDNS
boolean
default:"false"
When true, only checks that each URL’s domain resolves via DNS (much faster than full HTTP checks).
not
boolean
default:"false"
When true, the verdict is inverted — passes when URLs are not all valid.
Example — validate all URLs resolve
{
  "output_guardrails": [{
    "default.validUrls": {
      "onlyDNS": true
    },
    "deny": false
  }]
}
Checks whether the response contains a code block in a specified language.Supported hooks: afterRequestHook
format
string
required
The language to look for. Supported values: SQL, Python, TypeScript, JavaScript, Java, C#, C++, C, Ruby, PHP, Swift, Kotlin, Go, Rust, Scala, R, Perl, Shell, HTML, CSS, XML, JSON, YAML, Markdown, Dockerfile.
not
boolean
default:"false"
When true, the verdict is inverted — passes when code is not present.
Example — block responses that contain SQL
{
  "output_guardrails": [{
    "default.containsCode": {
      "format": "SQL",
      "not": true
    },
    "deny": true
  }]
}

Request and model controls

Controls which request endpoint types (e.g. chat completions, embeddings, image generation) are permitted or blocked. If neither list is provided, all request types are allowed.Supported hooks: beforeRequestHook
allowedTypes
array
Request types to allow. When combined with blockedTypes, blocked types take precedence. Can also be specified in request metadata as supported_endpoints.Possible values: complete, chatComplete, embed, rerank, moderate, stream-complete, stream-chatComplete, stream-messages, proxy, imageGenerate, createSpeech, createTranscription, createTranslation, realtime, uploadFile, listFiles, retrieveFile, deleteFile, retrieveFileContent, createBatch, retrieveBatch, cancelBatch, listBatches, getBatchOutput, listFinetunes, createFinetune, retrieveFinetune, cancelFinetune, createModelResponse, getModelResponse, deleteModelResponse, listResponseInputItems, messages.
blockedTypes
array
Request types to block. Takes precedence over allowedTypes. Can also be specified in request metadata as blocked_endpoints.
Example — only allow chat completions and embeddings
{
  "input_guardrails": [{
    "default.allowedRequestTypes": {
      "allowedTypes": ["chatComplete", "embed"]
    },
    "deny": true
  }]
}
Blocks any request whose model is not on the specified list (or, when inverted, blocks any model that is on the list).Supported hooks: beforeRequestHook
models
array
required
List of allowed model identifiers, e.g. gpt-4o, llama-3-70b, mixtral-8x7b.
not
boolean
default:"false"
When true, any model in the list is blocked instead of allowed.
Example — restrict to approved models only
{
  "input_guardrails": [{
    "default.modelwhitelist": {
      "models": ["gpt-4o", "gpt-4o-mini"]
    },
    "deny": true
  }]
}
Allow or deny requests based on metadata-driven rules that map metadata values to permitted model lists. Useful for enforcing per-user or per-team model access policies.Supported hooks: beforeRequestHook
rules
object
required
Rules object with the structure:
{
  "defaults": ["model-id"],
  "metadata": {
    "key": {
      "value": ["model-id"]
    }
  }
}
defaults defines the fallback allowed model list. metadata maps metadata key-value pairs to specific model lists.
not
boolean
default:"false"
When true, any model resolved by the rules is blocked instead of allowed.
Example — different model access per user tier
{
  "input_guardrails": [{
    "default.modelRules": {
      "rules": {
        "defaults": ["gpt-4o-mini"],
        "metadata": {
          "user_tier": {
            "pro": ["gpt-4o", "gpt-4o-mini"],
            "enterprise": ["gpt-4o", "gpt-4o-mini", "o1-preview"]
          }
        }
      }
    },
    "deny": true
  }]
}

Security and authentication

Validates a JWT token present in the request headers using a remote JWKS endpoint.Supported hooks: beforeRequestHook
jwksUri
string
required
The JWKS URI used to retrieve the public key for verification.
headerKey
string
required
The header name that carries the JWT token (e.g. Authorization).
cacheMaxAge
number
default:"86400"
How long (in seconds) to cache the JWKS response. Defaults to 24 hours.
clockTolerance
number
default:"5"
Clock skew tolerance in seconds when validating the exp and iat claims.
maxTokenAge
string
default:"1d"
Maximum acceptable token age (e.g. 1d, 2h, 30m).
Example — enforce valid JWT on every request
{
  "input_guardrails": [{
    "default.jwt": {
      "jwksUri": "https://auth.example.com/.well-known/jwks.json",
      "headerKey": "Authorization"
    },
    "deny": true
  }]
}
Checks that the request metadata contains the required keys. Useful for enforcing traceability — e.g. every request must include a user_id and session_id.Supported hooks: beforeRequestHook
metadataKeys
array
required
The metadata keys that must be present.
operator
string
default:"all"
How to interpret the key list. One of all, any, or none.
Example — require user_id and session_id in every request
{
  "input_guardrails": [{
    "default.requiredMetadataKeys": {
      "metadataKeys": ["user_id", "session_id"],
      "operator": "all"
    },
    "deny": true
  }]
}

Webhooks and logging

Forwards the request or response to an external HTTP endpoint and uses its response as the guardrail verdict. Your endpoint should return a JSON body with a verdict boolean.Supported hooks: beforeRequestHook, afterRequestHook
webhookURL
string
required
The URL to POST to, e.g. https://webhook.site/guardrail.
headers
object
Additional HTTP headers to include in the webhook request.
Example — delegate decision to a custom service
{
  "input_guardrails": [{
    "default.webhook": {
      "webhookURL": "https://your-service.example.com/guardrail",
      "headers": {
        "Authorization": "Bearer my-secret"
      }
    },
    "deny": true
  }]
}
Forwards request/response data to a logging endpoint. Always returns true as the verdict — this function never blocks traffic.Supported hooks: afterRequestHook
logURL
string
required
The URL to POST log data to, e.g. https://logging.site/collector.
headers
object
Additional HTTP headers to include in the log request.
Example — send all responses to a log collector
{
  "output_guardrails": [{
    "default.log": {
      "logURL": "https://logs.example.com/ai-responses",
      "headers": {"X-API-Key": "log-key"}
    },
    "deny": false
  }]
}

Response quality

Checks that the response content is not null, undefined, or empty. Useful for detecting when a model returns no content.Supported hooks: afterRequestHook
not
boolean
default:"false"
When true, the verdict is inverted — passes when the content is null or empty.
Example — retry if the model returns an empty response
{
  "retry": {"attempts": 3},
  "output_guardrails": [{
    "default.notNull": {},
    "deny": true
  }]
}

Transformers

Transformers mutate the request or response rather than returning a pass/fail verdict. They run in beforeRequestHook and modify the prompt before it reaches the LLM.
Prepends a configurable text string to the user’s prompt or messages before sending to the LLM. This is a transformer — it modifies the request rather than blocking it.Supported hooks: beforeRequestHook
prefix
string
required
The text to prepend. Defaults to "Please respond helpfully and accurately to the following: ".
applyToRole
string
default:"user"
For chat completions, which message role to apply the prefix to. One of user, system, or assistant.
addToExisting
boolean
default:"true"
When true, prepends the prefix to the existing message content. When false, inserts a new message with only the prefix text.
onlyIfEmpty
boolean
default:"false"
Only apply the prefix if no message exists for the specified role. Useful for conditionally adding a system message.
Example — prepend a system-level instruction to every user message
{
  "input_guardrails": [{
    "default.addPrefix": {
      "prefix": "You are a helpful assistant. Always respond in English. User query: ",
      "applyToRole": "user"
    },
    "deny": false
  }]
}
Example — add a system message only if none exists
{
  "input_guardrails": [{
    "default.addPrefix": {
      "prefix": "You are a helpful customer support assistant.",
      "applyToRole": "system",
      "onlyIfEmpty": true
    },
    "deny": false
  }]
}

Build docs developers (and LLMs) love

Get started for freeTalk to us