Anonymize sensitive data in requests and responses
Configure the AI Sanitizer plugin to use your sanitizer service to anonymize all sensitive data and credentials in both client requests and LLM responses.
Prerequisites
- You have enabled the AI Proxy or AI Proxy Advanced plugin
Add this section to your kong.yaml configuration file:
_format_version: "3.0"
plugins:
- name: ai-sanitizer
config:
anonymize:
- all_and_credentials
sanitization_mode: BOTH
port: 8080
host: example.service.com
redact_type: placeholder
recover_redacted: false
Make the following request:
curl -i -X POST http://localhost:8001/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "ai-sanitizer",
"config": {
"anonymize": [
"all_and_credentials"
],
"sanitization_mode": "BOTH",
"port": 8080,
"host": "example.service.com",
"redact_type": "placeholder",
"recover_redacted": false
},
"tags": []
}
'
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "ai-sanitizer",
"config": {
"anonymize": [
"all_and_credentials"
],
"sanitization_mode": "BOTH",
"port": 8080,
"host": "example.service.com",
"redact_type": "placeholder",
"recover_redacted": false
},
"tags": []
}
'
Make sure to replace the following placeholders with your own values:
-
region: Geographic region where your Kong Konnect is hosted and operates. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account. -
controlPlaneId: Theidof the control plane.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
name: ai-sanitizer
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
konghq.com/tags: ''
labels:
global: 'true'
config:
anonymize:
- all_and_credentials
sanitization_mode: BOTH
port: 8080
host: example.service.com
redact_type: placeholder
recover_redacted: false
plugin: ai-sanitizer
" | kubectl apply -f -
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_ai_sanitizer" "my_ai_sanitizer" {
enabled = true
config = {
anonymize = ["all_and_credentials"]
sanitization_mode = "BOTH"
port = 8080
host = "example.service.com"
redact_type = "placeholder"
recover_redacted = false
}
tags = []
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
}
Add this section to your kong.yaml configuration file:
_format_version: "3.0"
plugins:
- name: ai-sanitizer
service: serviceName|Id
config:
anonymize:
- all_and_credentials
sanitization_mode: BOTH
port: 8080
host: example.service.com
redact_type: placeholder
recover_redacted: false
Make sure to replace the following placeholders with your own values:
-
serviceName|Id: Theidornameof the service the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/services/{serviceName|Id}/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "ai-sanitizer",
"config": {
"anonymize": [
"all_and_credentials"
],
"sanitization_mode": "BOTH",
"port": 8080,
"host": "example.service.com",
"redact_type": "placeholder",
"recover_redacted": false
},
"tags": []
}
'
Make sure to replace the following placeholders with your own values:
-
serviceName|Id: Theidornameof the service the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/services/{serviceId}/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "ai-sanitizer",
"config": {
"anonymize": [
"all_and_credentials"
],
"sanitization_mode": "BOTH",
"port": 8080,
"host": "example.service.com",
"redact_type": "placeholder",
"recover_redacted": false
},
"tags": []
}
'
Make sure to replace the following placeholders with your own values:
-
region: Geographic region where your Kong Konnect is hosted and operates. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account. -
controlPlaneId: Theidof the control plane. -
serviceId: Theidof the service the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: ai-sanitizer
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
konghq.com/tags: ''
config:
anonymize:
- all_and_credentials
sanitization_mode: BOTH
port: 8080
host: example.service.com
redact_type: placeholder
recover_redacted: false
plugin: ai-sanitizer
" | kubectl apply -f -
Next, apply the KongPlugin resource by annotating the service resource:
kubectl annotate -n kong service SERVICE_NAME konghq.com/plugins=ai-sanitizer
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_ai_sanitizer" "my_ai_sanitizer" {
enabled = true
config = {
anonymize = ["all_and_credentials"]
sanitization_mode = "BOTH"
port = 8080
host = "example.service.com"
redact_type = "placeholder"
recover_redacted = false
}
tags = []
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
service = {
id = konnect_gateway_service.my_service.id
}
}
Add this section to your kong.yaml configuration file:
_format_version: "3.0"
plugins:
- name: ai-sanitizer
route: routeName|Id
config:
anonymize:
- all_and_credentials
sanitization_mode: BOTH
port: 8080
host: example.service.com
redact_type: placeholder
recover_redacted: false
Make sure to replace the following placeholders with your own values:
-
routeName|Id: Theidornameof the route the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/routes/{routeName|Id}/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "ai-sanitizer",
"config": {
"anonymize": [
"all_and_credentials"
],
"sanitization_mode": "BOTH",
"port": 8080,
"host": "example.service.com",
"redact_type": "placeholder",
"recover_redacted": false
},
"tags": []
}
'
Make sure to replace the following placeholders with your own values:
-
routeName|Id: Theidornameof the route the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/routes/{routeId}/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "ai-sanitizer",
"config": {
"anonymize": [
"all_and_credentials"
],
"sanitization_mode": "BOTH",
"port": 8080,
"host": "example.service.com",
"redact_type": "placeholder",
"recover_redacted": false
},
"tags": []
}
'
Make sure to replace the following placeholders with your own values:
-
region: Geographic region where your Kong Konnect is hosted and operates. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account. -
controlPlaneId: Theidof the control plane. -
routeId: Theidof the route the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: ai-sanitizer
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
konghq.com/tags: ''
config:
anonymize:
- all_and_credentials
sanitization_mode: BOTH
port: 8080
host: example.service.com
redact_type: placeholder
recover_redacted: false
plugin: ai-sanitizer
" | kubectl apply -f -
Next, apply the KongPlugin resource by annotating the httproute or ingress resource:
kubectl annotate -n kong httproute konghq.com/plugins=ai-sanitizer
kubectl annotate -n kong ingress konghq.com/plugins=ai-sanitizer
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_ai_sanitizer" "my_ai_sanitizer" {
enabled = true
config = {
anonymize = ["all_and_credentials"]
sanitization_mode = "BOTH"
port = 8080
host = "example.service.com"
redact_type = "placeholder"
recover_redacted = false
}
tags = []
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
route = {
id = konnect_gateway_route.my_route.id
}
}
Add this section to your kong.yaml configuration file:
_format_version: "3.0"
plugins:
- name: ai-sanitizer
consumer: consumerName|Id
config:
anonymize:
- all_and_credentials
sanitization_mode: BOTH
port: 8080
host: example.service.com
redact_type: placeholder
recover_redacted: false
Make sure to replace the following placeholders with your own values:
-
consumerName|Id: Theidornameof the consumer the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/consumers/{consumerName|Id}/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "ai-sanitizer",
"config": {
"anonymize": [
"all_and_credentials"
],
"sanitization_mode": "BOTH",
"port": 8080,
"host": "example.service.com",
"redact_type": "placeholder",
"recover_redacted": false
},
"tags": []
}
'
Make sure to replace the following placeholders with your own values:
-
consumerName|Id: Theidornameof the consumer the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/consumers/{consumerId}/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "ai-sanitizer",
"config": {
"anonymize": [
"all_and_credentials"
],
"sanitization_mode": "BOTH",
"port": 8080,
"host": "example.service.com",
"redact_type": "placeholder",
"recover_redacted": false
},
"tags": []
}
'
Make sure to replace the following placeholders with your own values:
-
region: Geographic region where your Kong Konnect is hosted and operates. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account. -
controlPlaneId: Theidof the control plane. -
consumerId: Theidof the consumer the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: ai-sanitizer
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
konghq.com/tags: ''
config:
anonymize:
- all_and_credentials
sanitization_mode: BOTH
port: 8080
host: example.service.com
redact_type: placeholder
recover_redacted: false
plugin: ai-sanitizer
" | kubectl apply -f -
Next, apply the KongPlugin resource by annotating the KongConsumer resource:
kubectl annotate -n kong CONSUMER_NAME konghq.com/plugins=ai-sanitizer
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_ai_sanitizer" "my_ai_sanitizer" {
enabled = true
config = {
anonymize = ["all_and_credentials"]
sanitization_mode = "BOTH"
port = 8080
host = "example.service.com"
redact_type = "placeholder"
recover_redacted = false
}
tags = []
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
consumer = {
id = konnect_gateway_consumer.my_consumer.id
}
}
Add this section to your kong.yaml configuration file:
_format_version: "3.0"
plugins:
- name: ai-sanitizer
consumer_group: consumerGroupName|Id
config:
anonymize:
- all_and_credentials
sanitization_mode: BOTH
port: 8080
host: example.service.com
redact_type: placeholder
recover_redacted: false
Make sure to replace the following placeholders with your own values:
-
consumerGroupName|Id: Theidornameof the consumer group the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/consumer_groups/{consumerGroupName|Id}/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "ai-sanitizer",
"config": {
"anonymize": [
"all_and_credentials"
],
"sanitization_mode": "BOTH",
"port": 8080,
"host": "example.service.com",
"redact_type": "placeholder",
"recover_redacted": false
},
"tags": []
}
'
Make sure to replace the following placeholders with your own values:
-
consumerGroupName|Id: Theidornameof the consumer group the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/consumer_groups/{consumerGroupId}/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "ai-sanitizer",
"config": {
"anonymize": [
"all_and_credentials"
],
"sanitization_mode": "BOTH",
"port": 8080,
"host": "example.service.com",
"redact_type": "placeholder",
"recover_redacted": false
},
"tags": []
}
'
Make sure to replace the following placeholders with your own values:
-
region: Geographic region where your Kong Konnect is hosted and operates. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account. -
controlPlaneId: Theidof the control plane. -
consumerGroupId: Theidof the consumer group the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: ai-sanitizer
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
konghq.com/tags: ''
config:
anonymize:
- all_and_credentials
sanitization_mode: BOTH
port: 8080
host: example.service.com
redact_type: placeholder
recover_redacted: false
plugin: ai-sanitizer
" | kubectl apply -f -
Next, apply the KongPlugin resource by annotating the KongConsumerGroup resource:
kubectl annotate -n kong CONSUMERGROUP_NAME konghq.com/plugins=ai-sanitizer
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_ai_sanitizer" "my_ai_sanitizer" {
enabled = true
config = {
anonymize = ["all_and_credentials"]
sanitization_mode = "BOTH"
port = 8080
host = "example.service.com"
redact_type = "placeholder"
recover_redacted = false
}
tags = []
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
consumer_group = {
id = konnect_gateway_consumer_group.my_consumer_group.id
}
}