You can modify response bodies before they reach your clients. This enables use cases like:
  • Response sanitization - Strip internal details or inappropriate content
  • PII redaction - Remove sensitive information from outputs
  • Adding disclaimers - Append legal notices or warnings
  • Content transformation - Modify response formats

Available actions

Use different actions depending on whether responses are streaming:
Action                      Phase                    Use case
response-body-find-replace  on_http_response         Non-streaming responses
sse-find-replace            on_event_stream_message  Streaming responses (stream: true)

Non-streaming responses

For standard (non-streaming) responses, use response-body-find-replace on the on_http_response phase. The patterns run against the full response body as text, JSON structure included, so write them against what actually appears in the serialized body:
policy.yaml
on_http_request:
  - actions:
      - type: ai-gateway
        config:
          providers:
            - id: openai
              api_keys:
                - value: "${secrets.get('openai-api-key')}"
on_http_response:
  - actions:
      - type: response-body-find-replace
        config:
          replacements:
            # Redact phone numbers
            - from: "\\b\\d{3}[-.\\s]?\\d{3}[-.\\s]?\\d{4}\\b"
              to: "[PHONE REDACTED]"

Streaming responses

When clients request streaming responses (stream: true), providers return Server-Sent Events (SSE). Use sse-find-replace on the on_event_stream_message phase to modify content as each event passes through. Each event is matched on its own: a value the model emits across two events (a number split between token deltas) is not matched by either, so treat streaming redaction as a complement to keeping sensitive data out of the model's context in the first place, not as the only control.
policy.yaml
on_http_request:
  - actions:
      - type: ai-gateway
        config:
          providers:
            - id: openai
              api_keys:
                - value: "${secrets.get('openai-api-key')}"
on_event_stream_message:
  - actions:
      - type: sse-find-replace
        config:
          replacements:
            - field: data
              from: "\\b\\d{3}-\\d{2}-\\d{4}\\b"
              to: "[SSN REDACTED]"
The field parameter specifies which SSE field to modify. Valid values are data (default) and retry.
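The following Python script is an added illustration, not code from the gateway or its documentation. It models what the two actions do to constructed sample responses: the rules from the non-streaming section above are applied to a whole chat-completion body, and the SSN rule is applied to the data field of each event of an SSE stream. The redact_body, parse_sse, redact_sse_stream and reassemble_content helpers are hypothetical stand-ins for the gateway's behaviour, and both sample bodies are constructed rather than captured. The streaming half shows the failure mode to plan for: an SSN split across two token deltas survives per-event matching and is only whole again once the client concatenates the stream.

```python
import json
import re

# Rules copied from the policy.yaml examples above. YAML double-quoted strings
# double every backslash ("\\b"); Python raw strings write it once.
PII_RULES = [
    (r"\b\d{3}-\d{2}-\d{4}\b", "[SSN REDACTED]"),
    (r"\b\d{4}[- ]?\d{4}[- ]?\d{4}[- ]?\d{4}\b", "[CARD REDACTED]"),
    (r"\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b", "[PHONE REDACTED]"),
]
SSN_RULE = PII_RULES[:1]


def redact_body(body, rules):
    """Stand-in for response-body-find-replace: each rule is applied in order
    to the complete, non-streaming response body (JSON structure included)."""
    for pattern, repl in rules:
        body = re.sub(pattern, repl, body)
    return body


def parse_sse(raw):
    """Split a raw SSE stream into events, each a list of (field, value) pairs.
    Only the single optional space after ':' is dropped, as the SSE spec says."""
    events = []
    for block in raw.strip("\n").split("\n\n"):
        fields = []
        for line in block.split("\n"):
            name, _, value = line.partition(":")
            fields.append((name, value[1:] if value.startswith(" ") else value))
        events.append(fields)
    return events


def redact_sse_stream(raw, rules, field="data"):
    """Stand-in for sse-find-replace: rules run against the chosen field of each
    event on its own; nothing carries over from one event to the next."""
    out = []
    for event in parse_sse(raw):
        lines = []
        for name, value in event:
            if name == field:
                value = redact_body(value, rules)
            lines.append(f"{name}: {value}")
        out.append("\n".join(lines))
    return out


def reassemble_content(events):
    """What the client ends up with: the delta content of every data event, joined."""
    text = []
    for event in events:
        for name, value in parse_sse(event)[0]:
            if name == "data" and value != "[DONE]":
                for choice in json.loads(value)["choices"]:
                    text.append(choice["delta"].get("content", ""))
    return "".join(text)


# Constructed sample responses in the OpenAI chat-completions shape; not captured
# from a real provider.
NON_STREAMING_BODY = json.dumps({
    "object": "chat.completion",
    "choices": [{
        "index": 0,
        "message": {
            "role": "assistant",
            "content": ("The SSN on file is 123-45-6789, the card is "
                        "4111 1111 1111 1111; call 555-123-4567 with questions."),
        },
        "finish_reason": "stop",
    }],
})

# The first SSN arrives whole in one event; the second is split across two token
# deltas, which streamed model output does routinely.
SSE_STREAM = (
    'data: {"choices":[{"delta":{"content":"First SSN: 123-45-6789."}}]}\n\n'
    'data: {"choices":[{"delta":{"content":" Second SSN: 987-65"}}]}\n\n'
    'data: {"choices":[{"delta":{"content":"-4321."}}]}\n\n'
    'data: [DONE]\n\n'
)


def redacted_body():
    """Non-streaming: redact, then parse to confirm the body is still valid JSON."""
    return json.loads(redact_body(NON_STREAMING_BODY, PII_RULES))


def streamed_text_seen_by_client():
    """Streaming: redact per event, then reassemble the way a client would."""
    return reassemble_content(redact_sse_stream(SSE_STREAM, SSN_RULE))


if __name__ == "__main__":
    print(redacted_body()["choices"][0]["message"]["content"])
    # First SSN: [SSN REDACTED]. Second SSN: 987-65-4321.  <- the split SSN leaks
    print(streamed_text_seen_by_client())
```

Run it directly to see both outputs. The non-streaming body comes back fully redacted and still parses as JSON; the streamed text still contains the second SSN because neither "987-65" nor "-4321." matches the SSN pattern on its own.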

Redacting PII from responses

Prevent sensitive information in outputs from reaching your users.

Redact multiple PII patterns

policy.yaml
on_http_request:
  - actions:
      - type: ai-gateway
        config:
          providers:
            - id: openai
              api_keys:
                - value: "${secrets.get('openai-api-key')}"
on_http_response:
  - actions:
      - type: response-body-find-replace
        config:
          replacements:
            - from: "\\b\\d{3}-\\d{2}-\\d{4}\\b"
              to: "[SSN REDACTED]"
            - from: "\\b\\d{4}[- ]?\\d{4}[- ]?\\d{4}[- ]?\\d{4}\\b"
              to: "[CARD REDACTED]"
            - from: "\\b\\d{3}[-.\\s]?\\d{3}[-.\\s]?\\d{4}\\b"
              to: "[PHONE REDACTED]"

Adding disclaimers

Append legal disclaimers or warnings to AI-generated content.
policy.yaml
on_http_request:
  - actions:
      - type: ai-gateway
        config:
          providers:
            - id: openai
              api_keys:
                - value: "${secrets.get('openai-api-key')}"
on_http_response:
  - actions:
      - type: response-body-find-replace
        config:
          replacements:
            - from: '"finish_reason":\s*"stop"'
              to: '"finish_reason": "stop", "disclaimer": "This response was generated by AI and may contain errors."'

Sanitizing error messages

Remove internal error details from responses before sending to clients:
policy.yaml
on_http_request:
  - actions:
      - type: ai-gateway
        config:
          providers:
            - id: openai
              api_keys:
                - value: "${secrets.get('openai-api-key')}"
on_http_response:
  - expressions:
      - "res.status_code >= 500"
    actions:
      - type: response-body-find-replace
        config:
          replacements:
            - from: '"stack_trace":\s*"[^"]*"'
              to: '"stack_trace": "[HIDDEN]"'

Common patterns for responses

Pattern                                             Matches
\b\d{3}-\d{2}-\d{4}\b                               US Social Security numbers
\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b                   US phone numbers
\b\d{4}[- ]?\d{4}[- ]?\d{4}[- ]?\d{4}\b             Credit card numbers (16-digit)
[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}      Email addresses
"(error|stack_trace|internal)":\s*"[^"]*"           Internal error fields
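As an added example, not taken from the gateway's documentation, this Python script applies the stack_trace rule and the 5xx gate from the error-sanitization section above to a constructed error body and shows where `[^"]*` falls short. JSON escapes quotes inside strings as `\"`, so `[^"]*` stops at the first escaped quote, leaves the rest of the trace in the body and breaks the JSON. The HARDENED_PATTERN, gate_passes, sanitize and is_valid_json names are this example's own; the hardened pattern uses the standard JSON-string shape `(?:[^"\\]|\\.)*`, which applies equally to the internal-error-fields pattern in the table above.

```python
import json
import re

# Pattern from the policy.yaml example above. [^"]* stops at the first quote
# character it meets, including one that is escaped inside the JSON string.
PAGE_PATTERN = r'"stack_trace":\s*"[^"]*"'

# Hardened form, added here: the body of a JSON string is any run of characters
# that are neither a quote nor a backslash, or a backslash followed by anything.
HARDENED_PATTERN = r'"stack_trace":\s*"(?:[^"\\]|\\.)*"'

REPLACEMENT = '"stack_trace": "[HIDDEN]"'


def gate_passes(status_code):
    """Mirror of the `res.status_code >= 500` expression on the rule."""
    return status_code >= 500


def sanitize(status_code, body, pattern):
    """Apply the find-replace only when the expression gate passes, as the
    on_http_response rule above does."""
    if not gate_passes(status_code):
        return body
    return re.sub(pattern, REPLACEMENT, body)


def is_valid_json(body):
    try:
        json.loads(body)
        return True
    except json.JSONDecodeError:
        return False


# Constructed 5xx body (not from a real provider). The trace quotes a path, so the
# serialized JSON contains \" escapes inside the stack_trace string.
ERROR_BODY = json.dumps({
    "error": "upstream request failed",
    "stack_trace": 'at handler("/v1/chat/completions") line 42; '
                   'dsn=postgres://db.internal:5432/prod',
})


def sanitized_with_page_pattern():
    return sanitize(502, ERROR_BODY, PAGE_PATTERN)


def sanitized_with_hardened_pattern():
    return sanitize(502, ERROR_BODY, HARDENED_PATTERN)


if __name__ == "__main__":
    weak = sanitized_with_page_pattern()
    strong = sanitized_with_hardened_pattern()
    # The page pattern cuts the string at the escaped quote: the tail of the trace,
    # including the internal DSN, is still in the body and the JSON is now broken.
    print(weak, is_valid_json(weak))
    print(strong, is_valid_json(strong))
```

The gate is worth testing too: with a 200 status the body passes through untouched, which is the intended behaviour of the expression but also means any error detail a provider returns with a 4xx status is not covered by this rule.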

Handling both streaming and non-streaming

If your API supports both modes, configure both phases:
policy.yaml
on_http_request:
  - actions:
      - type: ai-gateway
        config:
          providers:
            - id: openai
              api_keys:
                - value: "${secrets.get('openai-api-key')}"
# Non-streaming responses
on_http_response:
  - actions:
      - type: response-body-find-replace
        config:
          replacements:
            - from: "\\b\\d{3}-\\d{2}-\\d{4}\\b"
              to: "[SSN]"
# Streaming responses
on_event_stream_message:
  - actions:
      - type: sse-find-replace
        config:
          replacements:
            - field: data
              from: "\\b\\d{3}-\\d{2}-\\d{4}\\b"
              to: "[SSN]"
