Guardrails


Guardrails are content-level controls that define what can be said or requested in messages between entities. They inspect the semantic content of each interaction, not only the identity presented in authentication headers or API keys.

Why guardrails?

Authentication answers "who is calling?" but not "what are they asking for?" In AI infrastructure, the content of every interaction matters:

  • An agent might be authorized to access a database tool but should not be allowed to request deletion of records
  • An MCP server might return data that should be filtered before reaching certain callers
  • An application should not receive raw error messages or internal system information

Guardrails close this gap by inspecting and filtering the content of interactions.

Configuring guardrails

Guardrails are configured per connection, per direction. A single message can therefore be checked twice: once as the sender's outgoing message and once as the receiver's incoming message. For each connection, you can set:

Client-side guardrails

Controls on the client entity in the connection:

  • Outgoing requests: What the client is allowed to send
  • Incoming responses: What the client is allowed to receive

Server-side guardrails

Controls on the server entity in the connection:

  • Incoming requests: What the server will accept
  • Outgoing responses: What the server is allowed to return

Example configurations

Restrict tool access

Allow an agent to use read-only tools on an MCP server but block write operations:

  • Server-side incoming guardrail: Only allow requests to list_* and get_* tools. Block create_*, update_*, and delete_* tools.

Filter sensitive data

Prevent an MCP server from returning personally identifiable information to a public-facing application:

  • Server-side outgoing guardrail: Redact email addresses, phone numbers, and social security numbers from responses.

Content restrictions

Prevent an agent from making requests that include prohibited content:

  • Client-side outgoing guardrail: Block requests containing financial advice, medical diagnoses, or legal recommendations.
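The per-connection, per-direction model and the first two example configurations above (tool restriction, PII redaction) as a small evaluator over MCP-style JSON-RPC messages. This is an added illustration, not the product's own code: the Guardrail, Connection and Verdict names, the direction labels, the rule format and the sample messages are all assumptions made for the example. The content-restriction example (financial, medical or legal advice) needs a semantic classifier and is deliberately not modelled here.

```python
"""Added example (not the product's own code): a minimal per-connection,
per-direction guardrail evaluator applied to MCP-style JSON-RPC messages."""
import fnmatch
import json
import re
from dataclasses import dataclass, field
from typing import Callable

# Direction labels follow the page: each connection has a client side and a
# server side, each with an incoming and an outgoing hook (assumed naming).
Direction = str  # "client.out", "client.in", "server.in", "server.out"


@dataclass
class Verdict:
    allowed: bool
    message: dict      # the (possibly redacted) message to forward
    reason: str = ""   # populated when allowed is False


# A guardrail takes a decoded JSON-RPC message and returns a Verdict. It may
# block the message outright or return a modified (redacted) copy.
Guardrail = Callable[[dict], Verdict]


def tool_allowlist(allow: list[str], deny: list[str]) -> Guardrail:
    """Server-side incoming guardrail: accept only tools/call requests whose
    tool name matches an allow glob and no deny glob. Other methods
    (initialize, tools/list, ...) pass through untouched."""
    def check(msg: dict) -> Verdict:
        if msg.get("method") != "tools/call":
            return Verdict(True, msg)
        name = msg.get("params", {}).get("name", "")
        if any(fnmatch.fnmatchcase(name, d) for d in deny):
            return Verdict(False, msg, f"tool {name!r} matches deny rule")
        if not any(fnmatch.fnmatchcase(name, a) for a in allow):
            return Verdict(False, msg, f"tool {name!r} not in allowlist")
        return Verdict(True, msg)
    return check


# Constructed, illustrative patterns for the PII classes named on the page;
# a production deployment would use a proper detector rather than these.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\b(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def pii_redactor() -> Guardrail:
    """Server-side outgoing guardrail: redact email/phone/SSN in every text
    content block of a tools/call result, returning a modified copy."""
    def redact_text(text: str) -> str:
        for label, pat in PII_PATTERNS.items():
            text = pat.sub(f"[REDACTED {label.upper()}]", text)
        return text

    def check(msg: dict) -> Verdict:
        result = msg.get("result")
        if not isinstance(result, dict) or "content" not in result:
            return Verdict(True, msg)
        out = json.loads(json.dumps(msg))  # deep copy; never mutate the caller's message
        for block in out["result"]["content"]:
            if block.get("type") == "text":
                block["text"] = redact_text(block["text"])
        return Verdict(True, out)
    return check


@dataclass
class Connection:
    """Guardrails keyed by side.direction, evaluated in order; the first
    block wins, and each rule sees the output of the previous one."""
    rules: dict[Direction, list[Guardrail]] = field(default_factory=dict)

    def evaluate(self, direction: Direction, msg: dict) -> Verdict:
        current = msg
        for rule in self.rules.get(direction, []):
            v = rule(current)
            if not v.allowed:
                return v
            current = v.message
        return Verdict(True, current)


# Constructed sample connection: a public-facing app talking to a CRM MCP server.
conn = Connection({
    "server.in": [tool_allowlist(allow=["list_*", "get_*"],
                                 deny=["create_*", "update_*", "delete_*"])],
    "server.out": [pii_redactor()],
})

# Constructed sample messages (not captured traffic).
READ_REQ = {"jsonrpc": "2.0", "id": 1, "method": "tools/call",
            "params": {"name": "get_customer", "arguments": {"id": 42}}}
DELETE_REQ = {"jsonrpc": "2.0", "id": 2, "method": "tools/call",
              "params": {"name": "delete_customer", "arguments": {"id": 42}}}
RAW_RESP = {"jsonrpc": "2.0", "id": 1, "result": {"content": [
    {"type": "text",
     "text": "Jane Doe <jane.doe@example.com>, 555-123-4567, SSN 123-45-6789"}]}}


def run_demo() -> dict:
    """Apply the server-side rules and return the verdicts for inspection."""
    return {
        "read": conn.evaluate("server.in", READ_REQ),
        "delete": conn.evaluate("server.in", DELETE_REQ),
        "response": conn.evaluate("server.out", RAW_RESP),
    }


if __name__ == "__main__":
    for name, v in run_demo().items():
        print(name, "ALLOW" if v.allowed else "BLOCK", v.reason or json.dumps(v.message))
```

The read request is allowed, the delete request is blocked by the deny rule before the allowlist is consulted, and the response is forwarded with the three PII values replaced. Client-side rules would be registered under the "client.out" and "client.in" keys in the same way; because the redactor returns a copy, the server's original response is left intact for logging or auditing.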

Guardrails vs policies

Guardrails and policies serve different purposes:

           Guardrails                        Policies
What       Content of communication          Mechanics of communication
Examples   Block PII, restrict tool access   Rate limits, geo-restrictions
Scope      Semantic analysis                 Operational parameters

Both work together. A request might pass policy checks (within rate limits, from an approved region) but fail guardrail checks (requesting prohibited data).

Next steps