See exactly what the model receives
from pyveil import Channel, Veil
veil = Veil.high(
secret=b"tenant-secret",
scope="tenant/session",
)
safe = veil.redact_data(
messages,
channel=Channel.PROMPT_INPUT,
)
response = call_llm(safe.data)
Email alice@example.com
API key sk-proj-...
-> pyveil
Email [EMAIL:a3d2b564c825]
API key [API_KEY:38ded98a17e7]
Recipes people actually need
OpenAI, verified without a key
Inspect the exact redacted Responses API input and run a real SDK contract test without network usage.
Read →Claude, verified without a key
Redact Messages API content and verify its serialized request locally without consuming Claude credits.
Read →Ollama, local and memory-aware
Run a tested 4B model on a 16GB Mac and inspect the exact redacted prompt before local inference.
Read →Azure OpenAI, end to end
Load env or YAML, inspect the exact redacted prompt, then call the Azure v1 Responses API.
Read →Known names and domain IDs
Redact values your application already knows plus narrow customer, account, or project identifier patterns.
Read →Tool-call guard
Block auth headers, API keys, JWTs, private keys, and query secrets before model-controlled tools execute.
Read →MCP resource wrapper
Redact files, records, logs, and API payloads before returning MCP resource content to an agent.
Read →Memory write filter
Redact sensitive values before embedding and persisting long-lived agent memory.
Read →Logging filter
Attach a standard logging filter so records are redacted before handlers and external sinks.
Read →CLI preflight
Scan or redact files in local scripts and CI without adding runtime dependencies to your application.
Read →Guides for the question you are solving
Python LLM PII redaction
Protect prompts, provider payloads, tool calls, memory, and async web applications at the final local boundary.
Read the guide →MCP PII redaction
Redact tool results and resources, and block credentials before model-controlled MCP tools execute.
Read the guide →pyveil vs Presidio and DLP
Choose between a local boundary filter, NER, a guardrail suite, and enterprise DLP without inflated claims.
Compare approaches →Demo
The package keeps core behavior local, deterministic, and small: no network calls, no unmasking API, no third-party core dependency.