Skip to main content

How guardrails work

Every guarded chat completion runs through two enforcement stages. Either can allow, block, or fail safely.

request → request-side guardrails → model → response-side guardrails → response
│ │
└── block → 403 └── block → 403

Request-side

Runs before any model call. Decides whether the request should reach the requested model at all. If blocked, the model is never called — 403 Forbidden with type: guardrail_error.

Response-side

Runs after the model has produced a completed response. Decides whether that response can be returned. If blocked, the model call did happen but the completed response is discarded — 403 Forbidden with type: guardrail_error.

Token usage on response-side blocks is still counted — the model did the work.

Fail-closed

If a required guardrail step cannot complete safely on a request, the platform refuses to execute rather than continuing with reduced protection: 503 Service Unavailable with code: guardrail_unavailable. Retry with backoff.

Streaming completions and structured tool-call outputs are subject to request-side checks but not to response-side checks in MLP1 — tokens are returned as they arrive and cannot be retroactively blocked mid-stream.