Firewall API Overview
Overview
Section titled “Overview”The Firewall API allows you to create content filtering rules that block, mask, or warn about sensitive content in requests and responses. Firewall rules help protect your applications by preventing sensitive data from being processed or returned.
What are Firewall Rules?
Section titled “What are Firewall Rules?”Firewall rules let you define patterns that, when matched, trigger specific actions:
- Block - Reject the entire request/response (returns 422 error)
- Mask - Replace matched content with a replacement string
- Warn - Allow the request but add a warning to the response
Rule Evaluation
Section titled “Rule Evaluation”Rules are evaluated in priority order (highest first):
- Rules with higher priority values execute first
- Rules apply to either prompts (input) or responses (output)
- Only enabled rules are evaluated (
is_enabled: true) - Firewall rules are evaluated after routing rules in the pipeline
Base Endpoint
Section titled “Base Endpoint”https://api.tokenrouter.io/v1/firewall-rulesAuthentication
Section titled “Authentication”All Firewall API endpoints require authentication using your TokenRouter API key:
Authorization: Bearer tr_your_api_keyCommon Operations
Section titled “Common Operations”| Operation | Method | Endpoint |
|---|---|---|
| List all rules | GET | /v1/firewall-rules |
| Get single rule | GET | /v1/firewall-rules/{id} |
| Create rule | POST | /v1/firewall-rules |
| Update rule | PATCH | /v1/firewall-rules/{id} |
| Delete rule | DELETE | /v1/firewall-rules/{id} |
Rule Structure
Section titled “Rule Structure”Core Fields
Section titled “Core Fields”{ "name": "Block Credit Cards", "priority": 100, "is_enabled": true, "scope": "prompt", "type": "regex", "pattern": "\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}", "action": "block", "replacement": null}prompt- Apply rule to user input before sending to LLMresponse- Apply rule to LLM output before returning to user
substring- Case-insensitive substring matchingregex- Regular expression pattern matching (PCRE-compatible)
Action
Section titled “Action”block- Reject request/response with 422 errormask- Replace matched content withreplacementstring (default:[redacted])warn- Add warning to response metadata but allow request
Quick Start Examples
Section titled “Quick Start Examples”Block Sensitive Keywords
Section titled “Block Sensitive Keywords”import Tokenrouter from 'tokenrouter';
const client = new Tokenrouter({ apiKey: process.env.TOKENROUTER_API_KEY});
const rule = await client.firewallRules.create({ name: 'Block Sensitive Keywords', priority: 100, is_enabled: true, scope: 'prompt', type: 'regex', pattern: '(password|ssn|credit.card)', action: 'block'});from tokenrouter import Tokenrouter
client = Tokenrouter( api_key=os.getenv("TOKENROUTER_API_KEY"))
rule = client.firewall_rules.create( name="Block Sensitive Keywords", priority=100, is_enabled=True, scope="prompt", type="regex", pattern=r"(password|ssn|credit\.card)", action="block")curl https://api.tokenrouter.io/v1/firewall-rules \ -H "Content-Type: application/json" \ -H "Authorization: Bearer tr_..." \ -d '{ "name": "Block Sensitive Keywords", "priority": 100, "is_enabled": true, "scope": "prompt", "type": "regex", "pattern": "(password|ssn|credit\\.card)", "action": "block" }'Mask Email Addresses
Section titled “Mask Email Addresses”const rule = await client.firewallRules.create({ name: 'Mask Email Addresses', priority: 50, is_enabled: true, scope: 'response', type: 'regex', pattern: '[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}', action: 'mask', replacement: '[EMAIL_REDACTED]'});rule = client.firewall_rules.create( name="Mask Email Addresses", priority=50, is_enabled=True, scope="response", type="regex", pattern=r"[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}", action="mask", replacement="[EMAIL_REDACTED]")curl https://api.tokenrouter.io/v1/firewall-rules \ -H "Content-Type: application/json" \ -H "Authorization: Bearer tr_..." \ -d '{ "name": "Mask Email Addresses", "priority": 50, "is_enabled": true, "scope": "response", "type": "regex", "pattern": "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}", "action": "mask", "replacement": "[EMAIL_REDACTED]" }'Warn on Profanity
Section titled “Warn on Profanity”const rule = await client.firewallRules.create({ name: 'Warn on Profanity', priority: 30, is_enabled: true, scope: 'response', type: 'substring', pattern: 'badword', action: 'warn'});rule = client.firewall_rules.create( name="Warn on Profanity", priority=30, is_enabled=True, scope="response", type="substring", pattern="badword", action="warn")curl https://api.tokenrouter.io/v1/firewall-rules \ -H "Content-Type: application/json" \ -H "Authorization: Bearer tr_..." \ -d '{ "name": "Warn on Profanity", "priority": 30, "is_enabled": true, "scope": "response", "type": "substring", "pattern": "badword", "action": "warn" }'How Rules Are Applied
Section titled “How Rules Are Applied”When a firewall rule matches:
Block Action
Section titled “Block Action”{ "error": { "message": "Request blocked by firewall rule \"Block Sensitive Keywords\"", "type": "routing_error", "http_status": 422, "meta": { "rule_id": 123 } }}Mask Action
Section titled “Mask Action”Input: "My email is john@example.com"
Output: "My email is [EMAIL_REDACTED]"
Warn Action
Section titled “Warn Action”{ "metadata": { "warnings": ["Profanity detected in response"], "applied_rules": ["Warn on Profanity"] }}Response Metadata
Section titled “Response Metadata”When firewall rules are applied, the response includes metadata:
{ "metadata": { "applied_rules": ["Mask Email Addresses"], "warnings": [] }}Common Use Cases
Section titled “Common Use Cases”| Use Case | Scope | Type | Action |
|---|---|---|---|
| Block credit card numbers | prompt | regex | block |
| Mask SSNs in responses | response | regex | mask |
| Block API keys | prompt | regex | block |
| Redact names | response | substring | mask |
| Warn about profanity | response | substring | warn |
| Block SQL injection | prompt | regex | block |