
Parameters

See plugin common configurations for configuration options available to all plugins.

This plugin supports referencing sensitive parameter values from environment variables using the env:// prefix, or from a secret manager, such as HashiCorp Vault’s KV secrets engine, using the secret:// prefix. For more information, see environment variables in plugin and secrets.

  • api_key

    string


    required


    valid value:

    non-empty


    API key used to authenticate to the Lakera Guard API. It is sent as a Bearer token in the Authorization header.

  • lakera_endpoint

    string


    default: https://api.lakera.ai/v2/guard


    URL of the Lakera Guard v2 endpoint. Set this to point at a self-hosted or regional Lakera Guard deployment.

  • project_id

    string


    Lakera project ID whose policy (detectors and thresholds) should be applied to the scan.

  • direction

    string


    default: input


    valid value:

    input, output, or both


    Which traffic to scan. With input, only the request prompt is scanned. With output, only the LLM response is scanned, including streaming responses. With both, both are scanned.

  • action

    string


    default: block


    valid value:

    block or alert


    How to handle a flagged verdict. With block, the request or response is denied. With alert, the traffic is passed through and the verdict is only logged, which is useful for evaluating a policy before enforcing it.

  • deny_code

    integer


    default: 200


    valid value:

    between 200 and 599 inclusive


    HTTP status code returned when blocking flagged traffic. The default 200 returns a provider-compatible completion whose content is the failure message, so SDK clients handle it gracefully. Set a 4xx value to surface the block as an HTTP error instead.

  • request_failure_message

    string


    default: Request blocked by Lakera Guard


    Message returned in the deny response when the request prompt is flagged.

  • response_failure_message

    string


    default: Response blocked by Lakera Guard


    Message returned in the deny response when the LLM response is flagged.

  • reveal_failure_categories

    boolean


    default: false


    If true, append the flagged detector categories (and their confidence levels) to the failure message.

  • fail_open

    boolean


    default: false


    Behavior when the call to the Lakera Guard API fails or times out. If false, the traffic is blocked (fail closed). If true, the traffic is allowed (fail open).

  • fail_mode

    string


    default: skip


    valid value:

    skip, warn, or error


    Behavior when the request format is not recognized as AI traffic, for example when the route does not also configure ai-proxy or ai-proxy-multi. With skip, the request is passed through unchecked. With warn, the request is passed through and a warning is logged. With error, the request is rejected with HTTP 500.

  • timeout

    integer


    default: 5000


    valid value:

    greater than or equal to 1


    Timeout in milliseconds for the request to the Lakera Guard API.

  • ssl_verify

    boolean


    default: true


    If true, verify the TLS certificate of the Lakera Guard endpoint.
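
Several of the parameters above decide whether flagged or unscanned traffic still reaches the LLM or the client. The following is an added example, not code from API7 or Lakera: a small audit function that applies the documented defaults and valid values to a configuration object and reports every setting that leaves a pass-through path. The function name, the sample configurations, and the `LAKERA_API_KEY` variable name are assumptions made for illustration; the `env://` and `secret://` prefixes are matched as this page writes them.

```python
# Added example: audit a plugin configuration object against the parameter table above.
DEFAULTS = {"direction": "input", "action": "block", "deny_code": 200,
            "reveal_failure_categories": False, "fail_open": False,
            "fail_mode": "skip", "timeout": 5000, "ssl_verify": True}
ENUMS = {"direction": ("input", "output", "both"),
         "action": ("block", "alert"),
         "fail_mode": ("skip", "warn", "error")}

def audit(conf):
    """Return (errors, warnings): schema violations and settings that weaken enforcement."""
    c = {**DEFAULTS, **conf}  # apply documented defaults to unset parameters
    errors, warnings = [], []
    key = c.get("api_key")
    if not isinstance(key, str) or not key:
        errors.append("api_key: required, non-empty string")
    elif not key.startswith(("env://", "secret://")):
        warnings.append("api_key: literal secret in config; reference it via env:// or secret://")
    for name, allowed in ENUMS.items():
        if c[name] not in allowed:
            errors.append(f"{name}: must be one of {allowed}")
    if type(c["deny_code"]) is not int or not 200 <= c["deny_code"] <= 599:
        errors.append("deny_code: integer between 200 and 599 inclusive")
    if type(c["timeout"]) is not int or c["timeout"] < 1:
        errors.append("timeout: integer greater than or equal to 1")
    if c["fail_open"] is True:
        warnings.append("fail_open: traffic is allowed when the Lakera Guard call fails or times out")
    if c["fail_mode"] == "skip":
        warnings.append("fail_mode: requests not recognized as AI traffic pass through unchecked")
    if c["action"] == "alert":
        warnings.append("action: flagged traffic is passed through and only logged")
    if c["direction"] in ("input", "output"):
        warnings.append(f"direction: only {c['direction']} is scanned")
    if c["ssl_verify"] is False:
        warnings.append("ssl_verify: endpoint TLS certificate is not verified")
    if c["reveal_failure_categories"] is True:
        warnings.append("reveal_failure_categories: detector categories and confidence are added to the failure message")
    return errors, warnings

# Constructed sample configurations (key value and variable name are placeholders).
PERMISSIVE = {"api_key": "constructed-placeholder-key", "action": "alert",
              "fail_open": True, "ssl_verify": False, "deny_code": 700}
STRICT = {"api_key": "env://LAKERA_API_KEY", "direction": "both",
          "fail_mode": "error", "deny_code": 403}

if __name__ == "__main__":
    for name, conf in (("permissive", PERMISSIVE), ("strict", STRICT)):
        errs, warns = audit(conf)
        print(name, "errors:", errs, "warnings:", warns)
```

Note that a configuration containing only `api_key` still produces two warnings, because the defaults scan only the request prompt (`direction: input`) and pass unrecognized request formats through unchecked (`fail_mode: skip`).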
