Detect and MASK personally identifiable information in a document (PDF or image). USE THIS WHEN you need to know what PII a document contains, or to get a redacted copy before forwarding / logging / passing it to another model. Two layers: a deterministic regex+checksum pass for structured identi...
AI agents call redact_pii to retrieve information from OpenWarrant without modifying anything — typically the context-gathering step in research, monitoring, and reporting workflows, before the agent takes action elsewhere.
| Parameter | Type | Required | Description |
|---|---|---|---|
url | object | — | |
filename | string | — | |
bytes_b64 | object | — | |
max_pages | object | — |
Parameters from the server's own tool schema.
This is fundamentally a Read operation: the tool queries/analyzes document content to extract information (PII detection) and produces a derivative output (redacted copy) without modifying the original or causing irreversible side effects. While it processes sensitive data, the core action is inspection and non-destructive redaction.
From the tool's definition Tool DETECTS and MASKS PII in documents; description states 'get a redacted copy' and uses vision model to identify names, addresses, dates of birth, phone numbers, signatures.
Risk signalsAccepts file system path (filename) · Accepts URL/endpoint input (url)
Attacks that exploit this kind of access
Detect and MASK personally identifiable information in a document (PDF or image). USE THIS WHEN you need to know what PII a document contains, or to get a redacted copy before forwarding / logging / passing it to another model. Two layers: a deterministic regex+checksum pass for structured identifiers (emails, payment cards, SSN, PAN, ABN) and a vision model for the unstructured PII — names, addresses, dates of birth, phone numbers, and photo/signature presence. Provide the document ONE way: url (a public http(s) link, fetched server-side) or bytes_b64 (inline base64, plus filename). max_pages caps how many pages are read (default a few; ceiling 10). Returns {pii_found, by_type, items[] (type, masked preview, method), redacted_text, has_photo, has_signature}. Values are MASKED in the response — the raw PII is never returned. DETECTION coverage, not a guarantee: it may miss PII or over-flag, so review before relying on it for compliance. The document is never stored. It is categorised as a Read tool in the OpenWarrant MCP Server, which means it retrieves data without modifying state.
redact_pii accepts 4 parameters: url, filename, bytes_b64, max_pages. The full parameter table on this page comes from the server's own tool schema.
Register the OpenWarrant MCP server in PolicyLayer and add a rule for redact_pii: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches OpenWarrant. Nothing to install.
redact_pii is a Read tool with low risk. Read-only tools are generally safe to allow by default.
Yes. Add a rate_limit block to the redact_pii rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.
Set action: deny in the PolicyLayer policy for redact_pii. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.
redact_pii is provided by the OpenWarrant MCP server (https://www.stipple.sh/mcp). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.
Every MCP server has a record like this.
Type a name, get the same breakdown: verified identity, auth posture, risk grade, capabilities, recommended policy.
Teams ship this data inside their own products. See what a licence covers →