Skip to main content
Security and observability settings control PII detection, API exposure, file upload policies, and cross-channel session behavior.

PII Protection

The PII Protection page configures PII detection patterns, redaction strategies, and consumer access controls for this project. Navigation: ProjectSettingsPII Protection Global Settings
SettingDescriptionDefault
PII DetectionScan agent inputs for PII using active patterns.Enabled
PII Output RedactionApply redaction to agent outputs before delivery to consumers.Disabled
Credential, secret, and high-risk token scrubbing stays active for logs, traces, session history, and normal API responses even when you disable configurable PII detection.

Built-in Patterns

Built-in patterns use pre-configured, optimized detection logic. You can adjust redaction, per-consumer access, and enabled state for each pattern. Only disable high-risk patterns if you have a documented reason and understand the compliance impact.
PatternTagDescription
Email AddressEmailDetects email addresses in text.
Phone NumberPhoneDetects phone numbers (US and international formats).
Social Security NumberSSNDetects US Social Security Numbers (XXX-XX-XXXX).
Credit Card NumberCredit CardDetects credit/debit card numbers (Visa, MC, Amex, etc.).
IP AddressIP AddressDetects IPv4 and IPv6 addresses.
Click Configure next to any pattern to adjust its redaction strategy, consumer access rules, and enabled state.

Custom Patterns

Click Add Pattern to define organization-specific PII detection rules. The Create PII Pattern dialog includes the following sections: Basics
FieldDescription
NameA unique name for the pattern (for example, US Social Security Number). Required.
DescriptionOptional description of what the pattern detects.
EnabledToggle to activate or deactivate the pattern.
Detection
FieldDescription
Regex PatternThe regular expression that matches sensitive data. Required.
PII TypeClassification of the PII type (Custom or a predefined category).
Validator ExpressionOptional secondary regex to post-filter matches. The system keeps only matches that pass this regex.
Redaction Strategy
OptionDescription
Predefined LabelReplace matched text with a configurable label (default: [REDACTED_<TYPE>]).
MaskedReplace matched text with placeholder characters.
RandomReplace matched text with random characters.
When you select Predefined Label, configure the Redaction Label field to customize the replacement text. Consumer Access
FieldDescription
Default Render ModeHow PII appears by default: Redacted, Tokenized, or Original.
Per-Consumer OverridesClick Add Consumer to set render mode overrides for specific consumers.
LLM consumers can’t receive original plaintext. The system stores a saved LLM override of Original as Tokenized, and an Original default adds an explicit LLM Tokenized override.
Live Test Enter sample text in the Sample Text field to test pattern detection before saving. The test runs the regex pattern and validator expression against the input and shows matches with the configured redaction applied.

Public API Access

The Public API Access page configures which APIs end-users can access when authenticating through their organization’s identity provider (Azure AD, Okta, Google). Navigation: ProjectSettingsPublic API Access

Query API

Toggle the Query API to allow authenticated end-users to query agents through the public API endpoint. When you enable it, the following configuration fields appear:
FieldDescription
Identity Providers (Auth Profiles)Select one or more OIDC-compatible auth profiles (OAuth 2.0 App or Azure AD). End-users authenticate through their organization’s IdP.
Allowed Email DomainsComma-separated list of email domains that can authenticate. Leave empty to allow all domains.
Allowed Origins (CORS)Comma-separated list of browser origins allowed to make API calls.
Allowed Redirect URIs (OAuth Flow)Comma-separated full URIs where OAuth redirect responses can go. Exact match only — no wildcards.
Session and Rate Limits
FieldDescriptionDefault
Session Token TTL (seconds)How long search session tokens remain valid (60–3600 seconds).900 (15 min)
Per User (req/min)Maximum API requests per user per minute.
Per Project (req/min)Maximum API requests per project per minute.

Attachments

The Attachment Settings page configures file upload behavior for this project. Navigation: ProjectSettingsAttachments General
SettingDescriptionDefault
Enable AttachmentsAllow file uploads in chat sessions.Enabled (inherited)
Upload Limits
SettingDescriptionDefault
Maximum File SizeMaximum file size per upload.20 MB
Allowed File TypesMIME types permitted for upload (maximum 50).18 types (see below)
Default allowed file types include image/jpeg, image/png, image/gif, image/webp, application/pdf, text/markdown, text/plain, text/csv, application/json, application/msword, application/vnd.openxmlformats-officedocument.wordprocessingml.document, application/vnd.ms-excel, application/vnd.openxmlformats-officedocument.spreadsheetml.sheet, audio/mpeg, audio/wav, audio/webm, video/mp4, and video/webm. To add a custom MIME type, enter it in the Add MIME type field and click the add button. To remove an allowed type, click the × next to it. Processing
SettingDescriptionDefault
PII PolicyHow the system handles PII detected in attachments.Redact
Default Processing ModeHow the system processes newly uploaded files.Full
Info
SettingDescriptionDefault
Max Files Per SessionMaximum number of files per session (read-only).100
Click Save Changes to apply.

Omnichannel

The Omnichannel page configures cross-channel session continuity. Navigation: ProjectSettingsOmnichannel Omnichannel settings allow users who start a conversation on one channel to continue it on another without losing context. Conversation Recall
SettingDescriptionDefault
Enable cross-channel recallAllow sessions to transfer across channels.Disabled
Maximum messages to recallNumber of messages the platform carries over to the new channel.20
Maximum age (days)How old a conversation can be and still qualify for recall.30
Allowed channels Lists all supported channels (web, voice, sms, whatsapp, email, slack, teams) with toggles for cross-channel recall participation. Identity Requirements
SettingDescriptionDefault
Require identity verificationWhether the system requires identity verification for cross-channel recall.Enabled
Minimum identity tierThe minimum identity verification tier required to recall sessions.2 - Verified
Consent
SettingDescriptionDefault
Require explicit consentWhether the user must explicitly consent before cross-channel recall.Enabled
Live Transcript Sync Configure real-time transcript synchronization settings for cross-channel sessions. Click Save Settings to apply changes.
If you see a “Failed to save settings” error, verify that your role has write permissions for project settings.