Guardian Layer
This page explains how to place Guardian Layer inside an application workflow.
For a high-level product introduction, start with Guardian Layer Overview. Use this page when you are ready to decide where Guardian Layer should sit in your stack.
Integration Role
Guardian Layer usually sits between sensitive user data and the systems that use that data.
In practice, you call Guardian Layer before text or documents are sent to an AI model, stored in a database, shared with another service, or displayed in a downstream workflow.
Where It Fits
A common integration flow looks like this:
- Your application receives user input.
- Your backend sends the input to Guardian Layer.
- Guardian Layer returns de-identified output.
- Your application sends the safer output to an AI model, database, review queue, or customer-facing workflow.
User input
-> Your application
-> Guardian Layer
-> De-identified output
-> AI model / storage / workflow
This keeps sensitive values from moving deeper into your stack unless they are required.
Choosing a Guardian Layer Workflow
Use the workflow that matches your input type and output goal.
| Input | Goal | Use |
|---|---|---|
| Text | Understand what may be sensitive before changing it. | Detection |
| Text | Keep the text readable with safer replacements. | Transform |
| Text | Hide sensitive values visibly. | Redact |
| File | De-identify document or tabular content. | File De-identification |
| Assistant workflow | Reduce sensitive exposure before or during AI interactions. | Guardian Layer with the application or SDK flow |
Text Workflow
For text, the typical path is:
- Start with a sample request in the Dashboard or API.
- Choose whether you need
transformorredact. - Optionally set
pii_entitiesto control which categories are processed. - Send the request from your backend.
- Use the returned output in the next step of your application.
For readable replacement output, see Transform (Proprietary).
For visible masking output, see Redact / Masking / Placeholder.
File Workflow
For files, Guardian Layer uses file-specific endpoints instead of the plain text endpoint.
Use file de-identification when users upload:
- CSV or spreadsheet-style files.
- DOCX documents.
- PDF files with extractable text.
- TXT files.
The same high-level choices still apply: you choose whether the file should be transformed or redacted, and you can limit processing to selected entity categories.
For the full file flow, see File De-identification.
Application-Level Pattern
For production applications, avoid calling Guardian Layer directly from client-side code.
Use this pattern instead:
- Store the Custodian API key securely on your backend.
- Accept user text or files from your frontend.
- Send the content from your backend to Guardian Layer.
- Return only the de-identified result to the frontend or next system.
This keeps your API key out of the browser and gives your backend control over logging, retries, user permissions, and usage limits.
Dashboard vs API vs SDK
You can interact with Guardian Layer in a few different ways.
| Method | Best for |
|---|---|
| Dashboard | Quick manual testing and product exploration. |
| API | Backend integration, automation, and production workflows. |
| Python SDK | Assistant and application workflows that use Custodian from Python. |
The Dashboard is useful for confirming behavior. The API is the main integration path for product code.
Implementation Checklist
Before using Guardian Layer in an application, confirm that you have:
- A Custodian account.
- An active plan with available credits.
- A generated API key.
- A backend place to store and use the API key.
- A clear choice between
transformandredact. - A decision about whether to process all entities or only selected categories.
- A test request that confirms the output shape your application expects.
Notes
- Guardian Layer should be treated as part of the privacy path in your product architecture.
- Use
transformwhen readability matters. - Use
redactwhen hiding sensitive values matters more than natural-looking output. - Use file endpoints for uploaded files.
- Use your backend for API calls that require your Custodian API key.