Skip to main content
The LLM proxy middleware intercepts requests to LLM APIs, anonymizes PII in outgoing messages, and rehydrates PII in responses — all transparently.
The proxy module is only available in Node.js and Bun. It is not included in the browser build.

Supported Providers

Integration Methods

From simplest to most flexible:

Wrap an SDK Client

The simplest approach — wrap your existing OpenAI or Anthropic client:
Works the same way with Anthropic:

Custom Fetch

Replace the fetch function used by any SDK:

Proxy Middleware

For framework integration (Hono, Bun.serve, etc.):
Configure your LLM client to point at the proxy:

Standalone Proxy Server

Start a proxy server with one function call:

Streaming Support

All proxy methods support streaming (SSE) responses. PII is rehydrated in each streamed chunk:

Streaming Internals

PII placeholders like <PII type="EMAIL" id="1"/> can span SSE chunk boundaries. The proxy buffers incomplete tags across chunks and only rehydrates once a complete tag is available, so streaming rehydration is reliable regardless of how the upstream chunks its response. You can disable streaming rehydration if needed:

Passthrough Behavior

The proxy only intercepts POST requests with application/json content type. Everything else is forwarded unchanged:
  • Non-POST requests (GET, OPTIONS, etc.) — passed through to upstream
  • Non-JSON content types — passed through to upstream
  • Non-JSON responses — passed through with original status code
This means health checks, CORS preflight, and other non-chat requests work without interference.

Tool Call Handling

The proxy automatically anonymizes and rehydrates tool/function call arguments. If the LLM returns a tool call whose arguments contain PII placeholders, Rehydra rehydrates them before your code sees the result. This works for both non-streaming and streaming responses:
In streaming mode, tool call argument chunks are buffered per tool call index and rehydrated when the tool call completes.

Automated Tool Execution Loop

For server-side agentic workflows, the proxy can manage the full multi-round tool execution loop automatically. Provide an onToolCall callback and the proxy will:
  1. Rehydrate tool call arguments (so your function receives real PII values)
  2. Call your callback with the tool name and parsed arguments
  3. Anonymize the tool result before sending it back to the LLM
  4. Repeat until the LLM responds with no tool calls, or maxToolRounds is reached
The automated tool loop only works with non-streaming requests. For streaming tool calls, handle the tool loop manually using the rehydrated arguments from each streamed response.

PII System Instruction

When PII is detected in an outgoing request, the proxy automatically injects a system instruction telling the LLM to preserve PII placeholder tags in its response. This prevents the model from inventing replacement values. The instruction is injected as an OpenAI system message or an Anthropic system field, depending on the provider. You can customize this behavior with the systemInstruction config option:

Session Management

Use getSessionId to associate requests with sessions. This enables consistent entity IDs and cross-request rehydration:

Error Handling

When the proxy encounters an error, it returns a JSON response with the following shape:

Next Steps

Streaming

Stream-level anonymization for chunked text

Proxy API Reference

Complete proxy API documentation