Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.promptguard.co/llms.txt

Use this file to discover all available pages before exploring further.

PromptGuard ties each request back to the human (or service) that triggered it via the X-End-User header. Once present, every downstream feature — usage analytics, geographic rollups, access lists, abuse investigation — is automatically scoped to that identifier.

How to set it

Pass X-End-User on every outbound LLM call. The value is opaque to PromptGuard; it can be a UUID, a hashed email, an internal user id, anything stable per-customer. 
client = OpenAI(
    api_key=os.environ["PROMPTGUARD_KEY"],
    base_url="https://api.promptguard.co/api/v1/proxy",
    default_headers={"X-End-User": current_user.id},
)

const client = new OpenAI({
  apiKey: process.env.PROMPTGUARD_KEY,
  baseURL: "https://api.promptguard.co/api/v1/proxy",
  defaultHeaders: { "X-End-User": currentUser.id },
});

curl -X POST https://api.promptguard.co/api/v1/guard \
  -H "X-API-Key: pg_live_..." \
  -H "X-End-User: customer-42" \
  -H "Content-Type: application/json" \
  -d '{"messages":[{"role":"user","content":"..."}]}'
Don’t put PII in this header. Hash it. The value is logged into every security_events row and exposed in the dashboard — exactly the place you don’t want raw email addresses.

What it unlocks

End-Users page

Dashboard → End Users rolls up every value of X-End-User you’ve ever sent: total events, flagged events, flag rate, last seen, computed risk band (low / medium / high).

Per-end-user blocking

A single rule on the Allow & Block lists page rejects every future request from one customer, without having to redeploy your app.

Cost attribution

Combined with token logging, the dashboard shows you “this end-user cost $X this period”. Used to chase noisy free-tier users before they break your unit economics.

Risk scoring

The risk band is computed from flagged_events / total_events over the last 30 days. ≥ 50% flag rate → high; ≥ 10% → medium; otherwise low. Queryable via the API for upstream alerting.

API: list end-users

curl -H "Authorization: Bearer $TOKEN" \
  "https://api.promptguard.co/dashboard/end-users?days=30"
Returns the same data the End Users page renders. Pair this with your CRM to flag accounts that are stress-testing your guardrails, and with your billing to surface overage candidates.

What about anonymous traffic?

If the request doesn’t carry X-End-User, the row’s end_user_id is NULL. The End Users page silently skips it and the per-end-user rules can’t fire on it. Set the header on every request, even for anonymous users — at minimum, send a per-session UUID. The dashboard becomes useless without it.