Overview
Guardrails are safety mechanisms that pause agent execution when:- The agent needs sensitive information (credentials, payment details)
- The agent is uncertain and requires human guidance
- The agent encounters content that requires human verification
- The agent detects potential policy violations
Detecting Guardrails
Guardrails are detected differently depending on your integration method.REST API (Polling)
When polling a task endpoint, a guardrail appears as:WebSocket (Real-Time)
With WebSocket connections, you receive immediate notifications:Responding to Guardrails
Once a guardrail triggers, respond with the requested information or guidance. ThenewState: "resume" parameter tells the agent to continue execution from the exact point where the guardrail paused—it doesn’t restart the task.
| Parameter | Type | Required | Description |
|---|---|---|---|
actionType | string | Yes | Must be "guardrail" |
prompt | string | Yes | Your response to the agent |
newState | string | Yes | "resume" to continue, "stop" to cancel |
Routing Guardrails to a Chat User
Polling and WebSocket both assume something on your side is watching the session when a guardrail triggers. For unattended workloads — scheduled triggers, long-running CI jobs, MCP tasks kicked off from another tool — that isn’t always the case. As a fallback, a guardrail can be delivered to a chat user connected to the session’s environment, and their reply is forwarded back to the session.How it works
When a session raises a guardrail, the platform first checks whether you’re actively handling it (polling responses or a live WebSocket subscription on the session). If you are, the prompt reaches you the usual way and nothing else happens. If no one is actively watching, the platform looks for a chat user (Telegram, WhatsApp, Slack, Discord, or Teams) connected to the same environment. If one is available, the guardrail prompt is sent to them in chat. Their reply is forwarded to the session exactly like a regular guardrail response —resume to continue or stop to cancel.
Whoever answers first wins. If your API caller and a chat user both respond at the same time, only the first reply reaches the session.
Choosing a reach-out mode
Chat reach-out is controlled per session by thereachOutMode parameter. It takes one of three values, and defaults to "guardrail_only":
| Value | Behavior |
|---|---|
"off" | No proactive chat messages. Guardrails and results stay on the API/WebSocket channel only. |
"guardrail_only" | Default. The bot pings the chat user only when the session hits a guardrail (CAPTCHA, 2FA, verification, login, etc.). |
"full" | The bot pings on guardrails and also delivers the task result to chat when the task completes. |
"reachOutMode": "off" at session creation:
reachOutMode is set at session creation and applies for the lifetime of the session. There is no way to change it later — start a new session if you need different behavior.
When to set reachOutMode to "off"
- Sensitive sessions. Anything involving private credentials, financial data, or personal information you don’t want surfaced through chat.
- Shared environments. When multiple people use the same environment but only your code should handle guardrails for this session.
- Deterministic flows. Automations that must respond programmatically — turning chat routing off ensures the prompt always waits for your API call instead of being answered by someone else first.
When to use "full"
Use "full" for unattended automations where a human on chat should also receive the task result — for example, a scheduled run kicked off via MCP or REST with no live client polling. When the session completes, the chat user is sent the task result in addition to (not instead of) the normal API/webhook delivery. The chat fan-out only fires when the caller is offline (no live WebSocket subscriber on the session).
Common Guardrail Scenarios
1. Login Credentials
Guardrail:2. Payment Information
Guardrail:3. Ambiguous Instructions
Guardrail:4. Verification Needed
Guardrail:5. CAPTCHA Detection
Guardrail:6. Content Verification
Guardrail:Automated Guardrail Handling
For predictable guardrails (like login credentials), implement automated handling:Pattern 1: Credential Manager
Pattern 2: Rule-Based Handler
Pattern 3: Async Handler with Timeout
Best Practices
1. Never Hardcode Sensitive Data
Don’t put credentials directly in code:2. Implement Timeouts
Always set timeouts for human intervention:3. Log All Guardrails
Track guardrail occurrences for debugging and improvement:4. Provide Clear Responses
Be specific in your guardrail responses:Related Guides
Related Guides