PII Types
A2A v1 Personally Identifiable Information (PII) Detector Policy
Policy Name |
A2A v1 PII Detector |
Summary |
Detects personally identifiable information (PII) in A2A v1 requests |
Category |
A2A |
First Omni Gateway version available |
v1.13.0 |
Returned Status Codes |
403: Forbidden: PII detected and action is set to Reject |
Summary
The A2A v1 PII Detector policy detects personally identifiable information (PII) in A2A v1.0 agent requests across all three transport protocols: JSON-RPC, HTTP+JSON, and gRPC. This policy scans the message content of SendMessage and SendStreamingMessage requests for configured PII patterns and can either reject the request, log the detection, or log and mask the sensitive data.
The policy scans only the text parts of message content (Part::Text entries in message.parts[]). File references (Part::File) and structured data (Part::Data) are not scanned. Read-only methods like GetTask, ListTasks, and agent card requests pass through without inspection.
When PII is detected and the action is set to Reject, the policy returns an appropriate error response in the request’s transport protocol format. A policy violation is always reported when PII is detected, regardless of the configured action.
| This policy is designed for A2A v1.0 traffic only. For pre-v1.0 A2A traffic, use the A2A PII Detector Policy. |
Configuring Policy Parameters
Managed Omni Gateway and Omni Gateway Connected Mode
When you apply the policy from the UI, the following parameters are displayed:
| Element | Description | Required | Default |
|---|---|---|---|
Array that defines the types of PII to detect. You can select multiple PII types. Supported values are |
Yes |
None |
|
Custom PII Patterns |
Optional array of custom regex patterns for detecting additional PII types beyond the built-in ones. Each pattern requires a |
No |
Empty array |
Action |
Action to take when PII is detected. Supported values are:
|
No |
|
PII Types
When you configure an A2A v1 PII Detector policy, you can choose which types of PII to detect.
This table describes the types of PII this policy can detect:
| PII Type | Description |
|---|---|
Standard email addresses such as |
|
US SSN |
United States Social Security Numbers (SSNs) in the standard format: |
Credit Card |
Credit card numbers in the form of four groups of four digits, separated by optional spaces or hyphens. Examples: |
Phone Number |
United States phone numbers in various formats, with or without country code, parentheses, spaces, hyphens, or dots. Examples: |
Custom PII Patterns
In addition to the built-in PII types, you can define custom patterns to detect organization-specific sensitive data. Each custom pattern consists of:
-
Pattern Name: A descriptive name to identify this PII pattern in detection results
-
Regex Pattern: A regular expression pattern to match the sensitive data
Custom patterns are evaluated alongside the built-in PII types.
How This Policy Works
The A2A v1 PII Detector policy scans A2A v1.0 requests for PII across all three transport protocols: JSON-RPC, HTTP+JSON, and gRPC.
Request Scanning
The policy scans only these A2A v1.0 methods:
-
SendMessage -
SendStreamingMessage
For each request, the policy inspects params.message.parts[] and scans only Part::Text entries. File references (Part::File) and structured data (Part::Data) are not scanned.
Read-only methods such as GetTask, ListTasks, and agent card requests pass through without inspection. Non-A2A traffic also passes through unchanged.
The policy stops scanning at the first PII detection and applies the configured action to the entire request.
Based on the configured action:
-
Reject: Blocks the request and returns an error response in the transport’s format. The upstream agent never receives the request.
-
Log: Forwards the request unchanged and logs findings with actual PII values.
-
Log and mask: Forwards the request unchanged and logs findings with masked values. Masking preserves some characters (for example, email domains, last digits of SSNs) while obscuring sensitive portions.
| The Log and Log and mask actions forward the request with raw PII to the upstream agent. Only Reject prevents PII from reaching the agent. |
Response on Reject
When the policy blocks a request (action set to Reject), it returns an error response in the format appropriate for the transport protocol.
JSON-RPC Transport
HTTP 403 with a JSON-RPC 2.0 error response:
{
"jsonrpc": "2.0",
"id": null,
"error": {
"code": -32600,
"message": "Request contains PII data: US SSN: 123-45-6789",
"data": [
{
"@type": "type.googleapis.com/google.rpc.ErrorInfo",
"domain": "a2a-protocol.org",
"reason": "FORBIDDEN",
"metadata": {
"detail": "Request contains PII data: US SSN: 123-45-6789"
}
}
]
}
}
The error code -32600 maps to the A2A v1.0 FORBIDDEN reason code.
HTTP+JSON Transport
HTTP 403 with a Google RPC Status error response:
{
"error": {
"code": 403,
"message": "Request contains PII data: US SSN: 123-45-6789",
"details": [
{
"@type": "type.googleapis.com/google.rpc.ErrorInfo",
"domain": "a2a-protocol.org",
"reason": "FORBIDDEN",
"metadata": {
"detail": "Request contains PII data: US SSN: 123-45-6789"
}
}
]
}
}
Examples
Basic Configuration
This example shows a basic configuration that detects US SSNs and credit card numbers, and rejects requests containing PII:
apiVersion: gateway.mulesoft.com/v1alpha1
kind: PolicyBinding
metadata:
name: a2a-v1-pii-detector
spec:
targetRef:
kind: ApiInstance
name: my-a2a-v1-agent
policyRef:
name: a-two-a-v1-pii-detector-flex
config:
entities:
- US SSN
- Credit Card
action: Reject
Configuration with Custom Patterns
This example shows a configuration that detects email addresses along with a custom pattern for internal project codes. The policy logs detections and masks the sensitive data:
apiVersion: gateway.mulesoft.com/v1alpha1
kind: PolicyBinding
metadata:
name: a2a-v1-pii-detector-custom
spec:
targetRef:
kind: ApiInstance
name: my-a2a-v1-agent
policyRef:
name: a-two-a-v1-pii-detector-flex
config:
entities:
- Email
customPatterns:
- name: Internal Project Code
pattern: 'PROJ-[A-Z0-9]{6}'
- name: Employee ID
pattern: 'EMP-\d{5}'
action: Log and mask
Logging Examples
This example shows an A2A v1 request containing multiple PII types and the corresponding log output for different action configurations.
Sample request:
{
"jsonrpc": "2.0",
"method": "SendMessage",
"params": {
"message": {
"parts": [
{
"kind": "text",
"text": "Contact me at john.doe@example.com or call (555) 123-4567. My SSN is 123-45-6789."
}
]
}
}
}
-
Log
-
Log and mask
-
Reject
When the action is set to Log, the policy logs detected PII with the actual values:
[accessLog] Request: `Contact me at john.doe@example.com or call (555) 123-4567. My SSN is 123-45-6789.` has sensitive data: [
{
"pii_type": "Email",
"value": "john.doe@example.com",
"start": 14,
"end": 34
},
{
"pii_type": "Phone Number",
"value": "(555) 123-4567",
"start": 43,
"end": 57
},
{
"pii_type": "US SSN",
"value": "123-45-6789",
"start": 70,
"end": 81
}
]
When the action is set to Log and mask, the policy logs detected PII with masked values:
[accessLog] Request: `Contact me at ********@example.com or call (***) ***-4567. My SSN is ***-**-6789.` has sensitive data: [
{
"pii_type": "Email",
"masked_value": "********@example.com",
"start": 14,
"end": 34
},
{
"pii_type": "Phone Number",
"masked_value": "(***) ***-4567",
"start": 43,
"end": 57
},
{
"pii_type": "US SSN",
"masked_value": "***-**-6789",
"start": 70,
"end": 81
}
]
When the action is set to Reject, the policy blocks the request and returns an error response in the transport’s format. The upstream agent never receives the original request containing PII.
For this JSON-RPC request, the response would be:
{
"jsonrpc": "2.0",
"id": null,
"error": {
"code": -32600,
"message": "Request contains PII data: US SSN: 123-45-6789",
"data": [
{
"@type": "type.googleapis.com/google.rpc.ErrorInfo",
"domain": "a2a-protocol.org",
"reason": "FORBIDDEN",
"metadata": {
"detail": "Request contains PII data: US SSN: 123-45-6789"
}
}
]
}
}
A policy violation is reported for monitoring purposes.
Custom Pattern Example
This example shows detection of a custom AWS Access Key pattern in a request:
{
"jsonrpc": "2.0",
"method": "SendMessage",
"params": {
"message": {
"parts": [
{
"kind": "text",
"text": "Use this AWS key: AKIAIOSFODNN7EXAMPLE for deployment"
}
]
}
}
}
With a custom pattern configured (name: AWS Access Key, pattern: AKIA[0-9A-Z]{16}), the policy logs:
[accessLog] Request: `Use this AWS key: AKIAIOSFODNN7EXAMPLE for deployment` has sensitive data: [
{
"pii_type": "AWS Access Key",
"value": "AKIAIOSFODNN7EXAMPLE",
"start": 18,
"end": 38
}
]
Edge Cases
The policy passes through these requests without scanning:
-
Non-A2A traffic
-
A2A methods other than
SendMessageandSendStreamingMessage(such asGetTask,ListTasks, agent card requests) -
Requests with missing or malformed
params -
Message parts with types other than
Part::Text(Part::FileandPart::Dataare not scanned) -
Empty text parts
If a regex engine error occurs while scanning a text part, the error is logged and that part is skipped, but remaining parts continue to be scanned.
Compliance and Data Flow
This table shows where raw PII values appear based on the configured action.
| Action | Request Body on Wire | Access Log |
|---|---|---|
Reject |
Blocked (error response; raw PII values may appear in error message) |
No log emitted on reject |
Log |
Forwarded unchanged (raw PII flows upstream) |
Raw |
Log and mask |
Forwarded unchanged (raw PII flows upstream) |
Masked |
| The Log and mask action only masks the access log, not the request body. Raw PII still flows to the upstream agent when using Log or Log and mask actions. Only Reject prevents PII from reaching the agent. |
| The A2A v1 PII Detector policy scans requests only. It does not scan responses. For pre-v1.0 A2A traffic that requires both request and response scanning, use the A2A PII Detector Policy. |
See Also
-
A2A PII Detector Policy (for pre-v1.0 A2A traffic)



