langchain-ai · mottig30 · Oct 23, 2025 · Oct 24, 2025 · Nov 5, 2025 · Nov 5, 2025
@@ -0,0 +1,56 @@
+---
+title: PlainID
+---
+
+[PlainID](https://www.plainid.com/) provides policy-based authorization (PBAC) and centralized policy enforcement. This integration allows you to enforce fine-grained access control within your LangChain applications at different stages of the LLM chain.
+
+With `langchain-plainid`, you can:
+- **Filter RAG data:** Dynamically filter documents retrieved from your vector store based on the user's permissions, ensuring they only see data they are authorized to access.
+- **Authorize prompts:** Control whether a user or tenant is allowed to *invoke* a chain or tool based on the *category* of their query.
+- **Anonymize data:** Detect and anonymize (mask or encrypt) PII or other sensitive entities in responses, based on policies defined in PlainID.
+
+## Installation
+
+First, install the partner package:
+
+<CodeGroup>
+```bash pip
+pip install langchain_plainid
+```
+</CodeGroup>
+
+## Setup
+
+Next, you need to configure the provider with credentials from your PlainID tenant. You will need your Client ID, Client Secret, and Base URL.
+
+You can set these as environment variables:
+
+<CodeGroup>
+```bash Environment Variables
+export PLAINID_CLIENT_ID="your-client-id"
+export PLAINID_CLIENT_SECRET="your-client-secret"
+export PLAINID_BASE_URL="[https://platform-product.us1.plainid.io](https://platform-product.us1.plainid.io)"
+```
+</CodeGroup>
+
+All components will automatically use these environment variables if no explicit credentials are provided during instantiation.
+
+## Usage
+
+The package provides three main components for enforcing authorization.
+
+### RAG Data Filtering
+
+The `PlainIDRetriever` wraps your existing vector store retriever. It fetches authorization filters from PlainID based on the user's identity and applies them to the vector store query. This filters out documents *before* they are passed to the LLM for context.
+
+This example assumes you have a `PlainIDPermissionsProvider` configured (e.g., via environment variables) and a `PlainIDRetrieverFilterProvider` set up.
+
+### Prompt Authorization
+
+The `PlainIDCategorizer` can be placed at the beginning of a chain to authorize the user's *intent*. It classifies the input prompt (e.g., "HR", "Finance", "Contract") and checks with PlainID if the user is permitted to ask about that category. If not authorized, it raises a `ValueError`.
+
+### PII Anonymization
+
+The `PlainIDAnonymizer` can be placed at the end of a chain to inspect the LLM's response. It uses `presidio` to detect PII entities (like "PERSON", "PHONE_NUMBER") and then consults PlainID on whether to `MASK` or `ENCRYPT` them based on defined policies.
+
+For more detailed information and full examples, refer to the [langchain_plainid PyPI page](https://pypi.org/project/langchain_plainid/).