If you're running AI workflows in n8n that touch real customer data β emails, phone numbers, account IDs, health records β that data is almost certainly reaching external LLM APIs in plain text. n8n execution history stores every node's input and output by default, which means anyone with instance access can read raw PII from your logs.
This post covers five concrete approaches, from zero-dependency quick fixes to production-grade solutions, with real tools, install instructions, and honest tradeoffs for each.
A typical n8n AI workflow looks like this:
Webhook β Pull customer record β Build prompt β OpenAI β Send response
By the time that prompt hits OpenAI, it might contain:
Summarize the support case for john.doe@company.com,
SSN 999-88-7777, account #48291, phone 555-304-8821.
Issue: {{ $json.description }}
Every field there is PII. It's going to OpenAI's infrastructure. It's sitting in your n8n execution logs. And unless you've taken specific steps to prevent it, it will keep doing that silently.
What it is: Write JavaScript in an n8n Code node to replace sensitive fields with tokens before the LLM node, then reverse it afterward.
Setup: No installation needed. Add a Code node before your LLM node.
// "Tokenize" Code node β Run Once for All Items
const map = {};
let counter = 1;
function token(value, kind) {
const t = `[${kind}_${String(counter++).padStart(3, '0')}]`;
map[t] = value;
return t;
}
const input = $input.first().json;
return [{
json: {
safe_prompt: `Summarize the case for ${token(input.email, 'EMAIL')},
account ${token(input.account_id, 'ACCT')},
phone ${token(input.phone, 'PHONE')}.
Issue: ${input.description}`,
_pii_map: map
}
}];
Then after your LLM node, a second Code node to restore values:
// "Detokenize" Code node
let response = $input.first().json.message.content;
const map = $('Tokenize').first().json._pii_map;
for (const [token, value] of Object.entries(map)) {
response = response.replaceAll(token, value);
}
return [{ json: { response } }];
What it actually covers:
What it misses:
_pii_map
still appears in execution logs if you're not carefulBest for: Prototyping. One-off workflows where you know exactly which 2β3 fields carry PII and you won't forget to update the code when the schema changes.
What it is: A native n8n node (available since v1.113.3, November 2025) that sits between your data and your LLM node. No external services required for pattern-based checks.
Setup: Update n8n to at least v1.113.3. The Guardrails node appears in the node search β no installation needed.
The node has two modes:
Check Text for Violations β scans text against selected policies and routes to a Fail
branch if anything triggers. You then decide what to do: halt the workflow, log the attempt, return a safe fallback.
Sanitize Text β redacts detected content in-place and replaces it with placeholders like [EMAIL_ADDRESS]
or [PHONE_NUMBER]
. The workflow keeps running with the cleaned text.
A typical pattern:
Webhook β Guardrails (Sanitize) β OpenAI β Response
Available guardrails include: PII detection (20+ entity types: emails, phones, credit cards, SSNs, IBANs, passports, driver's licenses, medical licenses, and country-specific formats), Secret Keys, Keywords, URLs, Custom Regex, Jailbreak detection (LLM-based), NSFW detection (LLM-based), and Topical Alignment.
For PII specifically, the Sanitize mode catches structured entities via pattern matching β no API call required, no latency added. Jailbreak and NSFW detection require a connected LLM node and add one API call per check.
What it actually covers:
What it misses:
[EMAIL_ADDRESS]
, not the original. For workflows where you need the real value restored after the LLM call, you'll need additional logic.Best for: Adding a first layer of protection to user-facing chatbots and intake workflows. Excellent for blocking jailbreaks and catching structured PII on input. Not enough on its own if your workflow composes prompts from data pulled across multiple nodes.
What it is: An open-source n8n community node (GitHub, npm) built on the Rehydra SDK. Handles both anonymization and rehydration β meaning it can restore original values after the LLM responds.
Setup:
Self-hosted n8n β Settings β Community Nodes β Install β enter n8n-nodes-rehydra
.
Or via CLI:
npm install n8n-nodes-rehydra
Three nodes in the package:
Rehydra: Anonymize β replaces detected PII with XML-style tags: <PII type="EMAIL" id="1"/>
. Supports Pseudonymize mode (reversible, default) and Anonymize mode (irreversible, for when you never need the value back). Outputs: anonymizedText
, piiMap
(encrypted), entities
.
Rehydra: Rehydrate β takes the piiMap
from a prior Anonymize step and restores original values. Requires the same encryption key.
Rehydra: Inspect β dry run mode. Returns detected entities without modifying the text. Useful for testing what would be caught before going to production.
Configuration options:
A typical workflow:
Database β Rehydra: Anonymize β Claude β Rehydra: Rehydrate β Save result
What it actually covers:
What it misses:
N8N_COMMUNITY_PACKAGES_ENABLED=true
; not available on n8n CloudBest for: Self-hosted teams who need reversible PII masking with no external service dependency, and specifically need name/organization detection beyond regex-only approaches.
What it is: An open-source PII detection and anonymization engine from Microsoft, designed for production use. You deploy it as a local service and call it from n8n via HTTP Request nodes.
Setup:
Deploy with Docker:
docker pull mcr.microsoft.com/presidio-analyzer
docker pull mcr.microsoft.com/presidio-anonymizer
docker run -d -p 5001:3000 mcr.microsoft.com/presidio-analyzer
docker run -d -p 5002:3000 mcr.microsoft.com/presidio-anonymizer
In n8n, add an HTTP Request node:
POST http://localhost:5001/analyze
Body: {
"text": "{{ $json.prompt }}",
"language": "en"
}
This returns detected entities with positions. Send those to the anonymizer:
POST http://localhost:5002/anonymize
Body: {
"text": "{{ $json.prompt }}",
"analyzer_results": "{{ $json.analyzerResults }}"
}
Presidio supports 50+ entity types, custom recognizers, and multiple anonymization operators (replace, redact, hash, encrypt, mask). It's the basis for many enterprise PII pipelines and supports English and a growing list of other languages.
What it actually covers:
What it misses:
Best for: Teams with existing DevOps capacity who want maximum control over entity detection, custom recognizers for industry-specific PII, and no dependency on third-party SaaS.
What it is: A native n8n community package (npm, privent.ai) that runs inside your workflow graph β not as an external proxy. 2,000+ installs on npm.
The architectural difference from everything above: Privent nodes read node input/output JSON and cross-node data movement directly, the same way any other n8n node does. It sees what accumulated across your entire workflow before the prompt is composed, not just the final text field you point at.
Setup:
Self-hosted:
N8N_COMMUNITY_PACKAGES_ENABLED=true
Then Settings β Community Nodes β Install β n8n-nodes-privent
.
n8n Cloud Pro/Enterprise: same UI path β no environment variable needed.
Create a Privent API credential with your pv_live_β¦
key (vault backend is configured automatically based on your deployment type).
Six nodes in the package:
Privent Session β generates a sessionId
and prewarms the in-memory vault. Keeps token mappings consistent when the same value appears across multiple nodes in one session.
Privent Tokenize β replaces detected sensitive data with deterministic [KIND_NNN]
placeholders. Detects 10 categories: EMAIL, SSN, CREDIT_CARD, IBAN, AWS_KEY, JWT, API_KEY, and more. The detection engine (ACARS) evaluates six weighted signals simultaneously β entity sensitivity, semantic risk, contextual amplification, destination risk, behavioral velocity, and policy overrides β rather than pattern-matching alone.
Privent Detokenize β resolves placeholders back to real values, but only at sinks you declare as trusted. With strict: true
, it hashes the downstream sink URL and checks it against your trustedSinks
prefix list. An HTTP node targeting an unknown endpoint keeps the placeholder β the cleartext value stays in the vault regardless of what downstream logic does.
Privent Risk Check β scores the prompt before it reaches the model, with the full ACARS breakdown per execution.
Privent Handoff β emits agent_handoff
audit events when one agent delegates to another. Flags unauthorized scope expansions.
Privent Audit Event β emits custom observability events into the Privent dashboard.
A typical workflow:
Webhook β [your nodes] β Session β Tokenize β OpenAI β Detokenize β Response
The workflow JSON:
{
"nodes": [
{ "name": "Webhook", "type": "n8n-nodes-base.webhook" },
{ "name": "Session", "type": "n8n-nodes-privent.priventSession" },
{
"name": "Tokenize",
"type": "n8n-nodes-privent.priventTokenize",
"parameters": {
"sessionId": "={{ $('Session').item.json.sessionId }}",
"textField": "prompt"
}
},
{ "name": "OpenAI", "type": "n8n-nodes-base.openAi" },
{
"name": "Detokenize",
"type": "n8n-nodes-privent.priventDetokenize",
"parameters": {
"strict": true,
"trustedSinks": "https://internal.yourcompany.com"
}
}
]
}
What it actually covers:
What it requires:
Deployment options: Privent Cloud (managed, API key), Dedicated (isolated environment), or fully on-prem (detection engine, rules, and AI models all run inside your network β nothing leaves).
Best for: Production workflows handling real customer data across multiple nodes, multi-agent architectures where data moves between agents, healthcare (HIPAA) and financial (GDPR, CCPA) environments, or any setup where you need to know exactly what left your infrastructure and where it went.
| Code Node | n8n Guardrails | Rehydra | Presidio | Privent | |
|---|---|---|---|---|---|
| Installation | None | None | Community node | Docker service | Community node |
| Detokenization | Manual | β redact-only | β | β (custom) | β |
| Detects names/orgs | β | β οΈ limited | β (NER mode) | β | β |
| Implicit/semantic PII | β | β | β | β | β |
| Cross-node visibility | β | β | β | β | β |
| Egress gating | β | β | β | β | β |
| Audit trail | β | β | β | β | β |
| Works on n8n Cloud | β | β | β | β | β (Pro+) |
| External service req. | β | β | β | Docker | API key |
| On-prem option | β | β | β | β | β |
Start with n8n Guardrails if you're on n8n Cloud or want zero configuration overhead and your main concern is protecting user-submitted input on a chatbot or intake form. It's already there, costs nothing to set up, and catches the most common cases.
Add Rehydra if you need reversible anonymization on self-hosted n8n and can't send detection to an external service. The local NER model handles names and organizations that regex-only approaches miss.
Use Presidio if you have DevOps capacity, need 50+ entity types or custom recognizers for industry-specific PII, and want maximum control over anonymization strategy.
Use Privent if your workflow composes prompts from data pulled across multiple nodes, you're running multi-agent flows, or you need an audit trail that shows you exactly what left your infrastructure. The graph-state visibility gap is real β other approaches protect the field you point them at; Privent watches the entire execution.
What approach are you using in production? Curious especially about edge cases with multi-node workflows β drop it in the comments.