Skip to main content
This guide explains how to use TrueFoundry’s built-in Metadata Validation guardrail to enforce that requests carry the metadata your organization requires, with the values you expect.

What is Metadata Validation?

Metadata Validation is a built-in TrueFoundry guardrail that checks the custom metadata sent with a request against a set of rules you define. It runs directly within the AI Gateway without requiring external API calls, providing fast and cost-effective validation. Metadata is passed to the gateway using the X-TFY-METADATA header (see Log Custom Metadata). This guardrail lets you require that certain keys are always present, constrain their values to a regex pattern or a fixed list, and optionally reject any keys you have not explicitly allowed.
Metadata Validation only runs on the LLM Input hook (beforeRequestHook). When attached to any other hook (LLM Output, MCP Pre Tool, MCP Post Tool), it passes through without performing any checks.

Key Features

  1. Required Keys: Ensure specific metadata keys are always present in the request.
  2. Value Constraints: Validate a key’s value against a regex pattern or restrict it to a fixed set of allowed values.
  3. Unknown Key Control: Optionally reject any metadata key that is not explicitly declared in your rules.

Adding Metadata Validation Guardrail

To add Metadata Validation to your TrueFoundry setup, follow these steps:
1

Navigate to Guardrails

Go to the AI Gateway dashboard and navigate to the Guardrails section.
2

Create or Select a Guardrails Group

Create a new guardrails group or select an existing one where you want to add the Metadata Validation guardrail.
3

Add Metadata Validation Integration

Click on Add Guardrail and select Metadata Validation from the TrueFoundry Guardrails section.
4

Configure the Guardrail

Fill in the configuration form with your desired settings (see Configuration Options below). Toggle Allow unknown keys and add a rule for each metadata key you want to enforce.
Metadata Validation configuration form showing per-key rules with the Is key required toggle, Value should be among the ones defined here toggle, and Regex or Allowed Values constraints

Configure Metadata Validation with per-key rules

5

Save the Configuration

Click Save to add the guardrail to your group.

Configuration Options

See Guardrails Overview for details on Operation Modes and Enforcing Strategy.

Key Rules

Each entry under Keys maps a metadata key name to a rule. There are two kinds of rules:

Key must exist

Only the presence of the key is checked — any value passes. Once configured, the key must be present in the request metadata.

Value must match

Validates the key’s value, with an optional requirement that the key be present: The value constraint is one of:

How It Works

When a request reaches the LLM Input hook, the guardrail evaluates the request metadata as follows:
  1. If Allow unknown keys is off, every metadata key that is not declared in your rules raises an unknown_key violation. Keys injected by the gateway itself (for example subject, subjectType, tfy_agent_name, and any default gateway metadata) are exempt from this check.
  2. For each declared key rule:
    • Key must exist: a missing key raises a missing_required violation.
    • Value must match (required): a missing key raises a missing_required violation.
    • Value must match (regex): if the key is present, its value must match the pattern, otherwise a pattern_mismatch violation is raised. An invalid regex pattern raises an invalid_regex_pattern violation.
    • Value must match (allowed values): if the key is present, its value must be in the allowed set, otherwise a value_not_allowed violation is raised.
  3. If any violations are found, the verdict fails. The response handling then depends on the configured Enforcing Strategy.

Violation Reasons

Examples

Consider a guardrail with Allow unknown keys turned off and the following key rules:
  • environment — Value must match, allowed values: prod, staging, dev
  • customer_id — Value must match, regex: ^cust_[0-9]+$
  • team — Key must exist
Metadata:
Result: Allowed — all keys are present and valid, and no unknown keys are sent.
Metadata:
Result: Blocked — team:missing_required (the team key is missing).
Metadata:
Result: Blocked — environment:value_not_allowed (production is not in [prod, staging, dev]).
Metadata:
Result: Blocked — customer_id:pattern_mismatch (12345 does not match ^cust_[0-9]+$).
Metadata:
Result: Blocked — debug:unknown_key (the debug key is not declared and unknown keys are not allowed).

Sending Metadata

Metadata is sent using the X-TFY-METADATA header as a JSON object of string key-value pairs:
See Log Custom Metadata for how to attach metadata using the OpenAI, LangChain, and Node.js SDKs.

Use Cases

Example use cases

When you run more than one gateway against the same control plane — for example a dev gateway and a prod gateway — you may want to lock down the prod gateway so only production applications can call it, and a dev application that points at it is rejected.You can enforce this with Metadata Validation, without changing any application code, by combining two pieces of metadata the gateway already provides:
  • The caller’s environment comes from virtual account tags. Tagging a virtual account with env: prod means every request made with that account’s token carries env: prod.
  • The gateway’s environment comes from default gateway metadata. Each gateway stamps every request that passes through it with its own value, for example tfy_gateway_region: PROD.
A guardrail rule then matches on the gateway’s stamp (tfy_gateway_region) and applies a Metadata Validation guardrail that requires the caller’s env to be the matching value. Because the rule only fires on the gateway whose stamp it matches, the prod-environment guardrail runs only on the prod gateway:
1

Tag each virtual account with its environment

Add a tag to every virtual account: set env: prod on the accounts used by production applications and env: dev on the ones used by dev applications. These tags are injected as metadata on every request made with that account’s token.
2

Stamp each gateway with its environment

Set DEFAULT_GATEWAY_METADATA on each gateway plane so it tags every request that passes through it. On the prod gateway plane’s values file:
On the dev gateway plane’s values file:
3

Create a Metadata Validation guardrail for the production environment

Add a Metadata Validation guardrail (for example gateway-checker) with a single key rule:
  • Key Name: env
  • Is key required?: on
  • Value should be among the ones defined here: on, with Allowed Values: prod
Set the Enforcing Strategy to Enforce so non-matching requests are blocked. This guardrail blocks any request whose env is not prod.
Update Guardrails form for a Metadata Validation guardrail named gateway-checker, with Operation set to Validate, Enforcing Strategy set to Enforce, and a key rule requiring the env key with allowed value prod

Metadata Validation guardrail requiring env=prod

4

Apply it with a rule that matches the production gateway

Create a guardrail rule under AI Gateway → Guardrails → Policies that runs gateway-checker on the LLM Input hook only when the request carries the prod gateway’s stamp. In the rule builder, add a WITH METADATA condition of tfy_gateway_region = PROD, set APPLY ON HOOKS → LLM Input to the gateway-checker guardrail, and optionally set a Custom Error Message such as This gateway can only be accessed from prod env.
Edit Guardrail Rule form named prod-gateway-check with a WITH METADATA condition of tfy_gateway_region equal to PROD, the gateway-checker guardrail applied on the LLM Input hook, and a custom error message reading This gateway can only be accessed from prod env

Guardrail rule applying gateway-checker only when tfy_gateway_region is PROD

The equivalent GitOps configuration is:
The rule fires only on requests stamped tfy_gateway_region: PROD — that is, requests reaching the prod gateway — so a dev application (env: dev) calling the prod gateway is rejected, while it is unaffected on the dev gateway.
5

Verify the behavior

Send a request with env: prod in its metadata through the prod gateway — it passes. Send one with any other env value (or none) and it is blocked with your custom error message.
AI Gateway playground showing a blocked response with the message This gateway can only be accessed from prod env

A request without env=prod is blocked on the prod gateway

Only the prod gateway is pinned. Production traffic comes from applications using virtual accounts, whose env: prod tag is injected automatically — so requiring it on the prod gateway is safe. The dev gateway is intentionally left open: developers typically access it interactively with Personal Access Tokens (PATs), which do not carry the virtual account’s env tag. Enforcing the same guardrail on the dev gateway would block those legitimate users.
This assumes every production virtual account is tagged with env: prod. With Is key required? on, a request that reaches the prod gateway without that tag is blocked. Tag all production virtual accounts first, and consider starting the guardrail in Audit mode to confirm legitimate traffic passes before switching to Enforce.
To guarantee every request can be attributed in analytics and cost reports, require the metadata keys your finance and platform teams group by — for example team and cost_center — so no request reaches a model without them.
1

Create a Metadata Validation guardrail with the required keys

Add a Metadata Validation guardrail (for example cost-attribution) with one rule per key:
  • Key Name: teamIs key required?: on (Key must exist)
  • Key Name: cost_centerIs key required?: on, Value should be among the ones defined here: on, Regex: ^cc-[0-9]{4}$
Set the Enforcing Strategy to Enforce. Requests missing team, or with a cost_center that does not match the format, are rejected before reaching the model.
2

Apply it to all requests on the LLM Input hook

Add a guardrail rule with an empty when block so it applies to every request:
Combine this with automatic metadata injection — tag virtual accounts and teams so team and cost_center are added without any client-side changes — and the guardrail simply confirms they are always present.
Metadata Validation runs only on the LLM Input hook. Attaching it to other hooks has no effect.

Best Practices

Start with the Audit enforcing strategy to observe metadata violations in Request Traces before switching to Enforce. This helps you confirm that callers are already sending the metadata your rules expect.
All metadata values are compared as strings, and allowed-value matching is case-sensitive. Make sure your allowed values and regex patterns account for the exact casing and format your applications send.