How to Redact PII from CrewAI Agent Calls

A CrewAI workflow fans a single user input out to many model calls — researcher, writer, critic, planner. Every step is another leak path. Here's how to apply one PII redaction policy across an entire CrewAI crew with Grepture.

The problem: agents multiply the leak surface

A single chat completion has one prompt and one response. A CrewAI crew can have eight. A researcher agent calls a model. A planner agent calls a model. A writer drafts. A critic reviews. A summarizer compresses the result. Every step gets the same user input or a derivation of it. Every step is another chance for a customer name, an API key, or a stack trace to land in OpenAI's logs.

Scrubbing input at the entrypoint of the crew is necessary but not sufficient — intermediate model outputs flow into subsequent prompts, and PII that survived one step can leak in the next.

The right place to enforce a redaction policy is in the request path of every agent's model call. That's what Grepture does.

The setup

CrewAI uses LLM wrappers (OpenAI, Anthropic, LiteLLM, custom). Point the wrapper's base URL at Grepture and every agent's calls flow through the same redaction.

import os

from crewai import Agent, Crew, Task
from crewai.llm import LLM

# One LLM instance, shared by every agent, routed through the Grepture proxy
llm = LLM(
    model="openai/gpt-4o",
    base_url="https://proxy.grepture.com/v1",
    api_key=os.environ["OPENAI_API_KEY"],
    extra_headers={
        "X-Grepture-Auth": f"Bearer {os.environ['GREPTURE_API_KEY']}",
    },
)

# Placeholder value; in practice this is the end user's input
user_request = "Why did my last order ship late?"

researcher = Agent(
    role="Research analyst",
    goal="Surface every relevant fact about the user's question",
    backstory="You read carefully and cite sources",
    llm=llm,
)

writer = Agent(
    role="Technical writer",
    goal="Turn research into a clear answer",
    backstory="You write for engineers",
    llm=llm,
)

crew = Crew(
    agents=[researcher, writer],
    tasks=[
        # Task requires expected_output; the values here are illustrative
        Task(
            description=user_request,
            expected_output="Relevant facts with sources",
            agent=researcher,
        ),
        Task(
            description="Write a final response",
            expected_output="A clear answer for the user",
            agent=writer,
        ),
    ],
)

result = crew.kickoff()

Every model call from every agent now goes through the Grepture proxy. PII is redacted, secrets are replaced with stable labels, and reversible tokens carry user data through the crew without exposing it to the model.

Why reversible matters in agent workflows

If agent A passes "Sarah Chen at 742 Evergreen Terrace ordered widgets" to agent B, and you scrub it to "[PERSON_1] at [ADDRESS_1] ordered widgets," agent B can still reason about it. When agent C produces the final user-facing response, Grepture swaps the tokens back for the original values: the user sees their own name and address, and the model never did.

A naive scrubber (just delete the PII) breaks the agent chain because intermediate models lose the referential thread. Reversible tokenisation keeps the chain working.
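A minimal sketch of the reversible tokenisation described above, added here as an illustration and not Grepture's implementation. The `TokenVault` class, the regex detectors and every sample string are constructed, and the final agent's answer is a stand-in string rather than a real model call.

```python
import re

# Constructed detectors for illustration only; order matters (SSN before PHONE).
PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"\+?\d[\d ()-]{7,}\d"),
}
TOKEN = re.compile(r"\[(?:EMAIL|SSN|PHONE)_\d+\]")

class TokenVault:
    """Hypothetical per-request map between PII values and stable tokens."""
    def __init__(self):
        self.by_value, self.by_token, self.counts = {}, {}, {}

    def _token_for(self, kind, value):
        if (kind, value) not in self.by_value:
            self.counts[kind] = self.counts.get(kind, 0) + 1
            token = f"[{kind}_{self.counts[kind]}]"
            self.by_value[(kind, value)] = token
            self.by_token[token] = value
        return self.by_value[(kind, value)]

    def redact(self, text):
        # Same value -> same token on every call, so later steps can refer back.
        for kind, pattern in PATTERNS.items():
            text = pattern.sub(lambda m, k=kind: self._token_for(k, m.group()), text)
        return text

    def restore(self, text):
        # Tokens the vault never issued are left as-is rather than guessed at.
        return TOKEN.sub(lambda m: self.by_token.get(m.group(), m.group()), text)

def naive_scrub(text):
    """Delete-only scrubbing: nothing left for the next agent to refer to."""
    for pattern in PATTERNS.values():
        text = pattern.sub("", text)
    return text

def demo():
    vault = TokenVault()
    user_input = "Refund for sarah.chen@example.com, SSN 123-45-6789."  # constructed
    tool_output = "CRM: sarah.chen@example.com, phone +1 415 555 0100"  # constructed
    prompt_a = vault.redact(user_input)  # what the first agent's model sees
    prompt_b = vault.redact(f"{prompt_a}\nTool: {tool_output}")  # next agent's prompt
    # Stand-in for the last agent's answer, phrased in tokens (no model is called).
    answer = "Confirmation sent to [EMAIL_1]; we will call [PHONE_1]."
    return prompt_a, prompt_b, vault.restore(answer), naive_scrub(user_input)
```

The e-mail address that reappears in the tool output maps to the same `[EMAIL_1]` token as in the user input, which is what lets a later step refer back to it; the delete-only result has no such handle.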

What gets caught at every step

The same policy applies to every model call in the crew:

  • PII (reversible): email, phone, SSN, credit card, IP, physical address, person names, dates of birth
  • Secrets (permanent replacement): API keys, tokens, passwords, webhooks across 25+ credential families
  • Provider-agnostic: if your crew mixes OpenAI for one agent and Anthropic for another, both flow through the same rules

A note on tool outputs

CrewAI agents call tools — web search, code execution, document retrieval — and the results feed back into prompts. Tool outputs are a common PII surface (a search result returns a real email address; a database lookup returns a customer record). Because Grepture sits in the request path, tool output that gets fed into the next model call is redacted the same way user input is.

The agent-platform use case

If you're building an agent platform where customers configure their own crews, the prompts are driven by end users (or their data), and you don't get to vet every one. Different surface from a chat UI, same root problem:

Migration

  1. Sign up at app.grepture.com.
  2. Change the base_url on the LLM instance(s) your agents use.
  3. Add the X-Grepture-Auth header.
  4. Watch the Traffic Log to confirm every agent's calls are flowing through the proxy.
