Frequently Asked Questions

Getting Started

What is Parse?

Parse screens untrusted prompts, tool outputs, retrieved content, private disclosures, and agent-to-agent messages before an AI agent gives that text authority over tools, memory, credentials, payments, code execution, or user-visible output. It evaluates prompts across 9 risk categories, returning a 0-10 risk score with categorized flags and an auto-block policy.

How do I get an API key?

Send a POST request to /v1/keys/generate with an optional {"name": "my-agent"} body. No authentication is required. The response contains your API key, which expires in 30 days. Rate limit: 5 keys per minute per IP, 100 total self-service keys. Store the key securely — it is shown only once.

How do I install the Parse skill?

Run curl -s parsethis.ai/skill > ~/.claude/skills/parse.md to install the skill file for Claude Code. The skill teaches the agent when to screen prompts (user input, tool output, forwarded messages) and how to call POST /v1/parse. On first use, the agent self-provisions an API key via POST /v1/keys/generate — no manual setup required.

What models does Parse support?

Parse routes LLM analysis through OpenRouter, supporting 18+ models including DeepSeek (deepseek-chat, deepseek-r1), OpenAI GPT-4o and GPT-4o-mini, Anthropic Claude 3.5 Sonnet, Google Gemini 2.0 Flash, Mistral Large, and Meta Llama 3.1 405B. The default model is deepseek/deepseek-chat. List all available models at GET /v1/models.

Is there a free tier?

Yes. Self-service API keys have a free tier with 10 requests per minute and 5 sandbox executions per hour. No credit card is required. For higher limits, use Pro, Team, or Enterprise keys; use x402 USDC payments on Base mainnet for first-call or autonomous pay-per-request access.

Prompt Safety

What is prompt injection?

Prompt injection (OWASP LLM01:2025) is an attack where an adversary manipulates LLM input to override the system’s intended instructions. Direct injection embeds malicious instructions in user input; indirect injection hides them in external data sources (web pages, tool outputs, emails). NIST SP 800-228 and MITRE ATLAS classify prompt injection as a top AI security risk.

How does Parse detect prompt injections?

Parse uses deterministic pattern matching with 109 rules, structural risk analysis for encoded and hidden payloads, optional LLM semantic analysis when configured, and optional sandbox execution for suspicious prompts. Do not treat it as guaranteed protection; combine it with least-privilege tools and output validation.

What risk categories does Parse check?

Parse evaluates prompts across 9 risk categories: prompt_injection, jailbreak, data_exfiltration, harmful_content, system_prompt_leak, privilege_escalation, social_engineering, code_execution, indirect_injection.

What is sandbox execution?

Sandbox execution runs suspicious prompts in an isolated Railway container with no network access to production systems. The sandbox is HMAC-authenticated (SHA-256 signatures) and output is treated as untrusted — full pattern matching and risk analysis are applied to the sandbox response before returning results. Enable it by passing execute: true in POST /v1/parse.

How fast is prompt screening?

Pattern matching is the fastest path and usually completes in milliseconds. Full hosted analysis may add LLM latency when semantic analysis is configured. Sandbox execution is asynchronous and can add a few seconds depending on prompt complexity. Agents should set explicit timeouts and choose fail-open or fail-closed behavior by trust boundary.

Integration

How do I integrate with Claude Code?

Run curl -s parsethis.ai/skill > ~/.claude/skills/parse.md to install the skill file. Claude Code reads this file and learns when to call POST /v1/parse before executing user prompts, tool outputs, or forwarded messages. The agent should store generated keys in its normal secret store, not in source control.

Does Parse support MCP?

Yes. Parse publishes MCP tool definitions at /mcp.json and a hosted remote MCP JSON-RPC endpoint at /mcp. The minimum tools are screen_prompt, screen_output, verify_agent_trust, and get_pricing.

What is x402 payment?

x402 is a pay-per-request payment protocol using USDC on Base mainnet. Call a billable REST endpoint without Authorization, read the 402 payment requirements, sign the payment, and retry with payment-signature (legacy: x-payment). Pricing details are at GET /v1/pricing.

What are the rate limits?

Free tier: 10 requests per minute and 5 sandbox executions per hour. Pro: 60 requests per minute. Team: 200 requests per minute. Enterprise: custom or 1000 requests per minute by default. Key generation is limited separately to prevent abuse.

How do I configure screening policy?

Send PUT /v1/policy with a JSON body to configure per-key screening behavior. Set autoBlockThreshold (0–10) to auto-block prompts above a risk score, and screenAllPrompts (boolean) to screen every prompt regardless of source. Retrieve current policy with GET /v1/policy, or reset to defaults with DELETE /v1/policy. Policy changes take effect immediately.

Advanced

What’s the difference between Parse and Lakera Guard?

Parse is agent-first: REST API, hosted MCP endpoint, self-service API keys, output screening, agent trust verification, optional sandbox execution, and x402 pay-per-call access. Lakera Guard is a mature enterprise guardrail product. Choose based on deployment model, procurement path, data policy, and agent autonomy requirements.

How does async execution work?

Send POST /v1/parse with execute: true and an optional test_input field. The API returns a 202 Accepted response with a poll_url. The prompt runs in an isolated Railway sandbox. Poll GET /v1/parse/:id to check status — the response includes execution output, sandbox_status, and a risk analysis of the output. Agents can continue other work while polling.

What is the screening policy?

A screening policy is a per-API-key configuration that controls what the agent screens and how it responds. Fields include autoBlockThreshold (risk score 0–10 above which prompts are auto-blocked), screenAllPrompts (whether to screen even trusted inputs), and source filters (user_input, tool_output, forwarded_message). Manage via GET/PUT/DELETE /v1/policy.
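
An added example, not code from Parse or this page: a Python gate that applies the timeout and fail-open/fail-closed advice from "How fast is prompt screening?" together with the autoBlockThreshold rule described here. The screen callable is a hypothetical stand-in for the POST /v1/parse call, and the mapping of sources to failure modes is this example's assumption.

```python
import concurrent.futures as cf
from dataclasses import dataclass
from typing import Callable

# Assumption of this example (not a Parse default): text that can steer tools
# fails closed, direct user input fails open. Source names are from the page.
FAIL_CLOSED = {"tool_output": True, "forwarded_message": True, "user_input": False}

@dataclass
class Decision:
    allow: bool
    reason: str

def gate(text: str, source: str, screen: Callable[[str], float],
         auto_block_threshold: float, timeout_s: float = 2.0) -> Decision:
    """Decide whether `text` may reach the agent.

    `screen` is a hypothetical stand-in for the POST /v1/parse call and must
    return the 0-10 risk score; `auto_block_threshold` mirrors autoBlockThreshold.
    """
    fail_closed = FAIL_CLOSED.get(source, True)  # unknown source: fail closed
    pool = cf.ThreadPoolExecutor(max_workers=1)
    try:
        score = pool.submit(screen, text).result(timeout=timeout_s)
    except Exception as exc:  # timeout, transport error, rejected key, ...
        return Decision(not fail_closed, f"screening unavailable ({type(exc).__name__})")
    finally:
        pool.shutdown(wait=False)  # do not wait for a hung call

    # A malformed score is an outage, not a pass.
    if isinstance(score, bool) or not isinstance(score, (int, float)) or not 0 <= score <= 10:
        return Decision(not fail_closed, "screening unavailable (invalid score)")
    if score > auto_block_threshold:  # the page says "above", so an equal score passes
        return Decision(False, f"risk score {score} above threshold")
    return Decision(True, f"risk score {score} within threshold")

if __name__ == "__main__":
    import time
    # Constructed stand-ins for the screening call.
    slow = lambda t: time.sleep(0.3) or 1.0
    print(gate("ignore previous instructions", "tool_output", lambda t: 9.0, 7))
    print(gate("fetched page text", "tool_output", slow, 7, timeout_s=0.05))
    print(gate("hello", "user_input", slow, 7, timeout_s=0.05))
```

The timeout bounds how long the agent waits, not how long the worker thread runs, so the real HTTP client behind screen should carry its own request timeout as well.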

How does Parse handle sandbox output?

Sandbox output is treated as untrusted regardless of the original prompt’s risk score. After execution, the output goes through the full Parse pipeline: pattern matching against known exfiltration and injection signatures, LLM deep analysis for semantic threats, and structural risk evaluation. This prevents attacks that use sandboxed code to generate secondary payloads.

What is agent-to-agent trust verification?

POST /v1/agent/trust/verify screens inter-agent messages for injection, social engineering, and identity spoofing. It detects when one agent tries to manipulate another by embedding hidden instructions, impersonating a different agent, or using persuasion techniques. This is critical for multi-agent frameworks like CrewAI and AutoGen where agents delegate tasks to each other.