Skip to main content

General & Authentication

Q1: What are the essential first steps to perform a scan?

A: To perform any scan, you need two fundamental pieces of information:
  1. An API Key for Authentication: You must provide a valid API key to authenticate your requests. You can generate and manage your keys from the Argus dashboard.
  2. A Policy to Define the Rules: You must tell Argus what to scan for. A policy defines the specific risks (e.g., toxicity, PII) and the action to take (BLOCK or FLAG) if a risk is detected.

Q2: Where do I find my API Keys?

A: You can generate, manage, and revoke your API keys from the “API Keys” section of your Argus dashboard.

Q3: Why is using an environment variable for the API key recommended?

A: Storing the API key in an environment variable (export ARGUS_API_KEY="...") prevents you from accidentally committing sensitive credentials to version control systems like Git. It is a critical security best practice.

Q4: I’m getting a 401 ArgusAuthenticationError. What should I do?

A: This means your API key is invalid or not being sent correctly. Please check the following:
  1. Verify the key is copied correctly from your Argus dashboard, with no extra spaces or characters.
  2. Ensure the key has not been revoked.
  3. Confirm that your application is correctly loading the key from the environment variable or configuration file.

Policies & Scanning

**Q5: How do **Action.BLOCK**and ** Action.FLAGdiffer in practice?

A: They dictate your application’s control flow.
  • Action.BLOCK results in a Verdict.BLOCKED. This is for high-risk threats. Your code should immediately stop the request and not send the text to the LLM.
  • Action.FLAG results in a Verdict.FLAGGED. This is for monitoring low-risk issues. Your code should allow the request to proceed to the LLM but can also log the event for later review (e.g., for business intelligence).

Q6: Can I check for multiple policies in a single API call?

A: Yes. The Policy object is a dictionary that can hold configurations for as many PolicyName enums as you need. All active policies in the dictionary will be evaluated in a single, efficient API call.

Q7: What is the InteractionType(PROMPT vs. RESPONSE) used for?

A: InteractionType provides essential context to the Argus detection models. Some risks are more likely or manifest differently in user prompts versus LLM responses. Providing the correct type can lead to more accurate scan results. For example, SYSTEM_PROMPT_LEAK is primarily relevant for a RESPONSE, while PROMPT_INJECTION is only relevant for a PROMPT.

**Q8: My scan passedbut I expected it to be ** blocked. Why?

A: This can happen for a few reasons. Please check them in this order:
  1. Policy Configuration: Double-check your Policy object. Is the action correctly set to Action.BLOCK? If you are using a policy that requires a list (e.g., BANNED_TOPICS), ensure the items in the topics list are spelled correctly and cover the test case.
  2. Mismatched Policy Scope and Scan Method: This is a very common issue. Some policies are prompt-only (e.g., UNSAFE_PROMPT) and others are response-only (e.g., UNSAFE_RESPONSE). If you include a response-only policy but call check_prompt(), that specific policy will be ignored for the scan. Please refer to the Policy Scope Reference table in Section 5.5 to ensure the policy you are testing applies to the scan method you are calling.
  3. Detection Threshold: Our models are tuned for high precision, but some inputs may fall just below the detection threshold. If you have a clear example of an input that you believe should be blocked but isn’t, please contact our support team with the request_id and the input text. We use this feedback to continuously improve our models.

Q9: Can I create a policy that blocks toxicity but only flags PII?

A: Absolutely. This is a primary use case. Simply define both in your policy object with their respective actions. 
my_policy = {
    PolicyName.TOXICITY: {"action": Action.BLOCK},
    PolicyName.PII_DETECTION: {"action": Action.FLAG}
}

**Q10: What does the **strict=Falseparameter do and when should I use it?

A: strict=False changes the client’s behavior for specific client-side validation errors. For example, if you enable BANNED_TOPICS but provide an empty topics list, strict=True (the default) will raise an ArgusValueError, while strict=False will only issue a UserWarning. It can be useful for quick prototyping but is not recommended for production, as it can hide policy misconfigurations.

Platform Features (Assets & Sessions)

**Q11: I’m a Platform user. Do I still need to create **Policyobjects in my code?

A: No, and you generally shouldn’t. The primary benefit of the platform is managing policies in the UI. Your code should be as simple as possible: 
# The policy is pulled from the UI for 'asset-123'
platform_client = ArgusClient.create(api_key="rsk_...", asset_id="asset-123", save=True)
result = platform_client.check_prompt("Some text...")

**Q12: When should I use **set_asset_id()**vs. passing ** asset_idin the scan call?

A: It depends on your application’s architecture.
  • Use set_asset_id() when a client instance is dedicated to a single application or environment.
  • Pass asset_id in the scan call (e.g., check_prompt(..., asset_id=...)) when a single client acts as a gateway for multiple different applications. This override pattern is more flexible for multi-tenant systems.

Q13: What makes a good session_id?

A: A good session_id should be unique to each distinct conversation. A common pattern is to generate a UUID at the start of a user’s interaction and store it with their session state. Using a static user ID is not recommended, as it would group all of that user’s conversations over time into a single, confusing session.

Q14: If save=False, is any information about the scan sent to Argus?

A: The scan is performed, but no permanent record of the request or its outcome is stored in your analytics database on the Argus platform. The call is ephemeral. This is useful for developer testing or for handling extremely sensitive data that you do not want logged, even in a secure environment.

**Q15: What happens if I use save=Truebut don’t provide an ** asset_id?

A: The SDK will raise an ArgusValueError before making the API call. Data can only be saved when it can be associated with a specific asset in your account.

Error Handling & Debugging

Q16: I’m getting an ArgusPermissionError(HTTP 403). What does it mean?

A: This means your API key is valid but does not have permission for the requested action. The most common cause is using a Free-tier Playground Key (sk_) to access a Platform-tier feature like asset_id or save=True.

Q17: I got a 404 ArgusNotFoundError. What’s the most likely cause?

A: This almost always means the asset_id you provided in the client configuration or a specific call does not exist in your Argus account. Please verify the ID in your Argus dashboard.

Q18: The API is returning a 5xx ArgusInternalServerError. What should I do?

A: This indicates a problem on the Argus servers. It is not an error in your code. The best practice is to retry the request with an exponential backoff strategy. If the problem persists for an extended period, please contact our support team.

Performance & Best Practices

**Q19: What is the best way to manage the **ArgusClientinstance in a web application (e.g., Flask, Django)?

A: It is highly recommended to create a **single, long-lived **ArgusClientinstance when your application starts and reuse it across all subsequent requests. The underlying HTTP client is thread-safe and designed for concurrent use. Do not create a new client for every incoming API request, as this will add significant overhead from repeated authentication and connection setup. 
# In your application's startup file (e.g., app.py)
app = Flask(__name__)
argus_guard = ArgusClient.create(api_key=os.environ.get("ARGUS_API_KEY"))

@app.route('/check', methods=['POST'])
def check_text():
    # Reuse the global client instance
    result = argus_guard.check_prompt(request.json['prompt'])
    return jsonify(result)

# Remember to handle client.close() on application shutdown if possible.

Q20: Can I use policies from the UI and also from my code at the same time?

A: Yes, this is a core feature for Platform users. The client uses the policy from the Argus UI (associated with your asset_id) by default. If you pass a policy object to a scan method (e.g., check_prompt), it will temporarily override the UI policy for that single request only. The client’s default policy remains unchanged for subsequent calls.