Welcome
Sonny Labs is the AI firewall for LLM inputs and outputs. A single /v1/scans call inspects prompts and model responses for prompt injection, PII, toxicity, and policy violations — and returns an allow / warn / flag / block decision your application can act on. The same surface ships as a SaaS endpoint at https://api.sonnylabs.ai and as a self-hosted Helm chart that runs inside your own VPC, including air-gapped environments.
Get started
Python SDK quickstart
Install sonnylabs, mint a key, and run your first scan from Python 3.10+ in under five minutes.
TypeScript SDK quickstart
Install @sonnylabs/sdk for Node 20.19+ or any modern fetch runtime and wire up your first scan.
MCP server for agentic clients
Run @sonnylabs/mcp inside Claude Desktop, Cursor, or Claude Code so the host's agent can scan, manage keys, and scaffold integrations directly.
Scan tiers
How the `tier` option on /v1/scans selects the prompt-injection model — when to use `fast`, `accurate`, or `auto`.
REST API reference
The full /v1/* surface, rendered from the OpenAPI spec.
Error codes
Stable dot-namespaced identifiers returned in the RFC 9457 Problem envelope. Branch on these in your SDK exception handlers.
OpenAPI spec
The canonical contract for every endpoint the SDKs wrap is the REST API reference. Both SDKs regenerate their internal types from the underlying OpenAPI spec — if you need a request or response field that the SDK has not yet exposed, the shape in the spec is authoritative.
Webhooks
Coming soon. Outbound webhook delivery is not yet live; only the HMAC-SHA256 verification helpers ship today. Wire your receiver ahead of time using the verification samples on the Webhooks page, and email support@sonnylabs.ai if you want a notification when deliveries start firing.

Once outbound delivery launches, scan events (scan.allowed, scan.flagged, scan.warned, scan.blocked) will be signed with HMAC-SHA256 and POSTed to your registered receiver. Each SDK ships a verifier you can unit-test against today — see Webhooks for the signing scheme and full verification samples in Python and TypeScript.