Install n8n-nodes-privent, configure the Privent API credential, and run a four-node tokenize → score → detokenize chain end-to-end.
Drop Privent into your n8n workflow to tokenize PII and secrets before they reach an LLM, then detokenize at trusted egress.
Confirm you have a compatible n8n instance and an active Privent AGENT_SDK key.
Pick the path that matches your hosting model. All three result in the same set of nodes loaded into the editor.
Start n8n with community packages enabled, then install the package from the editor.
docker run -d --name n8n \ -p 5678:5678 \ -e N8N_COMMUNITY_PACKAGES_ENABLED=true \ -e N8N_COMMUNITY_PACKAGES_ALLOW_TOOL_USAGE=true \ -v ~/.n8n:/home/node/.n8n \ n8nio/n8n:latest
Cloud-managed installs follow the same UI flow, no infrastructure changes required.
Install the package directly into the n8n custom-extensions directory when the editor cannot reach npm.
mkdir -p ~/.n8n/nodes cd ~/.n8n/nodes npm init -y npm install n8n-nodes-privent N8N_CUSTOM_EXTENSIONS=~/.n8n/nodes n8n start
Create a Privent API credential in n8n so every Privent node authenticates against your organization.
A six-node chain that opens a session, tokenizes the prompt, scores its risk, detokenizes at trusted egress, and audits every handoff.
Generates a session ID and trace ID, prewarms an in-memory vault for the run, and emits a session_open audit event. Place this immediately after your trigger; every downstream Privent node reads its sessionId from here.
Scans the configured text field with 10 regex detectors plus an optional ML pass, then replaces every detection with a deterministic [KIND_NNN] placeholder. Returns the tokenized text, the entity list, and a per-prompt risk score.
Standalone scoring node. Use it as a tool input for AI Agents, or as a Switch source to route HIGH/CRITICAL prompts into a human-review branch. The risk score is also embedded in the Tokenize output, so this node is optional.
Resolves [KIND_NNN] tokens back to the original values right before a trusted egress sink (HTTP Request, database, internal API). In strict mode, the node hashes the sink URL into a sinkId and matches it against the trustedSinks prefix list; non-matching sinks keep the placeholder.
Emits an agent_handoff audit event whenever one agent delegates to another agent or to an external sink. Reason enum: delegation · subgraph_call · tool_invocation · webhook_trigger · other. These events feed the Trust Map graph and the delegation violation surface.
Drop anywhere in the workflow to emit a custom observability event (llm_call cost, tool_invocation, error). Same audit pipeline as the rest of the nodes: no branching logic, just structured signal.
Input "Hi, my email is alice@acme.com and SSN is 123-45-6789. Card: 4111-1111-1111-1111." After Tokenize "Hi, my email is [EMAIL_001] and SSN is [SSN_001]. Card: [CREDIT_CARD_001]." After Detokenize at egress "Hi, my email is alice@acme.com and SSN is 123-45-6789. Card: 4111-1111-1111-1111."
Confirm the integration is wired correctly and your traffic is reaching real Privent ML, not the local fallback.
Use a string with mixed entities such as "alice@acme.com / 123-45-6789 / 4111-1111-1111-1111". Execute the workflow once via the manual trigger.
The text field should contain [EMAIL_NNN], [SSN_NNN], and [CREDIT_CARD_NNN] placeholders. The privent.entities array should list the three detections with confidence > 0.8.
On the Risk Check node output, the privent.model field must NOT equal fallback. A real model identifier means traffic reached Privent Cloud and the auth chain is healthy.
The Detokenize node output text should match the original prompt byte-for-byte. Any drift indicates a session ID mismatch or a vault lookup miss.
Common issues and how to resolve them.
The package was published to npm but never installed on this n8n instance. Open Settings → Community Nodes and install n8n-nodes-privent. Self-host docker also requires N8N_COMMUNITY_PACKAGES_ENABLED=true at boot.
The AGENT_SDK key is missing, malformed, or revoked. Confirm the key is active in the Privent dashboard and that it is an AGENT_SDK key; extension keys are scoped differently and will fail here.
Inspect the Risk Check node output for privent.model: 'fallback'. When fallback fires, the SDK couldn't reach api.privent.ai or the per-host circuit breaker is OPEN. Confirm api.privent.ai is reachable from the n8n host and that the AGENT_SDK key is still active. The score stays usable (defaults to risk_score: 0, LOW); the integration is audit-only and never blocks the workflow.
The session ID at Detokenize does not match the one used at Tokenize. Re-check the Session ID expression: both nodes should reference {{$('Privent Session').item.json.sessionId}}.
In queue mode, in-memory vaults are scoped per worker. Switch the credential's Vault Backend to Privent Cloud so token state is shared across workers.
Add --ignore-scripts --omit=optional to the npm install when running the manual install path. The n8n image already bundles isolated-vm; community packages don't need to rebuild it.