Privent ships a community n8n package — n8n-nodes-privent — with six nodes plus one credential type. Drop them into any workflow to tokenize PII before it reaches an LLM, score prompt risk, audit every step, and detokenize only at trusted egress sinks. Agent handoffs are signed into the Trust Map automatically. No proxy. No code changes. Audit-only — the integration never blocks a running workflow.
Install the community package
Self-host: enable N8N_COMMUNITY_PACKAGES_ENABLED on the n8n container, then Settings → Community Nodes → install n8n-nodes-privent. n8n Cloud Pro / Enterprise uses the same UI. The Cloud Free tier does not expose community nodes.
Add the Privent API credential
Create a Privent API credential with your AGENT_SDK key (pv_live_…). The credential authenticates every Privent node via Bearer auth and selects the vault backend: In-Memory for single-worker self-host, Privent Cloud for n8n Cloud or queue-mode deployments.
Place Session → Tokenize before the LLM
Privent Session generates the sessionId / traceId and prewarms an in-memory vault. Privent Tokenize replaces detected PII / secrets — 10 kinds including EMAIL, SSN, CREDIT_CARD, IBAN, AWS_KEY, JWT, API_KEY — with deterministic [KIND_NNN] placeholders before the prompt ever reaches the LLM node.
Detokenize only at trusted egress
Privent Detokenize resolves placeholders right before an HTTP / DB sink. Strict mode hashes the sink URL into a sinkId and matches it against your trustedSinks prefix list — sinks that don't match keep the placeholder, never the cleartext value.
Audit + handoff feed the Trust Map
Privent Handoff emits an agent_handoff audit event when one agent delegates to another agent or sink. Privent Audit Event emits custom observability events. The backend evaluates handoffs against AgentDelegation rows and surfaces violations + trust-score deltas on the Trust Map.
Add Privent to your existing n8n pipeline without changing your architecture. One addition. Full graph-state visibility.
{
  "nodes": [
    { "name": "Webhook", "type": "n8n-nodes-base.webhook" },
    { "name": "Session", "type": "n8n-nodes-privent.priventSession" },
    {
      "name": "Tokenize", // PII → [KIND_NNN]
      "type": "n8n-nodes-privent.priventTokenize",
      "parameters": { "sessionId": "={{$('Session').item.json.sessionId}}", "textField": "prompt" }
    },
    { "name": "OpenAI", "type": "n8n-nodes-base.openAi" },
    {
      "name": "Detokenize", // strict egress gate
      "type": "n8n-nodes-privent.priventDetokenize",
      "parameters": { "strict": true, "trustedSinks": "https://internal.acme.com" }
    }
  ]
}
External gateways receive only the final prompt string. Privent reads everything in context, in real time.
Tokenize replaces emails, SSNs, cards, and IBANs before any HTTP-to-OpenAI / Anthropic node fires; Detokenize restores them only at trusted internal sinks. The LLM sees [KIND_NNN] placeholders, never raw PII.
Privent Handoff emits agent_handoff events whenever a node delegates to another agent. The backend evaluates each handoff against AgentDelegation rows and flags unauthorized scope expansions on the Trust Map violation surface.
The trustedSinks comma-separated prefix list lets ops allow only internal API hosts. LLM-driven HTTP nodes that target unknown sinks keep the placeholder — the cleartext value stays in the vault.
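The tokenize and strict-detokenize flow described above, as an added sketch that is not Privent's code: every function name, both regexes and the sample data are assumptions, and the sinkId hashing step is left out. This sketch compares parsed origins instead of raw string prefixes so that an entry like https://internal.acme.com cannot match a longer lookalike hostname; the page does not say how Privent's own matcher treats that case, so ending each trustedSinks entry with a trailing slash is a reasonable precaution.

```javascript
// Added illustration; names, patterns and data are hypothetical, not Privent's API.
const PATTERNS = {
  EMAIL: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g,
  SSN: /\b\d{3}-\d{2}-\d{4}\b/g,
};

// Per-session vault: cleartext lives here, never in the prompt.
function createVault() {
  return { byValue: new Map(), byToken: new Map(), counters: {} };
}

// Deterministic within a session: the same value always yields the same [KIND_NNN].
function tokenize(vault, text) {
  let out = text;
  for (const [kind, re] of Object.entries(PATTERNS)) {
    out = out.replace(re, (value) => {
      const key = `${kind}:${value}`;
      if (!vault.byValue.has(key)) {
        const n = (vault.counters[kind] = (vault.counters[kind] || 0) + 1);
        const token = `[${kind}_${String(n).padStart(3, "0")}]`;
        vault.byValue.set(key, token);
        vault.byToken.set(token, value);
      }
      return vault.byValue.get(key);
    });
  }
  return out;
}

// Trusted only if scheme, host and port match exactly and the path sits under the entry.
function isTrustedSink(sinkUrl, trustedSinks) {
  let sink;
  try { sink = new URL(sinkUrl); } catch { return false; }
  return trustedSinks.split(",").map((s) => s.trim()).filter(Boolean).some((entry) => {
    let t;
    try { t = new URL(entry); } catch { return false; }
    const base = t.pathname.endsWith("/") ? t.pathname : t.pathname + "/";
    return sink.origin === t.origin && (sink.pathname + "/").startsWith(base);
  });
}

// Strict egress: an untrusted sink gets the text back with placeholders intact.
function detokenize(vault, text, sinkUrl, trustedSinks) {
  if (!isTrustedSink(sinkUrl, trustedSinks)) return text;
  return text.replace(/\[[A-Z_]+_\d{3}\]/g, (tok) => vault.byToken.get(tok) ?? tok);
}
```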
We integrate in under 30 minutes. No orchestration changes required. Your pipelines keep running. Privent keeps watching.