Data Pylva needs
Pylva uses operational cost data:customer_idandstep_name.- Provider and model.
- Token counts, latency, and status.
- Metric and metric value for non-LLM usage.
- Pricing configuration.
- Rules, alerts, and webhook delivery settings.
- Invoice records and customer portal settings.
Data Pylva does not need
Do not send:- Prompts or completions.
- Raw messages or chat transcripts.
- Raw tool arguments, tool inputs, or tool outputs.
- Emails, phone numbers, or raw customer names when an opaque ID is available.
- API keys, provider credentials, authorization headers, or request bodies.
- Private customer content in metadata, step names, metric names, labels, or support messages.
API keys
API keys are scoped by key type: Agent SDK key, Admin API key, or Data import key. Plaintext keys are shown once when created. Pylva stores one-way verification hashes for API keys, not the plaintext key. Put keys in a backend secret store and rotate or revoke them if exposed. Use Admin API keys sparingly because they can mutate elevated project settings. Never expose any Pylva key in browser code, mobile apps, prompts, completions, logs, telemetry metadata, or support messages. See API keys for key types and endpoint families.Webhook security
Webhook delivery uses signed requests. Receivers should verify the raw request body withX-Pylva-Signature, X-Pylva-Timestamp, and the signing secret shown when the webhook is created or rotated.
Save webhook signing secrets immediately and store them in your receiver’s secret store. See Alert Delivery And Webhooks for verification examples.
Support diagnostics
When sharing diagnostics, include:- Request IDs.
- Batch IDs.
- SDK version.
- Timestamp.
- Non-sensitive customer ID.