Jump to content

Connect Leeroopedia MCP: Equip your AI agents to search best practices, build plans, verify code, diagnose failures, and look up hyperparameter defaults.

Heuristic:Openai Openai agents python Sensitive Data Logging Defaults

From Leeroopedia
Knowledge Sources
Domains Security, Debugging
Last Updated 2026-02-11 14:00 GMT

Overview

Sensitive data is suppressed from debug logs by default but included in traces, creating a deliberate asymmetry between local logging and remote tracing.

Description

The SDK has two separate systems for recording execution data: local debug logging (Python `logging` module) and remote tracing (OpenAI trace API). These have opposite defaults for sensitive data:

  • Debug logs: Suppress model and tool I/O by default (`DONT_LOG_MODEL_DATA=True`, `DONT_LOG_TOOL_DATA=True`)
  • Traces: Include sensitive data by default (`OPENAI_AGENTS_TRACE_INCLUDE_SENSITIVE_DATA=true`)

This asymmetry means developers see clean logs locally while still getting full observability in the trace dashboard.

Usage

Be aware of this when:

  • Debugging locally: Enable data logging by setting `OPENAI_AGENTS_DONT_LOG_MODEL_DATA=false` and `OPENAI_AGENTS_DONT_LOG_TOOL_DATA=false`
  • Compliance requirements: Disable sensitive data in traces by setting `OPENAI_AGENTS_TRACE_INCLUDE_SENSITIVE_DATA=false`
  • Production deployments: Traces may contain PII unless explicitly opted out

The Insight (Rule of Thumb)

  • Action: For debugging, set `OPENAI_AGENTS_DONT_LOG_MODEL_DATA=false` and `OPENAI_AGENTS_DONT_LOG_TOOL_DATA=false` to see full data in logs. For compliance, set `OPENAI_AGENTS_TRACE_INCLUDE_SENSITIVE_DATA=false`.
  • Value: Debug logging defaults to suppressed; trace data defaults to included.
  • Trade-off: Default settings protect against accidentally leaking sensitive data to console/log files while maintaining full observability in the trace API.

Reasoning

Debug logs often end up in log files, CI output, or terminal scrollback where they can be inadvertently exposed. Traces go to a controlled, authenticated API endpoint with access controls. The different defaults reflect these different risk profiles.

Code evidence from `_debug.py:12-28`: 

def _load_dont_log_model_data() -> bool:
    return _debug_flag_enabled("OPENAI_AGENTS_DONT_LOG_MODEL_DATA", default=True)

def _load_dont_log_tool_data() -> bool:
    return _debug_flag_enabled("OPENAI_AGENTS_DONT_LOG_TOOL_DATA", default=True)

DONT_LOG_MODEL_DATA = _load_dont_log_model_data()
"""By default we don't log LLM inputs/outputs, to prevent exposing sensitive information."""

DONT_LOG_TOOL_DATA = _load_dont_log_tool_data()
"""By default we don't log tool call inputs/outputs, to prevent exposing sensitive information."""

Trace sensitive data default from `run_config.py:30-33`: 

def _default_trace_include_sensitive_data() -> bool:
    val = os.getenv("OPENAI_AGENTS_TRACE_INCLUDE_SENSITIVE_DATA", "true")
    return val.strip().lower() in ("1", "true", "yes", "on")

Related Pages

Page Connections

Double-click a node to navigate. Hold to expand connections.
Principle
Implementation
Heuristic
Environment
Retrieved from "https://leeroopedia.com/index.php?title=Heuristic:Openai_Openai_agents_python_Sensitive_Data_Logging_Defaults&oldid=308"