Heuristic:Openai Openai agents python Sensitive Data Logging Defaults
| Knowledge Sources | |
|---|---|
| Domains | Security, Debugging |
| Last Updated | 2026-02-11 14:00 GMT |
Overview
Sensitive data is suppressed from debug logs by default but included in traces, creating a deliberate asymmetry between local logging and remote tracing.
Description
The SDK has two separate systems for recording execution data: local debug logging (Python `logging` module) and remote tracing (OpenAI trace API). These have opposite defaults for sensitive data:
- Debug logs: Suppress model and tool I/O by default (`DONT_LOG_MODEL_DATA=True`, `DONT_LOG_TOOL_DATA=True`)
- Traces: Include sensitive data by default (`OPENAI_AGENTS_TRACE_INCLUDE_SENSITIVE_DATA=true`)
This asymmetry means developers see clean logs locally while still getting full observability in the trace dashboard.
Usage
Be aware of this when:
- Debugging locally: Enable data logging by setting `OPENAI_AGENTS_DONT_LOG_MODEL_DATA=false` and `OPENAI_AGENTS_DONT_LOG_TOOL_DATA=false`
- Compliance requirements: Disable sensitive data in traces by setting `OPENAI_AGENTS_TRACE_INCLUDE_SENSITIVE_DATA=false`
- Production deployments: Traces may contain PII unless explicitly opted out
The Insight (Rule of Thumb)
- Action: For debugging, set `OPENAI_AGENTS_DONT_LOG_MODEL_DATA=false` and `OPENAI_AGENTS_DONT_LOG_TOOL_DATA=false` to see full data in logs. For compliance, set `OPENAI_AGENTS_TRACE_INCLUDE_SENSITIVE_DATA=false`.
- Value: Debug logging defaults to suppressed; trace data defaults to included.
- Trade-off: Default settings protect against accidentally leaking sensitive data to console/log files while maintaining full observability in the trace API.
Reasoning
Debug logs often end up in log files, CI output, or terminal scrollback where they can be inadvertently exposed. Traces go to a controlled, authenticated API endpoint with access controls. The different defaults reflect these different risk profiles.
Code evidence from `_debug.py:12-28`:
```python
def _load_dont_log_model_data() -> bool:
    return _debug_flag_enabled("OPENAI_AGENTS_DONT_LOG_MODEL_DATA", default=True)


def _load_dont_log_tool_data() -> bool:
    return _debug_flag_enabled("OPENAI_AGENTS_DONT_LOG_TOOL_DATA", default=True)


DONT_LOG_MODEL_DATA = _load_dont_log_model_data()
"""By default we don't log LLM inputs/outputs, to prevent exposing sensitive information."""

DONT_LOG_TOOL_DATA = _load_dont_log_tool_data()
"""By default we don't log tool call inputs/outputs, to prevent exposing sensitive information."""
```
Trace sensitive data default from `run_config.py:30-33`:
```python
import os


def _default_trace_include_sensitive_data() -> bool:
    # Unset means "true"; any value outside the truthy set evaluates to False.
    val = os.getenv("OPENAI_AGENTS_TRACE_INCLUDE_SENSITIVE_DATA", "true")
    return val.strip().lower() in ("1", "true", "yes", "on")
```
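
A deployment-time check for the settings described on this page, as an added example (not code from the SDK): it reads the three environment variables and reports which ones would let model or tool data reach traces or debug logs. The trace flag is parsed as in the `run_config.py` excerpt; how `_debug_flag_enabled` parses its value is not shown here, so the check assumes that only the same truthy strings keep suppression on. The names `audit`, `trace_includes_sensitive` and `log_suppressed` are hypothetical.

```python
import os

# Truthy strings taken from the run_config.py excerpt on this page.
TRUTHY = ("1", "true", "yes", "on")
TRACE_VAR = "OPENAI_AGENTS_TRACE_INCLUDE_SENSITIVE_DATA"
LOG_VARS = ("OPENAI_AGENTS_DONT_LOG_MODEL_DATA", "OPENAI_AGENTS_DONT_LOG_TOOL_DATA")


def trace_includes_sensitive(env):
    """Same rule as the excerpt: unset means "true"; any unrecognized value means False."""
    return env.get(TRACE_VAR, "true").strip().lower() in TRUTHY


def log_suppressed(env, name):
    """Unset keeps the page's default (suppressed).

    Assumption: a set value keeps suppression on only if it is a TRUTHY string.
    The SDK's _debug_flag_enabled is not shown on the page, so this check is
    deliberately strict and reports typos such as "ture" as findings.
    """
    raw = env.get(name)
    return True if raw is None else raw.strip().lower() in TRUTHY


def audit(env=None):
    """Return (variable, reason) pairs for settings that expose model/tool data."""
    env = os.environ if env is None else env
    findings = []
    if trace_includes_sensitive(env):
        state = "unset (default true)" if TRACE_VAR not in env else repr(env[TRACE_VAR])
        findings.append((TRACE_VAR, f"{state}: traces carry model and tool I/O"))
    for name in LOG_VARS:
        if not log_suppressed(env, name):
            findings.append((name, f"{env[name]!r}: debug logs may carry sensitive data"))
    return findings


if __name__ == "__main__":
    # Constructed sample environments, not taken from a real deployment.
    samples = {
        "defaults": {},
        "compliance": {TRACE_VAR: "false"},
        "local debugging": {TRACE_VAR: "false", LOG_VARS[0]: "false", LOG_VARS[1]: "false"},
    }
    for label, env in samples.items():
        print(label, "->", audit(env) or "no findings")
```

Under the parsing shown in the `run_config.py` excerpt, a misspelled value for the trace variable evaluates to false, so a typo there excludes sensitive data from traces rather than including it.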