ValueError
guardrails.guard.ValueError: LLM API key not configured
Stack trace
ValueError: LLM API key not configured. Expected environment variable not found or is empty. Set your LLM provider credentials before calling guard(data, llm_api_key=...) or via environment variables (OPENAI_API_KEY, ANTHROPIC_API_KEY, etc.)
Why it happens
Guardrails Guard uses LLMs internally for certain validators (like semantic similarity checks or instruction-following validation). When guard.validate() or guard(data) calls these validators, it needs an LLM API key to make requests. If no key is provided explicitly as a parameter and no environment variable is set, Guard raises this error. This commonly happens when deploying to a new environment where credentials aren't passed or when using Guard in a CI/CD pipeline without credential injection.
Detection
Add logging before guard(data) calls to verify that api_key environment variables are set: `print(os.environ.get('OPENAI_API_KEY', 'NOT SET'))`. Alternatively, catch ValueError and check the error message for 'API key' substring: this prevents silent failures in production.
Causes & fixes
OPENAI_API_KEY environment variable is not set when using OpenAI validators
Export OPENAI_API_KEY before running your script: `export OPENAI_API_KEY='sk-...'` or set it in .env and load with python-dotenv: `from dotenv import load_dotenv; load_dotenv()`
ANTHROPIC_API_KEY environment variable is not set when using Anthropic validators
Export ANTHROPIC_API_KEY before running: `export ANTHROPIC_API_KEY='sk-ant-...'` or load from .env file using python-dotenv
Guard initialized with LLM-based validators but no llm_api_key parameter passed to guard.validate() call
Pass llm_api_key explicitly: `guard.validate(data, llm_api_key=os.environ['OPENAI_API_KEY'])` or use guard.use_llm(llm_api_key=...) when setting up validators
Deploying to Docker/Kubernetes without mounting secrets or passing env vars to container
Mount secrets via Docker: `-e OPENAI_API_KEY=$OPENAI_API_KEY` or use Kubernetes secrets: `env: [{ name: OPENAI_API_KEY, valueFrom: { secretKeyRef: { name: llm-secrets, key: openai-key } } }]`
Code: broken vs fixed
from guardrails import Guard
from guardrails.hub import ToxicLanguage
import os
# API key NOT set in environment
if 'OPENAI_API_KEY' in os.environ:
del os.environ['OPENAI_API_KEY'] # Simulate missing key
guard = Guard().use(ToxicLanguage, on_fail='exception')
data = 'Please validate this text for toxic content'
result = guard.validate(data) # ❌ Raises ValueError: LLM API key not configuredfrom guardrails import Guard
from guardrails.hub import ToxicLanguage
import os
# ✅ FIXED: Set API key from environment or .env file
if 'OPENAI_API_KEY' not in os.environ:
# Option 1: Load from .env file using python-dotenv
from dotenv import load_dotenv
load_dotenv() # Loads OPENAI_API_KEY from .env
# Option 2: Or set it explicitly (NOT recommended for production)
# os.environ['OPENAI_API_KEY'] = 'sk-...'
guard = Guard().use(ToxicLanguage, on_fail='exception')
data = 'Please validate this text for toxic content'
# Pass the API key explicitly to validate (most reliable pattern)
result = guard.validate(data, llm_api_key=os.environ['OPENAI_API_KEY'])
print(f'Validation passed: {result.validation_passed}')Workaround
If you can't set environment variables in your current environment, pass the API key directly as a parameter to every guard.validate() call: `guard.validate(data, llm_api_key='sk-...')`. Alternatively, use only validators that don't require LLM calls (e.g., regex, length validators) and avoid semantic validators. Extract the sensitive validators into a separate Guard instance that only runs when credentials are available.
Prevention
Use a credential management system (AWS Secrets Manager, HashiCorp Vault, or Azure Key Vault) to inject API keys at runtime instead of relying on environment variables. For CI/CD, use GitHub Actions Secrets or GitLab CI Variables to safely pass credentials. Always validate that required environment variables exist before initializing Guard: `assert os.environ.get('OPENAI_API_KEY'), 'OPENAI_API_KEY not set'`. In containerized deployments, use init scripts to verify all required env vars are present before starting the application.