how-to-guide

How to Enable and Configure Tracing Sensitive Data Exclusion in openai-agents-python

April 17, 2026 openai/openai-agents-python ↗

You can exclude sensitive data from traces in openai-agents-python by setting the OPENAI_AGENTS_TRACE_INCLUDE_SENSITIVE_DATA environment variable to false or by explicitly setting trace_include_sensitive_data=False in your RunConfig.

The openai-agents-python SDK provides granular control over tracing sensitive data exclusion, allowing you to prevent tool inputs, LLM outputs, and audio blobs from being recorded in trace spans while maintaining observability. This is essential for production environments handling PII or sensitive business logic.

Understanding Tracing Sensitive Data Exclusion

Tracing sensitive data exclusion refers to the SDK's ability to redact potentially sensitive information from OpenTelemetry-compatible trace spans. When enabled, the system creates trace spans for monitoring and debugging but strips the actual payload data—such as tool arguments, model outputs, and audio content—replacing them with empty placeholders or metadata-only records.

The implementation spans three architectural layers: environment configuration, run-time configuration objects, and the internal model tracing interface that translates high-level settings into concrete span behaviors.

Configuration Levels for Sensitive Data Exclusion

Environment Variable Configuration

The most common approach for production deployments uses the OPENAI_AGENTS_TRACE_INCLUDE_SENSITIVE_DATA environment variable. When the SDK initializes a RunConfig object, it calls _default_trace_include_sensitive_data() in src/agents/run_config.py to read this variable:


# src/agents/run_config.py lines 38-42

def _default_trace_include_sensitive_data() -> bool:
    val = os.environ.get("OPENAI_AGENTS_TRACE_INCLUDE_SENSITIVE_DATA", "true")
    return val.lower() not in ("0", "false", "no", "off")

By default, if the variable is unset or set to truthy values ("1", "true", "yes", "on"), sensitive data is included in traces. To exclude sensitive data globally, set:

export OPENAI_AGENTS_TRACE_INCLUDE_SENSITIVE_DATA=false

Run-Time Configuration with RunConfig

For granular control, you can override the environment default when constructing a RunConfig. The trace_include_sensitive_data field accepts a boolean that takes precedence over the environment variable for that specific run:

from agents.run_config import RunConfig

# Explicitly exclude sensitive data for this configuration

config = RunConfig(trace_include_sensitive_data=False)

# Or accept the environment default

config_default = RunConfig()  # Uses OPENAI_AGENTS_TRACE_INCLUDE_SENSITIVE_DATA

The field definition in src/agents/run_config.py (lines 93-99) uses a default factory to ensure the environment is checked at instantiation time, not import time.

Model-Level Tracing Behavior

The SDK translates the high-level trace_include_sensitive_data flag into concrete ModelTracing enum values used by model implementations. In src/agents/tracing/model_tracing.py, the get_model_tracing_impl() function maps the run configuration to one of three states:


# src/agents/tracing/model_tracing.py lines 6-14

def get_model_tracing_impl(
    tracing_disabled: bool,
    trace_include_sensitive_data: bool
) -> ModelTracing:
    if tracing_disabled:
        return ModelTracing.DISABLED
    if trace_include_sensitive_data:
        return ModelTracing.ENABLED
    return ModelTracing.ENABLED_WITHOUT_DATA

DISABLED: No tracing occurs (spans are not created).
ENABLED: Full tracing with tool inputs, outputs, and LLM data.
ENABLED_WITHOUT_DATA: Spans are created for observability, but payloads are redacted.

Setting trace_include_sensitive_data=False results in ENABLED_WITHOUT_DATA, preserving your trace structure and timing information while ensuring sensitive data never leaves your environment.

Practical Implementation Examples

Global Opt-Out via Environment Variable

For CI pipelines or production deployments where you want a global policy against recording sensitive data, configure the environment before your Python process starts:


# .env or shell export

export OPENAI_AGENTS_TRACE_INCLUDE_SENSITIVE_DATA=false

python my_agent_app.py

This approach requires no code changes and ensures all RunConfig instances default to excluding sensitive payloads.

Per-Run Sensitive Data Exclusion

When you need tracing for debugging but must redact sensitive information for specific agent runs, instantiate RunConfig explicitly:

from agents import Agent, Runner
from agents.run_config import RunConfig

async def run_privacy_sensitive_agent():
    agent = Agent(
        name="Medical Advisor",
        # ... other config

    )
    
    # Exclude sensitive data for this specific run

    config = RunConfig(
        trace_include_sensitive_data=False,
        # ... other trace settings

    )
    
    result = await Runner.run(
        agent,
        input="Patient has symptoms...",
        run_config=config
    )
    return result

This pattern allows you to maintain full observability for internal tools while ensuring compliance when handling regulated data.

Disabling Tracing Entirely

For high-throughput batch processing where even redacted spans introduce unacceptable overhead, disable tracing completely:

from agents.tracing import set_tracing_disabled

# Disable tracing globally for this process

set_tracing_disabled(True)

# All subsequent Runner calls will produce no spans

Alternatively, use the RunConfig parameter:

config = RunConfig(tracing_disabled=True)

This is distinct from sensitive data exclusion—tracing_disabled prevents span creation entirely, while trace_include_sensitive_data=False creates spans without payloads.

Summary

Environment variable: Set OPENAI_AGENTS_TRACE_INCLUDE_SENSITIVE_DATA=false to globally exclude sensitive data from all traces.
RunConfig field: Set trace_include_sensitive_data=False when constructing RunConfig for per-run control.
Model Tracing: The SDK maps these settings to ModelTracing.ENABLED_WITHOUT_DATA, which creates spans but redacts tool inputs, outputs, and LLM data.
Complete disable: Use tracing_disabled=True or set_tracing_disabled() to stop span creation entirely, which is different from redaction.

Frequently Asked Questions

What is the default behavior for sensitive data in openai-agents-python tracing?

By default, sensitive data is included in traces. The _default_trace_include_sensitive_data() function in src/agents/run_config.py checks the OPENAI_AGENTS_TRACE_INCLUDE_SENSITIVE_DATA environment variable and defaults to True if the variable is unset or set to a truthy value like "1", "true", "yes", or "on".

Does setting trace_include_sensitive_data=False disable tracing completely?

No, setting trace_include_sensitive_data=False does not disable tracing. It changes the ModelTracing state to ENABLED_WITHOUT_DATA, meaning the SDK still creates spans and sends them to your trace exporter, but the payloads (tool inputs, outputs, and LLM data) are redacted. To disable tracing entirely, you must set tracing_disabled=True in RunConfig or call set_tracing_disabled(True).

How do I verify that sensitive data exclusion is working in my application?

You can verify sensitive data exclusion by inspecting the trace spans in your OpenTelemetry backend or by adding a custom span processor. When trace_include_sensitive_data=False, spans will be present but the input and output attributes on tool spans and generation spans will be empty or omitted. You can also check the ModelTracing state programmatically by inspecting agents.tracing.model_tracing.get_model_tracing_impl() with your current configuration flags.

Can I disable tracing for high-throughput batch processing jobs?

Yes, you can completely disable tracing for high-throughput scenarios to eliminate the overhead of span creation and export. Call set_tracing_disabled(True) from agents.tracing at the start of your batch job, or instantiate RunConfig with tracing_disabled=True. This is distinct from sensitive data exclusion—it prevents any spans from being created, whereas trace_include_sensitive_data=False would still create spans but without payload data.

Have a question about this repo?

These articles cover the highlights, but your codebase questions are specific. Give your agent direct access to the source. Share this with your agent to get started:

Share the following with your agent to get started:

curl -s "https://instagit.com/install.md"

Add to your MCP client configuration:

{
  "mcpServers": {
    "instagit": {
      "command": "npx",
      "args": ["-y", "instagit@latest"]
    }
  }
}

Ask your agent:

"Use Instagit MCP to understand how openai/openai-agents-python works."

Works with

Claude Codex Cursor VS Code OpenClaw Any MCP Client

Maintain an open-source project? Get it listed too →

How to Enable and Configure Tracing Sensitive Data Exclusion in **openai-agents-python**