Load module helps with serialization and deserialization.
Import an attribute from a module located in a package.
This utility function is used in custom __getattr__ methods within __init__.py
files to dynamically import attributes.
Return a dict representation of an object.
Return a JSON string representation of an object.
Revive a LangChain class from a JSON string.
Equivalent to load(json.loads(text)).
Only classes in the allowlist can be instantiated. The default allowlist
includes core LangChain types (messages, prompts, documents, etc.). See
langchain_core.load.mapping for the full list.
A serialized payload may carry constructor kwargs that affect runtime
behavior (custom base_url, headers, model name, etc.), so it should be
treated as executable configuration rather than plain text. If the
source is untrusted, avoid calling loads() on it; if you must, pass
allowed_objects='messages' or an explicit list of message classes.
See the module-level threat model for details.
Serializable base class.
This class is used to serialize objects to JSON.
It relies on the following methods and properties:
is_lc_serializable: Is this class serializable?
By design, even if a class inherits from Serializable, it is not serializable
by default. This is to prevent accidental serialization of objects that should
not be serialized.
get_lc_namespace: Get the namespace of the LangChain object.
During deserialization, this namespace is used to identify the correct class to instantiate.
Please see the Reviver class in langchain_core.load.load for more details.
During deserialization an additional mapping is handle classes that have moved or been renamed across package versions.
lc_secrets: A map of constructor argument names to secret ids.
lc_attributes: List of additional attribute names that should be included
as part of the serialized representation.
Load LangChain objects from JSON strings or objects.
Each Serializable LangChain object has a unique identifier (its "class path"), which
is a list of strings representing the module path and class name. For example:
AIMessage -> ["langchain_core", "messages", "ai", "AIMessage"]ChatPromptTemplate -> ["langchain_core", "prompts", "chat", "ChatPromptTemplate"]When deserializing, the class path from the JSON 'id' field is checked against an
allowlist. If the class is not in the allowlist, deserialization raises a ValueError.
A serialized LangChain payload crosses a trust boundary because the manifest
may contain serialized objects and configuration that affect runtime behavior.
For example, a payload can configure a chat model with a custom base_url,
custom headers, a different model name, or other constructor arguments. These
are supported features, but they also mean the payload contents should be
treated as executable configuration rather than plain text.
Concretely, deserialization instantiates Python objects, so any constructor
(__init__) or validator on an allowed class can run during load(). A
crafted payload that is allowed to reach an unintended class — or an intended
class with attacker-controlled kwargs — could cause network calls, file
operations, or environment-variable access while the object is being built.
If the source is untrusted, avoid calling load() / loads() on it. If
you must, restrict allowed_objects to types that do not execute logic
during init — allowed_objects='messages' (or an explicit list of
message classes) is the safe choice. Keep secrets_from_env=False.
The allowed_objects parameter controls which classes can be deserialized:
'messages': chat-message classes only (e.g. AIMessage,
HumanMessage). Safe for untrusted input.'core' (current default) — unsafe with untrusted manifests.
Classes defined in the serialization mappings under langchain_core
(messages, documents, prompts, etc.).'all' — unsafe with untrusted manifests. Every class in the
serialization mappings, including partner chat models and LLMs and their
constructor kwargs (endpoint URLs, headers, model names, etc.).Deserialization calls __init__ on allowed classes. If those classes perform
side effects during initialization (network calls, file operations, etc.),
those side effects will occur. The allowlist prevents instantiation of
classes outside the allowlist, but does not sandbox the allowed classes
themselves or constrain their constructor kwargs.
Import paths are also validated against trusted namespaces before any module is imported.
allowed_objects possible. For untrusted input,
pass an explicit list of classes or 'messages'. 'core' and 'all'
are unsafe with untrusted manifests — only use them when the source
serves the entire payload, including its configuration.secrets_from_env set to False (the default). If you must use it,
ensure the serialized data comes from a fully trusted source, as a crafted
payload can read arbitrary environment variables.secrets_map, include only the specific secrets that the
serialized object requires.During serialization, plain dicts that contain an 'lc' key are escaped by wrapping
them: {"__lc_escaped__": {...}}. During deserialization, escaped dicts are unwrapped
and returned as plain dicts, NOT instantiated as LC objects.
This is an allowlist approach: only dicts explicitly produced by
Serializable.to_json() (which are NOT escaped) are treated as LC objects;
everything else is user data.
Even if an attacker's payload includes __lc_escaped__ wrappers, it will be unwrapped
to plain dicts and NOT instantiated as malicious objects.
from langchain_core.load import load
from langchain_core.prompts import ChatPromptTemplate
from langchain_core.messages import AIMessage, HumanMessage
# Use default allowlist (classes from mappings) - recommended
obj = load(data)
# Allow only specific classes (most restrictive)
obj = load(
data,
allowed_objects=[
ChatPromptTemplate,
AIMessage,
HumanMessage,
],
)Serializable base class.
Init validators for deserialization security.
This module contains extra validators that are called during deserialization, ex. to prevent security issues such as SSRF attacks.
Each validator is a callable matching the InitValidator protocol: it takes a
class path tuple and kwargs dict, returns None on success, and raises
ValueError if the deserialization should be blocked.
Serialize LangChain objects to JSON.
Provides dumps (to JSON string) and dumpd (to dict) for serializing
Serializable objects.
During serialization, plain dicts (user data) that contain an 'lc' key are escaped
by wrapping them: {"__lc_escaped__": {...original...}}. This prevents injection
attacks where malicious data could trick the deserializer into instantiating
arbitrary classes. The escape marker is removed during deserialization.
This is an allowlist approach: only dicts explicitly produced by
Serializable.to_json() are treated as LC objects; everything else is escaped if it
could be confused with the LC format.
Serialization mapping.
This file contains a mapping between the lc_namespace path for a given
subclass that implements from Serializable to the namespace
where that class is actually located.
This mapping helps maintain the ability to serialize and deserialize well-known LangChain objects even if they are moved around in the codebase across different LangChain versions.
For example, the code for the AIMessage class is located in
langchain_core.messages.ai.AIMessage. This message is associated with the
lc_namespace of ["langchain", "schema", "messages", "AIMessage"],
because this code was originally in langchain.schema.messages.AIMessage.
The mapping allows us to deserialize an AIMessage created with an older
version of LangChain where the code was in a different location.