loads

loads(
  text: str,
  *,
  allowed_objects: Iterable[AllowedObject] | Literal

View source on GitHub

additional_import_mappings

ignore_unserializable_fields

Parameters

Name	Type	Description
`text`*	`str`	The string to load.
`allowed_objects`	`Iterable[AllowedObject] \| Literal['all', 'core', 'messages'] \| None`	Default:`None` Allowlist of classes that can be deserialized. Explicit list of classes (recommended for untrusted input): only those specific classes are allowed. `'messages'`: chat-message classes only. Safe for untrusted input. `'core'` (current default): unsafe with untrusted manifests. Classes defined in the serialization mappings under `langchain_core`. `'all'`: unsafe with untrusted manifests. Every class in the serialization mappings, including partner chat models and LLMs and their constructor kwargs. See `langchain_core.load.mapping` for the full list. `[]`: Disallow all deserialization (will raise on any object).
`secrets_map`	`dict[str, str] \| None`	Default:`None`
`valid_namespaces`	`list[str] \| None`	Default:`None`
`secrets_from_env`	`bool`	Default:`False`
`additional_import_mappings`	`dict[tuple[str, ...], tuple[str, ...]] \| None`	Default:`None`
`ignore_unserializable_fields`	`bool`	Default:`False`
`init_validator`	`InitValidator \| None`	Default:`default_init_validator`

Revive a LangChain class from a JSON string.

Equivalent to load(json.loads(text)).

Only classes in the allowlist can be instantiated. The default allowlist includes core LangChain types (messages, prompts, documents, etc.). See langchain_core.load.mapping for the full list.

Do not use with untrusted input

A serialized payload may carry constructor kwargs that affect runtime behavior (custom base_url, headers, model name, etc.), so it should be treated as executable configuration rather than plain text. For example, deserializing a model whose base_url points at an attacker-controlled host can result in Server-Side Request Forgery (SSRF); this is expected behavior, since loads() faithfully reconstructs the configuration in the manifest. If the source is untrusted, avoid calling loads() on it; if you must, pass allowed_objects='messages' or an explicit list of message classes. See the module-level threat model for details.

A map of secrets to load.

Only include the specific secrets the serialized object requires. If a secret is not found in the map, it will be loaded from the environment if secrets_from_env is True.

Additional namespaces (modules) to allow during deserialization, beyond the default trusted namespaces.

Whether to load secrets from the environment.

A crafted payload can name arbitrary environment variables in its secret fields, so enabling this on untrusted data can leak sensitive values. Keep this False (the default) unless the serialized data is fully trusted.

A dictionary of additional namespace mappings.

You can use this to override default mappings or add new mappings.

When allowed_objects is None (using defaults), paths from these mappings are also added to the allowed class paths.

Whether to ignore unserializable fields.

Optional callable to validate kwargs before instantiation.

If provided, this function is called with (class_path, kwargs) where class_path is the class path tuple and kwargs is the kwargs dict. The validator should raise an exception if the object should not be deserialized, otherwise return None.

Defaults to default_init_validator which blocks jinja2 templates.

LangChain Assistant

Menu

loads

Parameters