# Choose Scan Settings

Pick content type, phase, mode, focus, profile, and data sensitivity from real product examples.

Source URL: https://trymighty.ai/docs/concepts/configs

Mighty inspects anything before your product trusts it: user input, generated output, uploads, OCR text, image evidence, PDF evidence, office documents, and agent tool output.

Start with the thing your product is about to trust. Then choose the settings that match that story.

For definitions of `focus`, AI edits, steganography, prompt injection, and related terms, see the [glossary](/docs/concepts/glossary).

## Start With The Thing You Are About To Trust

Use this table first. It shows the setting combinations that should be copied into real integrations.

| Scenario | Use these settings | Why |
| --- | --- | --- |
| User prompt before AI | `content_type=text`, `scan_phase=input`, `mode=secure`, `focus=steg` | Finds text trying to override rules, steer the model, reveal secrets, or hide unsafe instructions. |
| OCR text before automation | `content_type=text`, `scan_phase=input`, `mode=secure`, `focus=steg`, `data_sensitivity=tolerant` | OCR can expose hidden or altered text. Tolerant mode avoids blocking normal names, addresses, claim IDs, and invoice details. |
| Public AI answer | `content_type=text`, `scan_phase=output`, `mode=secure`, `focus=steg`, `profile=ai_safety`, `data_sensitivity=strict` | Checks generated output before users see leaks, unsafe text, or policy-breaking content. |
| Internal AI summary | `content_type=text`, `scan_phase=output`, `focus=steg`, `data_sensitivity=tolerant` | Lets normal business PII exist in internal notes while still catching unsafe generated output. |
| Mixed file upload | `content_type=auto`, `scan_phase=input`, `mode=secure`, `focus=steg` | Safest default before storage, OCR, indexing, or AI extraction. |
| Office document | `content_type=document`, `focus=steg` | Office/structured documents currently support hidden-content and threat inspection only. Wrong focus values return `unsupported_focus_for_content_type`. |
| Image authenticity review | `content_type=image`, `scan_phase=input`, `mode=secure`, `focus=ai` | Use when the main question is whether visual evidence looks AI-generated, AI-edited, reposted, or provenance-backed. |
| Image edit comparison | `content_type=image`, `scan_phase=input`, `mode=secure`, `focus=edits`, `reference_file=@original.jpg` | Use when you have an original/source image and need to find what changed in the submitted image. |
| Full image/PDF evidence review | `content_type=image` or `pdf`, `focus=all` | Use when hidden content, authenticity, and edit evidence all matter. |
| High-value image/PDF review | `mode=comprehensive`, `async=true`, `focus=all` | Use when latency is acceptable and the result affects money, safety, account trust, or legal review. |

## Safe Default

If you are unsure, start here:

```json
{
  "content_type": "auto",
  "scan_phase": "input",
  "mode": "secure",
  "focus": "steg",
  "profile": "balanced",
  "data_sensitivity": "standard"
}
```

This says: "A user or upstream system submitted something, Mighty should inspect it with the normal production path, and normal product policy should decide what happens next."

Change the defaults only when the workflow needs it:

- Use `data_sensitivity=tolerant` when the text normally contains names, addresses, claim IDs, policy numbers, invoice lines, or contact details.
- Use `profile=ai_safety` and `data_sensitivity=strict` for public AI output.
- Use `focus=ai`, `focus=edits`, or `focus=all` only for supported image/PDF evidence paths.
- Use `mode=comprehensive` and `async=true` for high-value image/PDF review where waiting is acceptable.

## Input Inspection

Input inspection means the material came from a user, customer, claimant, vendor, partner, upload, browser, or upstream system.

Examples:

| What came in | Settings | What Mighty looks for |
| --- | --- | --- |
| Chat prompt or form field | `content_type=text`, `scan_phase=input`, `focus=steg` | Prompt injection, content steering, secrets, unsafe instructions, and hidden text patterns. |
| Uploaded PDF, image, or document before storage | `content_type=auto`, `scan_phase=input`, `focus=steg` | Hidden content, suspicious text, visual prompt injection, unsafe file text, and parser-safe extraction risk. |
| Office document | `content_type=document`, `scan_phase=input`, `focus=steg` | Hidden content and threat inspection in structured documents. |
| Damage photo or receipt photo | `content_type=image`, `scan_phase=input`, `focus=all` | Hidden content, AI authenticity evidence, and localized edit evidence together. |
| Known image authenticity review | `content_type=image`, `scan_phase=input`, `focus=ai` | Whether the visual evidence appears AI-generated, AI-edited, reposted, provenance-backed, or visually inconsistent. |
| Original vs submitted image | `content_type=image`, `scan_phase=input`, `focus=edits`, `reference_file=@original.jpg` | What changed between the source image and the submitted image. |

For browser or API uploads, see [Scan File Uploads](/docs/integrate/file-uploads). For visual evidence, see [Damage Photo AI Fraud Review](/docs/integrate/images-ai-fraud).

## Output Inspection

Output inspection means your system generated the material: a model answer, OCR text, extraction result, AI summary, agent tool result, generated recommendation, or public response.

Scan output before users, models, tools, or workflow automation act on it.

```json
{
  "content": "Generated answer shown to a user",
  "content_type": "text",
  "scan_phase": "output",
  "mode": "secure",
  "focus": "steg",
  "profile": "ai_safety",
  "data_sensitivity": "strict"
}
```

Use the `scan_group_id` from the related input scan. That keeps the prompt, upload, OCR output, model answer, and review record connected.

| Output | Settings | Why |
| --- | --- | --- |
| Public assistant answer | `scan_phase=output`, `focus=steg`, `profile=ai_safety`, `data_sensitivity=strict` | Catches unsafe generated text, secret leakage, and policy-breaking output before users see it. |
| Internal claim or invoice summary | `scan_phase=output`, `focus=steg`, `data_sensitivity=tolerant` | Normal business PII can remain in reviewer-only notes while unsafe output still gets routed. |
| OCR text or extracted fields | `content_type=text`, `scan_phase=input`, `focus=steg`, `data_sensitivity=tolerant` | OCR output is derived, but it is still untrusted input to your automation. |
| Agent tool output | `scan_phase=output`, `focus=steg`, `profile=ai_safety` or `code_assistant` | Keeps unsafe tool results, retrieved text, and browser content out of the next model step. |

For generated responses, see [Scan Model Output](/docs/integrate/model-output). For multi-step evidence chains, see [Sessions And Scan Groups](/docs/concepts/sessions).

## Focus Modes Without Jargon

`focus` answers: what kind of risk or evidence should Mighty prioritize?

| Focus | Plain meaning | Use it for | Do not use it for |
| --- | --- | --- | --- |
| `steg` | Hidden content, prompt injection, content steering, unsafe text, OCR/document safety. | Text, OCR text, model output, mixed uploads, office documents, AI-facing uploads. | AI-authenticity-only review or pairwise image comparison. |
| `ai` | Is this visual evidence likely generated, AI-edited, reposted, or missing useful provenance? | Damage photos, receipt photos, marketplace listing images, ID or verification images, screenshot/PDF evidence where authenticity is the main question. | Text, OCR text, model output, office documents, or anything where hidden instructions could reach an AI system unless paired via `focus=all`. |
| `edits` | What changed, and where does the submitted image look manipulated? | Original vs submitted damage photos, altered labels, receipts, package photos, food photos, screenshots, and document images where visible text may have changed. | Office documents, text/OCR/model output, or general hidden-instruction safety scans. |
| `all` | Run the supported image/PDF evidence paths together at 10 SCU per image unit. | Image/PDF evidence where hidden content, authenticity, and edit evidence all matter. | Structured office documents; use `focus=steg`. |

Default value: `steg`. Focused image paths bill 4 SCU per image. `focus=all` bills 10 SCU per image unit. Deprecated aliases still exist: `standard` maps to `steg`, and `both` maps to `all`.

Office and structured documents currently support `steg` only. For `content_type=document`, `focus=ai`, `focus=edits`, `focus=all`, and deprecated `focus=both` return `400` with `code=unsupported_focus_for_content_type`.

For the technical compatibility table, see [POST /v1/scan focus compatibility](/docs/api-reference/v1-scan#focus-compatibility).

## When `focus=ai` Is Useful

Ask: "Is this visual evidence likely generated, AI-edited, reposted, or missing useful provenance?"

Use `focus=ai` when authenticity is the main question and you already know the material is image/PDF evidence.

```bash
curl -X POST https://gateway.trymighty.ai/v1/scan \
  -H "Authorization: Bearer $MIGHTY_API_KEY" \
  -F "file=@./receipt-photo.jpg" \
  -F "content_type=image" \
  -F "scan_phase=input" \
  -F "mode=secure" \
  -F "focus=ai" \
  -F "profile=strict"
```

This is review evidence, not proof of fraud. Use `focus=all` instead when the same image/PDF may also contain hidden instructions or unsafe text.

## When `focus=edits` Is Useful

Ask: "What changed, and where does the submitted image look manipulated?"

The best path is to send a source image with `reference_file`.

```bash
curl -X POST https://gateway.trymighty.ai/v1/scan \
  -H "Authorization: Bearer $MIGHTY_API_KEY" \
  -F "file=@./submitted-damage-photo.jpg" \
  -F "reference_file=@./original-damage-photo.jpg" \
  -F "content_type=image" \
  -F "scan_phase=input" \
  -F "mode=secure" \
  -F "focus=edits" \
  -F "profile=strict"
```

Without a reference image, Mighty can only return conservative hints. Use `focus=all` when you also need hidden-content or AI-authenticity review.

## Mode, Profile, And Data Sensitivity

These settings are separate from focus.

| Setting | Plain question | Default | Change it when |
| --- | --- | --- | --- |
| `mode` | How deep should Mighty look? | `secure` | Use `fast` for low-risk low-latency text. Use `comprehensive` for high-value image/PDF review and async scans. |
| `profile` | How strict is this workflow? | `balanced` | Use `strict` for regulated, financial, legal, insurance, healthcare, or high-value workflows. Use `ai_safety` for public AI output. |
| `data_sensitivity` | Should normal PII be expected? | `standard` | Use `tolerant` for claims, invoices, healthcare, identity, or support workflows. Use `strict` for public output, secrets, and credentials. |

Mode is not tolerance. `mode` changes how deep the inspection goes. `profile`, `data_sensitivity`, and your routing policy decide how strict the product is after Mighty returns a result. See [Modes And Tolerance](/docs/concepts/modes-tolerance).

## Content Types

`content_type` answers: what kind of thing is this?

| Value | Use when |
| --- | --- |
| `auto` | Your server does not know the type yet, or the upload route accepts mixed files. |
| `text` | Chat text, form fields, OCR text, extracted fields, model output, tool output, notes, or transcripts. |
| `image` | Damage photos, ID images, receipt photos, screenshots, marketplace images, or visual evidence. |
| `pdf` | PDF claim packets, invoices, estimates, forms, statements, or evidence packets. |
| `document` | Office or structured documents such as DOCX, XLSX, PPTX, CSV, Markdown, JSON, XML, HTML, RTF, and similar business files. |

If a PDF contains images, still send it as `pdf`. If an OCR system extracted text from a PDF, scan that extracted text as `content_type=text` and reuse the same `scan_group_id`.

## IDs And Review

Store these fields so your reviewers and logs can explain what happened:

| Field | Use it for |
| --- | --- |
| `request_id` | One unique request. Use it for retries and logs. |
| `scan_id` | The exact Mighty result. Use it for audit and async polling. |
| `scan_group_id` | Connect original input, OCR text, model output, image evidence, and review for one item. |
| `session_id` | Connect the wider chat, claim, case, batch, or agent run. |

Route results in product language:

| Action | Product route |
| --- | --- |
| `ALLOW` | Continue. Store IDs. |
| `WARN` | Review, add friction, constrain the model/tool path, or request more evidence. |
| `BLOCK` | Stop the workflow, or show `redacted_output` when Mighty returns it and your policy allows it. |

## Common Wrong Choices

- Using `focus=all` for normal text, OCR text, or model output. Use `focus=steg`.
- Using `focus=ai` as a fraud verdict. Mighty flags review evidence; your business process decides fraud.
- Using `focus=edits` without explaining reference vs no-reference review. Use `reference_file` when you have the source image.
- Using `focus=ai`, `focus=edits`, or `focus=all` on `content_type=document`. Structured documents support `focus=steg` only.
- Using `mode=fast` because a workflow should be tolerant. Use `data_sensitivity=tolerant` for expected PII.
- Scanning only OCR text when the original file is available. Scan the file first, then scan extracted text with the same `scan_group_id`.