Redaction Rules API

Manage PII redaction rules for your project. LogStitch ships with built-in patterns for common sensitive data (credit cards, SSNs, JWTs, etc.) and supports custom rules for your domain-specific needs.

List Rules

GET /api/v1/redaction/rules

List all redaction rules for the project, including built-in patterns and any custom rules you have created.

Auth: Master key or Project key

List all rules
curl https://logstitch.io/api/v1/redaction/rules \
  -H "Authorization: Bearer mk_..."
200 Success
Response
{
  "rules": [
    {
      "id": "builtin_credit_card",
      "type": "builtin",
      "name": "Credit Card Number",
      "behavior": "replace",
      "enabled": true,
      "builtin_id": "credit_card"
    },
    {
      "id": "550e8400-e29b-41d4-a716-446655440000",
      "type": "pattern",
      "name": "Internal Account ID",
      "pattern": "ACC-[0-9]{8}",
      "behavior": "mask",
      "enabled": true,
      "created_at": "2026-01-15T09:30:00.000Z"
    }
  ],
  "request_id": "req_abc123"
}

Create Rule

POST /api/v1/redaction/rules

Create a custom redaction rule. You can define regex-based pattern rules or field-level redaction rules that target specific paths in the event payload.

Auth: Master key only

Request body

| Name | Type | Required | Description |
|---|---|---|---|
| type | string | Required | "pattern" (regex match across all string fields) or "field_redact" (target specific fields by dot-path) |
| name | string | Required | A human-readable label for the rule (1-100 characters) |
| pattern | string | Optional | Regex pattern to match. Required when type is "pattern". |
| fields | string[] | Optional | Array of dot-path field names to redact. Required when type is "field_redact". |
| behavior | string | Optional | "replace" (default; replaces with [REDACTED]), "hash" (SHA-256 hash), or "mask" (partial masking) |
| enabled | boolean | Optional | Whether the rule is active. Default: true |

Create a pattern rule
curl -X POST https://logstitch.io/api/v1/redaction/rules \
  -H "Authorization: Bearer mk_..." \
  -H "Content-Type: application/json" \
  -d '{
    "type": "pattern",
    "name": "Internal Account ID",
    "pattern": "ACC-[0-9]{8}",
    "behavior": "mask"
  }'
201 Success
Response
{
  "rule": {
    "id": "550e8400-e29b-41d4-a716-446655440000",
    "type": "pattern",
    "name": "Internal Account ID",
    "pattern": "ACC-[0-9]{8}",
    "behavior": "mask",
    "enabled": true,
    "created_at": "2026-01-15T09:30:00.000Z"
  },
  "request_id": "req_abc123"
}
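
A pre-flight check for a Create Rule body, added here as an example and not part of LogStitch's own code or SDK. It enforces the constraints from the request-body table and runs the regex over sample strings you construct; `check_rule` and the sample strings are hypothetical, and Python's `re` is assumed to behave like the server's regex engine for the pattern under test.

```python
import re

# Rule body from the page's "Create a pattern rule" request.
RULE = {"type": "pattern", "name": "Internal Account ID",
        "pattern": "ACC-[0-9]{8}", "behavior": "mask"}


def check_rule(rule, must_match=(), must_not_match=()):
    """Return a list of problems with a Create Rule body; empty means OK.

    must_match / must_not_match are sample strings you construct to catch a
    pattern that misses real values or fires on unrelated ones.
    """
    problems = []
    rtype = rule.get("type")
    if rtype not in ("pattern", "field_redact"):
        problems.append("type must be 'pattern' or 'field_redact'")
    name = rule.get("name")
    if not isinstance(name, str) or not 1 <= len(name) <= 100:
        problems.append("name must be 1-100 characters")
    if rule.get("behavior", "replace") not in ("replace", "hash", "mask"):
        problems.append("behavior must be replace, hash or mask")
    if rtype == "field_redact":
        fields = rule.get("fields")
        if (not isinstance(fields, list) or not fields
                or not all(isinstance(f, str) and f for f in fields)):
            problems.append("fields must be a non-empty list of dot-paths")
    if rtype == "pattern":
        pattern = rule.get("pattern")
        if not isinstance(pattern, str) or not pattern:
            return problems + ["pattern is required when type is 'pattern'"]
        try:
            # Assumption: Python's re stands in for the server's regex engine.
            rx = re.compile(pattern)
        except re.error as exc:
            return problems + [f"pattern does not compile: {exc}"]
        if rx.search(""):
            problems.append("pattern matches the empty string")
        problems += [f"missed sample: {s!r}" for s in must_match
                     if not rx.search(s)]
        problems += [f"over-matched sample: {s!r}" for s in must_not_match
                     if rx.search(s)]
    return problems
```

Passing a lowercase sample such as `"refund to acc-12345678"` in `must_match` reports it as missed, which shows before the rule is created that the pattern is case-sensitive.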

Update Rule

PUT /api/v1/redaction/rules/:id

Update an existing redaction rule. For built-in rules (IDs starting with builtin_), only behavior and enabled can be changed.

Auth: Master key only

Request body

| Name | Type | Required | Description |
|---|---|---|---|
| name | string | Optional | Updated rule name |
| pattern | string | Optional | Updated regex pattern (custom rules only) |
| fields | string[] | Optional | Updated field list (custom rules only) |
| behavior | string | Optional | "replace", "hash", or "mask" |
| enabled | boolean | Optional | Enable or disable the rule |

Change a built-in rule to hash behavior
curl -X PUT https://logstitch.io/api/v1/redaction/rules/builtin_credit_card \
  -H "Authorization: Bearer mk_..." \
  -H "Content-Type: application/json" \
  -d '{
    "behavior": "hash"
  }'
200 Success
Response
{
  "rule": {
    "id": "builtin_credit_card",
    "type": "builtin",
    "name": "Credit Card Number",
    "behavior": "hash",
    "enabled": true,
    "builtin_id": "credit_card"
  },
  "request_id": "req_abc123"
}

Delete Rule

DELETE /api/v1/redaction/rules/:id

Permanently delete a custom redaction rule. The rule stops being applied to newly ingested events immediately. Previously redacted events are not affected.

Auth: Master key only

Delete a custom rule
curl -X DELETE https://logstitch.io/api/v1/redaction/rules/550e8400-e29b-41d4-a716-446655440000 \
  -H "Authorization: Bearer mk_..."
200 Success
Response
{
  "deleted": true,
  "request_id": "req_abc123"
}

Built-in rules cannot be deleted

Built-in rules (IDs starting with builtin_) cannot be deleted. Use the PUT endpoint to disable them by setting enabled to false.

Test Redaction

POST /api/v1/redaction/test

Test your redaction rules against a sample event payload without persisting anything. Use this to verify your rules work as expected before ingesting real data.

Auth: Master key or Project key

Request body

| Name | Type | Required | Description |
|---|---|---|---|
| event | object | Required | A sample event payload to test redaction against. Accepts any JSON object. |

Test redaction rules
curl -X POST https://logstitch.io/api/v1/redaction/test \
  -H "Authorization: Bearer pk_..." \
  -H "Content-Type: application/json" \
  -d '{
    "event": {
      "action": "user.created",
      "category": "mutation",
      "actor": { "id": "user_123", "type": "user", "email": "alice@example.com" },
      "tenant_id": "acme_corp",
      "metadata": { "credit_card": "4111-1111-1111-1111" }
    }
  }'
200 Success
Response
{
  "original": {
    "actor": { "email": "alice@example.com" },
    "metadata": { "credit_card": "4111-1111-1111-1111" }
  },
  "redacted": {
    "actor": { "email": "[REDACTED]" },
    "metadata": { "credit_card": "[REDACTED]" }
  },
  "metadata": {
    "was_redacted": true,
    "redacted_fields": ["actor.email", "metadata.credit_card"],
    "redacted_rules": ["builtin:email", "builtin:credit_card"],
    "rules_evaluated": 8
  },
  "request_id": "req_abc123"
}
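
A check you could run in CI over the test endpoint's response, added here as an example and not part of LogStitch's own tooling. It confirms that every field you expect to be redacted is listed in `metadata.redacted_fields` and that none of the raw values planted in the sample event survive anywhere in `redacted`. `audit_redaction` and `leaves` are hypothetical helpers, and addressing array elements by index in the dot-path is an assumption.

```python
import json

# Constructed sample: the response body shown on this page for the test endpoint.
SAMPLE_RESPONSE = json.loads("""
{
  "original": {"actor": {"email": "alice@example.com"},
               "metadata": {"credit_card": "4111-1111-1111-1111"}},
  "redacted": {"actor": {"email": "[REDACTED]"},
               "metadata": {"credit_card": "[REDACTED]"}},
  "metadata": {"was_redacted": true,
               "redacted_fields": ["actor.email", "metadata.credit_card"],
               "redacted_rules": ["builtin:email", "builtin:credit_card"],
               "rules_evaluated": 8},
  "request_id": "req_abc123"
}
""")


def leaves(obj, prefix=""):
    """Yield (dot_path, value) for every leaf of a nested JSON value."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from leaves(value, f"{prefix}.{key}" if prefix else key)
    elif isinstance(obj, list):
        # Assumption: list items are addressed by index, e.g. "tags.0".
        for i, value in enumerate(obj):
            yield from leaves(value, f"{prefix}.{i}" if prefix else str(i))
    else:
        yield prefix, obj


def audit_redaction(response, required_paths, secrets):
    """Return findings; an empty list means the rules covered the sample.

    required_paths: dot-paths that must appear in metadata.redacted_fields.
    secrets: raw values planted in the sample event; none may survive
             as a substring of any string in the redacted payload.
    """
    reported = set(response["metadata"]["redacted_fields"])
    findings = [f"not redacted: {p}" for p in required_paths
                if p not in reported]
    for path, value in leaves(response["redacted"]):
        if isinstance(value, str) and any(s in value for s in secrets):
            findings.append(f"secret survives at {path}")
    return findings
```

The substring check catches a value that leaks through a free-text field no rule targets, which `redacted_fields` alone would not reveal.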