
PII Redaction

LogStitch automatically scans events for sensitive data before storage. Redaction is applied during ingestion — original PII never reaches the database.

How It Works

Every event passes through the redaction engine before storage. The engine:

  1. Evaluates all enabled rules (built-in + custom)
  2. Scans string values across actor, target, context, metadata, and changes
  3. Applies the configured behavior (replace, hash, or mask)
  4. Records which fields were redacted and which rules matched

Built-in Patterns

LogStitch ships with eight built-in patterns. Five are enabled by default. You can toggle any pattern on or off and change its redaction behavior.

| ID | Pattern Name | Default Enabled | Description |
| --- | --- | --- | --- |
| credit_card | Credit Card Number | Yes | Matches 13-19 digit card numbers. Masks to ****-****-****-1234 |
| ssn | Social Security Number | Yes | Matches XXX-XX-XXXX format. Masks to ***-**-1234 |
| email | Email Address | No | Standard email addresses |
| phone | Phone Number | No | US phone numbers with optional country code |
| ipv4 | IPv4 Address | No | Dotted-quad IP addresses |
| jwt | JWT Token | Yes | JSON Web Tokens (eyJ... pattern) |
| bearer_token | Bearer / API Token | Yes | Bearer tokens and long API keys |
| aws_key | AWS Access Key | Yes | AWS access key IDs (AKIA... pattern) |

Custom Rules

You can define your own redaction rules in addition to the built-in patterns. LogStitch supports two types of custom rules.

Pattern Rules

Pattern rules use a regular expression to match sensitive content anywhere in scanned fields. Use them when you need to catch a specific format like an internal account number or custom token.

Create a pattern rule
curl -X POST https://logstitch.io/api/v1/redaction/rules \
  -H "Authorization: Bearer mk_..." \
  -H "Content-Type: application/json" \
  -d '{
    "type": "pattern",
    "name": "Internal Account ID",
    "pattern": "ACCT-[0-9]{8}",
    "behavior": "replace",
    "enabled": true
  }'

Field Redact Rules

Field redact rules target a specific dot-path field and redact its entire value. Use them when a field always contains sensitive data regardless of format.

Create a field redact rule
curl -X POST https://logstitch.io/api/v1/redaction/rules \
  -H "Authorization: Bearer mk_..." \
  -H "Content-Type: application/json" \
  -d '{
    "type": "field_redact",
    "name": "Redact actor email",
    "fields": ["actor.email"],
    "behavior": "hash",
    "enabled": true
  }'

Redaction Behaviors

Each rule can use one of three redaction behaviors:

  • replace — Replace matched content with [REDACTED]. This is the default behavior.
  • hash — Replace with a SHA-256 hash of the matched content. Useful when you need to correlate redacted values without exposing the original.
  • mask — Replace with a partially masked version that preserves enough structure for identification (e.g. ****-****-****-1234 for credit cards).
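To make the rule types, scanned sections, behaviors and result metadata concrete, here is an added Python model of the pipeline described above; it is example code, not LogStitch's implementation. The regular expressions, the sample event and the order in which rules are applied are assumptions; the page does not publish the engine's own.

```python
import copy, hashlib, re

# Rules in the page's shape (regexes constructed for this example; the page does not publish the engine's own)
RULES = [
    {"id": "builtin:credit_card", "type": "pattern", "pattern": r"\b\d{4}-\d{4}-\d{4}-\d{4}\b", "behavior": "mask", "enabled": True},
    {"id": "builtin:ssn", "type": "pattern", "pattern": r"\b\d{3}-\d{2}-\d{4}\b", "behavior": "mask", "enabled": True},
    {"id": "builtin:email", "type": "pattern", "pattern": r"[\w.+-]+@[\w-]+\.[\w.-]+", "behavior": "replace", "enabled": False},
    {"id": "custom:internal_account_id", "type": "pattern", "pattern": r"ACCT-[0-9]{8}", "behavior": "replace", "enabled": True},
    {"id": "custom:redact_actor_email", "type": "field_redact", "fields": ["actor.email"], "behavior": "hash", "enabled": True},
]
SCANNED_SECTIONS = ("actor", "target", "context", "metadata", "changes")

# Constructed sample event; "action" sits outside the scanned sections and is never touched.
SAMPLE_EVENT = {"action": "user.updated",
                "actor": {"id": "user_123", "email": "alice@example.com"},
                "context": {"note": "transfer from ACCT-12345678 approved"},
                "metadata": {"credit_card": "4111-1111-1111-1234", "ssn": "123-45-6789"}}

def apply_behavior(value, behavior):
    # replace -> "[REDACTED]"; hash -> SHA-256 hex digest; mask -> keep layout, reveal the last four chars
    if behavior == "hash":
        return hashlib.sha256(value.encode()).hexdigest()
    if behavior == "mask":
        return re.sub(r"\d", "*", value[:-4]) + value[-4:]
    return "[REDACTED]"

def string_leaves(node, path):
    # Yield (container, key, dotted_path) for every string nested under node, so it can be rewritten in place
    for key, value in (node.items() if isinstance(node, dict) else enumerate(node)):
        if isinstance(value, str):
            yield node, key, f"{path}.{key}"
        elif isinstance(value, (dict, list)):
            yield from string_leaves(value, f"{path}.{key}")

def redact(event, rules=RULES):
    # Return (redacted_copy, metadata) shaped like the preview endpoint's response
    out, fields, matched = copy.deepcopy(event), [], []
    leaves = [leaf for s in SCANNED_SECTIONS if s in out for leaf in string_leaves(out[s], s)]
    for rule in (r for r in rules if r["enabled"]):  # disabled rules are skipped entirely
        for node, key, path in leaves:
            if rule["type"] == "field_redact" and path in rule["fields"]:
                node[key] = apply_behavior(node[key], rule["behavior"])  # whole value, any format
            elif rule["type"] == "pattern" and re.search(rule["pattern"], node[key]):
                node[key] = re.sub(rule["pattern"], lambda m: apply_behavior(m[0], rule["behavior"]), node[key])
            else:
                continue
            fields.append(path)
            matched.append(rule["id"])
    return out, {"was_redacted": bool(fields), "redacted_fields": sorted(set(fields)),
                 "redacted_rules": list(dict.fromkeys(matched)),  # first-hit order, no duplicates
                 "rules_evaluated": sum(r["enabled"] for r in rules)}
```

Running `redact(SAMPLE_EVENT)` masks the card and SSN, replaces the account ID inside the free-text note, hashes actor.email via the field rule, and reports four evaluated rules because the disabled email pattern is not counted.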

Testing Rules

Use the redaction test endpoint to preview how your rules will be applied without persisting any data. This is useful for validating custom rules before enabling them in production. In the example below, actor.email passes through unchanged because the built-in email pattern is disabled by default, and rules_evaluated is 5 because only the five default-enabled built-in rules were run.

Test redaction rules
curl -X POST https://logstitch.io/api/v1/redaction/test \
  -H "Authorization: Bearer mk_..." \
  -H "Content-Type: application/json" \
  -d '{
    "event": {
      "action": "user.updated",
      "category": "mutation",
      "actor": {
        "id": "user_123",
        "type": "user",
        "email": "alice@example.com"
      },
      "tenant_id": "acme_corp",
      "metadata": {
        "credit_card": "4111-1111-1111-1234",
        "ssn": "123-45-6789"
      }
    }
  }'
200 Redaction preview
Response
{
  "original": {
    "action": "user.updated",
    "category": "mutation",
    "actor": {
      "id": "user_123",
      "type": "user",
      "email": "alice@example.com"
    },
    "tenant_id": "acme_corp",
    "metadata": {
      "credit_card": "4111-1111-1111-1234",
      "ssn": "123-45-6789"
    }
  },
  "redacted": {
    "action": "user.updated",
    "category": "mutation",
    "actor": {
      "id": "user_123",
      "type": "user",
      "email": "alice@example.com"
    },
    "tenant_id": "acme_corp",
    "metadata": {
      "credit_card": "****-****-****-1234",
      "ssn": "***-**-6789"
    }
  },
  "metadata": {
    "was_redacted": true,
    "redacted_fields": [
      "metadata.credit_card",
      "metadata.ssn"
    ],
    "redacted_rules": [
      "builtin:credit_card",
      "builtin:ssn"
    ],
    "rules_evaluated": 5
  },
  "request_id": "req_01JKP..."
}

Managing Built-in Rules

Built-in rules cannot be deleted, but you can disable them or change their redaction behavior. Use the PUT endpoint with the rule's built-in ID.

Disable a built-in rule
curl -X PUT https://logstitch.io/api/v1/redaction/rules/builtin_email \
  -H "Authorization: Bearer mk_..." \
  -H "Content-Type: application/json" \
  -d '{
    "enabled": false
  }'
Change behavior to hash
curl -X PUT https://logstitch.io/api/v1/redaction/rules/builtin_credit_card \
  -H "Authorization: Bearer mk_..." \
  -H "Content-Type: application/json" \
  -d '{
    "behavior": "hash"
  }'

Redaction metadata

Redacted events include redacted_fields and redacted_rules arrays in the response, so you always know what was changed and why.