Redact Sensitive Data in Logs
Mask log lines before writing them so sensitive data is never stored in application logs, with optional unmasking for authorized debugging.
```bash
curl -X PUT https://protecto-trial.protecto.ai/api/vault/mask \
  -H "Authorization: Bearer YOUR_AUTH_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "mask": [
      {
        "value": "[AUTH] User John Doe (john.doe@example.com) failed login on 15/8/2010 from IP 10.2.4.9"
      }
    ]
  }'
```
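```python
import requests

# Raw log line, containing a name, an e-mail address and a date
log_line = "[AUTH] User John Doe (john.doe@example.com) failed login on 15/8/2010 from IP 10.2.4.9"

# Send the line to the Mask API (auto-detect: no entity types specified)
response = requests.put(
    "https://protecto-trial.protecto.ai/api/vault/mask",
    headers={
        "Authorization": "Bearer YOUR_AUTH_TOKEN",
        "Content-Type": "application/json"
    },
    json={"mask": [{"value": log_line}]}
)

# token_value is the masked line; this is what gets written to the log
masked = response.json()["data"][0]["token_value"]
```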
```json
{
  "data": [
    {
      "value": "[AUTH] User John Doe (john.doe@example.com) failed login on 15/8/2010 from IP 10.2.4.9",
      "token_value": "[AUTH] User <PERSON>VJYe 03W</PERSON> (<EMAIL>0gN3SkjL@0ffM3CDS</EMAIL>) failed login on <DATE>5Fd890</DATE> from IP 10.2.4.9"
    }
  ],
  "success": true,
  "error": {
    "message": ""
  }
}
```
```bash
curl -X PUT https://protecto-trial.protecto.ai/api/vault/unmask \
  -H "Authorization: Bearer YOUR_AUTH_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "unmask": [
      {
        "token_value": "[AUTH] User <PERSON>VJYe 03W</PERSON> (<EMAIL>0gN3SkjL@0ffM3CDS</EMAIL>) failed login on <DATE>5Fd890</DATE> from IP 10.2.4.9"
      }
    ]
  }'
```
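```python
import requests

# Masked line exactly as it was stored in the log
masked_line = "[AUTH] User <PERSON>VJYe 03W</PERSON> (<EMAIL>0gN3SkjL@0ffM3CDS</EMAIL>) failed login on <DATE>5Fd890</DATE> from IP 10.2.4.9"

# Send the stored line to the Unmask API
response = requests.put(
    "https://protecto-trial.protecto.ai/api/vault/unmask",
    headers={
        "Authorization": "Bearer YOUR_AUTH_TOKEN",
        "Content-Type": "application/json"
    },
    json={"unmask": [{"token_value": masked_line}]}
)

# value holds the original, unmasked log line
original = response.json()["data"][0]["value"]
```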
```json
{
  "data": [
    {
      "value": "[AUTH] User John Doe (john.doe@example.com) failed login on 15/8/2010 from IP 10.2.4.9",
      "token_value": "[AUTH] User <PERSON>VJYe 03W</PERSON> (<EMAIL>0gN3SkjL@0ffM3CDS</EMAIL>) failed login on <DATE>5Fd890</DATE> from IP 10.2.4.9"
    }
  ],
  "success": true,
  "error": {
    "message": ""
  }
}
```
What this solves
Application logs often contain sensitive data without anyone intending to put it there. Typical examples include:
- Authentication logs
- Error messages with user context
- Audit events
- Debug statements
Once written, logs are hard to clean up. This pattern shows you how to mask sensitive data before it is ever written to logs.
How it works
| Step | What happens | API |
|---|---|---|
| 1 | Detect and mask sensitive data in the log message | Mask API (Auto-Detect) |
| 2 | Write masked log message | Your logging system |
| 3 | Unmask for authorized investigation (optional) | Unmask API |
Auto-detect and mask the log line
Before writing to your logging system, send the raw log line to Protecto. Auto-Detect and Mask handles free-form log messages without requiring you to specify entity types.
Write only the token_value to your logging system — never the original value.
Write the masked log entry
Write the token_value string to your logging system exactly as returned.
Benefits:
- Logs remain readable — entity tags preserve context
- Sensitive values are never stored in plain text
- Tokens are deterministic, so the same person produces the same token across all log entries
Protecto is not involved after this step.
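
One way to wire steps 1 and 2 into Python's standard `logging` module, as an added example that is not Protecto's own code. `protecto_mask`, `MaskingFilter`, `demo` and the placeholder text are hypothetical names, and writing a placeholder instead of the raw line when masking fails is a design choice assumed here, not behaviour the page specifies.

```python
import io
import logging

MASK_URL = "https://protecto-trial.protecto.ai/api/vault/mask"  # endpoint from this page

def protecto_mask(line, token="YOUR_AUTH_TOKEN"):
    """Call the Mask API shown above and return the masked token_value."""
    import requests  # lazy import: the offline demo below never reaches the network
    resp = requests.put(MASK_URL,
                        headers={"Authorization": f"Bearer {token}",
                                 "Content-Type": "application/json"},
                        json={"mask": [{"value": line}]}, timeout=5)
    resp.raise_for_status()
    body = resp.json()
    if not body.get("success"):
        raise RuntimeError(body.get("error", {}).get("message") or "mask failed")
    return body["data"][0]["token_value"]

class MaskingFilter(logging.Filter):
    """Swap each record's message for its masked form before the handler emits it."""
    def __init__(self, mask_fn, placeholder="[log line withheld: masking unavailable]"):
        super().__init__()
        self.mask_fn = mask_fn
        self.placeholder = placeholder

    def filter(self, record):
        raw = record.getMessage()          # merge msg % args first so args are masked too
        try:
            record.msg = self.mask_fn(raw)
        except Exception:
            record.msg = self.placeholder  # fail closed: never fall back to the raw line
        record.args = None                 # args are already folded into msg
        return True

def demo(mask_fn):
    """Log one constructed line through the filter; return what reached the sink."""
    sink = io.StringIO()
    handler = logging.StreamHandler(sink)
    handler.addFilter(MaskingFilter(mask_fn))  # attach to every handler that writes logs
    logger = logging.getLogger("masking-demo")
    logger.handlers, logger.propagate = [handler], False
    logger.warning("[AUTH] User %s failed login", "john.doe@example.com")
    return sink.getvalue().strip()

if __name__ == "__main__":
    # Constructed stand-in for the API so the demo runs offline.
    print(demo(lambda s: s.replace("john.doe@example.com", "<EMAIL>token</EMAIL>")))
```

In production, pass `protecto_mask` as `mask_fn`. The filter covers only the formatted message, so exception tracebacks attached to a record are outside what it masks.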
Unmask logs for debugging (optional)
If an authorized user needs to inspect original values during an investigation, unmask the stored log entry on demand.
When to use this pattern
Use this approach when:
- Writing authentication or access logs
- Emitting audit or compliance logs
- Logging errors or failures that include user context
- Storing application events with personal data
Key takeaways:
- Mask before writing logs; retrofitting masking onto existing logs is far harder
- Auto-detect works best for free-form log lines
- Masked logs remain readable and useful for operations
- Restrict unmasking to authorized personnel only