Redaction
Shield automatically detects and redacts sensitive data in logs, alerts, and dashboard reports to protect privacy and comply with regulations.
Quick Start
Enable secret redaction:
{
"redaction": {
"enabled": true,
"mode": "secrets"
}
}
Now API keys, tokens, and passwords are automatically redacted:
In outbound bot messages (prevents leaks):
Bot tries to say: "Your API key is sk-1234567890abcdef"
User receives: "Your API key is sk-123...def"
In logs and alerts:
Before: API_KEY=sk-1234567890abcdef
After: API_KEY=sk-123...def
This is your primary defense against bots accidentally leaking API keys, passwords, and other secrets to users!
Outbound Filtering + Redaction
Redaction works with outbound filtering modes:
Block Mode (Maximum Security)
{
"outboundMode": "block",
"redaction": {
"enabled": true,
"mode": "secrets"
}
}
If the bot tries to leak a secret:
- Threat detected (e.g., API key in response)
- Message completely blocked
- User sees: "🛑 Message blocked by security filter"
Flag Mode (Redact & Allow)
{
"outboundMode": "flag",
"redaction": {
"enabled": true,
"mode": "secrets"
}
}
If the bot tries to leak a secret:
- Threat detected
- Secret redacted in message
- User receives message with redaction: "Your key is sk-..."
- Warning logged for admin
Recommended Configuration
{
"outboundMode": "flag",
"redaction": {
"enabled": true,
"mode": "secrets"
}
}
Why flag + redaction?
- Bot can still respond (doesn't break conversation)
- Secrets are automatically masked
- Admin gets alerted
- User experience isn't disrupted
Redaction Modes
Mode: secrets
Redacts API keys, tokens, passwords, and credentials.
{
"redaction": {
"mode": "secrets"
}
}
What's redacted:
- OpenAI keys (sk-...)
- GitHub tokens (ghp_..., github_pat_...)
- AWS keys (AKIA...)
- Google API keys
- JWT tokens
- OAuth tokens
- Bearer tokens
- Private keys (PEM, SSH)
- Database passwords
- Slack tokens
- Telegram bot tokens
Mode: pii
Redacts Personally Identifiable Information.
{
"redaction": {
"mode": "pii"
}
}
What's redacted:
- Email addresses
- Phone numbers (international formats)
- Credit card numbers
- Social Security Numbers (SSN)
- IP addresses
- Physical addresses
- Names (when detected as PII)
Mode: all
Redacts both secrets AND PII.
{
"redaction": {
"mode": "all"
}
}
Most comprehensive protection. Recommended for healthcare, finance, legal.
Mode: custom
Choose exactly what to redact using includeTypes and excludeTypes.
{
"redaction": {
"mode": "custom",
"includeTypes": ["openai_keys", "emails", "phone_numbers"]
}
}
Only redacts the specified types.
Mode: off
Disable redaction completely.
{
"redaction": {
"enabled": false
}
}
Logs may contain sensitive user data and credentials. Only disable redaction in controlled environments.
Redaction Types
Secrets
| Type | Example | Redacted |
|---|---|---|
| openai_keys | sk-1234567890abcdef | sk-123...def |
| github_keys | ghp_a1b2c3d4e5f6g7h8 | ghp_a1b...h8 |
| aws_keys | AKIAIOSFODNN7EXAMPLE | AKIA...PLE |
| google_keys | AIzaSyD-abc123 | AIza...123 |
| jwt_tokens | eyJhbGciOiJIUzI1... | eyJh...*** |
| private_keys | -----BEGIN RSA... | ***PEM KEY*** |
| slack_tokens | xoxb-1234-5678 | xoxb-*** |
| telegram_tokens | 123456:ABC-DEF... | 123456:*** |
PII (Personal Information)
| Type | Example | Redacted |
|---|---|---|
| emails | user@example.com | ***@***.com |
| phone_numbers | +1-555-123-4567 | +1-***-***-4567 |
| credit_cards | 4532 1234 5678 9010 | 4532 **** **** 9010 |
| ssn | 123-45-6789 | ***-**-6789 |
| ip_addresses | 192.168.1.100 | 192.168.*.* |
Smart Masking
Shield preserves enough information for debugging while protecting sensitive parts.
Configurable Masking
{
"redaction": {
"keepStart": 6,
"keepEnd": 4
}
}
Example:
- Original: sk-1234567890abcdef
- keepStart: 6, keepEnd: 4 → sk-123...cdef
- keepStart: 8, keepEnd: 8 → sk-12345...abcdef
- keepStart: 0, keepEnd: 0 → ***
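The sketch below is an added example, not Shield's own code: it models keepStart/keepEnd masking and reports how many characters a given setting actually hides, which is the number to check before loosening the defaults. The function names, the handling of values shorter than keepStart + keepEnd, and the min_hidden threshold are assumptions.

```python
# Added illustration: a model of keepStart/keepEnd masking, not Shield's code.


def mask(value: str, keep_start: int = 6, keep_end: int = 4) -> str:
    """Keep the first keep_start and last keep_end characters, hide the rest."""
    if keep_start < 0 or keep_end < 0:
        raise ValueError("keep_start and keep_end must be non-negative")
    # Assumption: when the kept parts would cover the whole value, hide all of
    # it instead of echoing the secret back. The page does not say what Shield
    # does in this case.
    if keep_start + keep_end >= len(value):
        return "***"
    if keep_start == 0 and keep_end == 0:
        return "***"
    head = value[:keep_start]
    tail = value[len(value) - keep_end:] if keep_end else ""
    return f"{head}...{tail}"


def hidden_chars(value: str, keep_start: int, keep_end: int) -> int:
    """Number of characters of the value that the mask conceals."""
    return max(len(value) - keep_start - keep_end, 0)


def review_settings(samples, keep_start, keep_end, min_hidden=8):
    """Return the samples left with fewer than min_hidden concealed characters.

    min_hidden is an assumed review threshold, not a Shield setting.
    """
    return [s for s in samples
            if hidden_chars(s, keep_start, keep_end) < min_hidden]


if __name__ == "__main__":
    key = "sk-1234567890abcdef"   # example value from this page
    short = "sk-12345"            # constructed short value
    print(mask(key, 6, 4), "hides", hidden_chars(key, 6, 4), "characters")
    print(mask(key, 0, 0))
    print(mask(short, 6, 4), "(short value fully hidden)")
    print("too exposed at 6/4:", review_settings([key, short], 6, 4))
```
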
Default Values
| Data Type | Default Masking |
|---|---|
| API Keys | Keep 6 start, 4 end |
| Emails | Keep domain |
| Phone | Keep country code, last 4 |
| Credit Cards | Keep first 4, last 4 |
| IP Addresses | Keep first 2 octets |
Include/Exclude Types
Include Only Specific Types
{
"redaction": {
"mode": "custom",
"includeTypes": [
"openai_keys",
"github_keys",
"emails"
]
}
}
Only these three types are redacted. Everything else passes through.
Exclude Specific Types
{
"redaction": {
"mode": "all",
"excludeTypes": [
"ip_addresses",
"phone_numbers"
]
}
}
Redacts everything EXCEPT IP addresses and phone numbers.
Custom Patterns
Add your own redaction patterns using regex:
{
"redaction": {
"customPatterns": [
{
"name": "employee_id",
"pattern": "EMP-\\d{6}",
"replacement": "EMP-***",
"description": "Company employee IDs"
},
{
"name": "internal_token",
"pattern": "MYAPP_[A-Z0-9]{32}",
"replacement": "MYAPP_***",
"description": "Internal app tokens"
}
]
}
}
Example:
- Original: Employee EMP-123456 accessed system
- Redacted: Employee EMP-*** accessed system
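A custom pattern is worth checking against near-miss inputs before it is deployed. The following added example (not part of Shield) loads a customPatterns block, reports patterns that fail to compile, and compares redacted output with expected output. It uses Python's re module as a stand-in, since the page does not state which regex engine Shield uses; the employee_id_open and unclosed_set entries and the 7-digit ID are constructed for illustration.

```python
import json
import re

# Constructed config in the page's customPatterns shape. "employee_id" is the
# page's pattern; the other two entries are hypothetical, added for comparison.
CONFIG = r'''
{"redaction": {"customPatterns": [
  {"name": "employee_id",      "pattern": "EMP-\\d{6}",        "replacement": "EMP-***"},
  {"name": "employee_id_open", "pattern": "EMP-\\d{6,}",       "replacement": "EMP-***"},
  {"name": "unclosed_set",     "pattern": "MYAPP_[A-Z0-9{32}", "replacement": "MYAPP_***"}
]}}
'''

# Constructed cases: (input line, output expected after redaction).
CASES = [
    ("Employee EMP-123456 accessed system", "Employee EMP-*** accessed system"),
    ("Employee EMP-1234567 accessed system", "Employee EMP-*** accessed system"),
]


def check_patterns(config_text, cases):
    """Return (failures, errors): per-pattern mismatches and compile errors."""
    failures, errors = {}, {}
    for entry in json.loads(config_text)["redaction"]["customPatterns"]:
        name = entry["name"]
        try:
            # JSON decoding has already turned "\\d" into the regex token \d.
            rx = re.compile(entry["pattern"])
        except re.error as exc:
            errors[name] = str(exc)
            continue
        bad = []
        for text, want in cases:
            # A function replacement inserts the replacement string literally.
            got = rx.sub(lambda _m, r=entry["replacement"]: r, text)
            if got != want:
                bad.append((text, got))
        failures[name] = bad
    return failures, errors


if __name__ == "__main__":
    failures, errors = check_patterns(CONFIG, CASES)
    for name, bad in failures.items():
        print(name, "OK" if not bad else f"FAIL {bad}")
    for name, msg in errors.items():
        print(name, "does not compile:", msg)
```

The fixed-width pattern EMP-\d{6} redacts only the first six digits of a longer ID and leaves the remainder in the output, which is why the second case fails for it.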
Where Redaction Applies
✅ Outbound Bot Messages
Most important: Redacts secrets in bot responses before sending to users.
Example:
Bot attempts to say: "Your API key is sk-1234567890abcdef"
User receives: "Your API key is sk-***...***"
This is the PRIMARY purpose - preventing your bot from accidentally leaking secrets!
✅ Logs and Alerts
- Security logs on disk
- Dashboard alerts
- Backend API submissions
- Email notifications
- Webhook payloads
- Exported data
Example log entry:
[2026-02-04 14:32:15] Message: "My token is sk-***...***"
⚠️ NOT Redacted (Intentional)
Inbound user messages (real-time):
- Bot sees full message to process correctly
- Only logs/alerts are redacted
- Threat detection needs full context
Why? The bot must see the full message to:
- Understand user intent
- Detect if it's a secret being leaked
- Respond appropriately
But if the user's message contains secrets, those ARE redacted in logs.
Compliance Use Cases
GDPR Compliance
{
"redaction": {
"enabled": true,
"mode": "all",
"includeTypes": [
"emails",
"phone_numbers",
"ip_addresses",
"credit_cards"
]
}
}
Redacts all PII from logs for European users.
HIPAA Compliance (Healthcare)
{
"redaction": {
"enabled": true,
"mode": "all",
"customPatterns": [
{
"name": "medical_record",
"pattern": "MRN-\\d{8}",
"replacement": "MRN-***"
},
{
"name": "patient_id",
"pattern": "PT-\\d{6}",
"replacement": "PT-***"
}
]
}
}
PCI-DSS (Payment Cards)
{
"redaction": {
"enabled": true,
"includeTypes": [
"credit_cards",
"cvv_codes"
],
"keepStart": 4,
"keepEnd": 4
}
}
Performance Impact
Redaction is fast:
- Latency: < 1ms per message
- CPU: Negligible
- Memory: ~5 MB for regex patterns
No noticeable impact on message processing speed.
Testing Redaction
Test what gets redacted:
Via Dashboard
- Go to dashboard.securecheck.io
- Click "Alerts"
- View a recent alert
- Check if sensitive data is masked
Via Logs
grep "Alert" ~/.securecheck/shield/logs/security-*.log
Look for redacted values (e.g., sk-123...def).
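Looking for redacted values confirms that masking happens; an audit also needs to find values that slipped through. This added example (not part of Shield) scans log text for token shapes that are still intact and reports only the line number and type, so the audit output does not repeat the secret. The regexes are assumed approximations of the key formats listed above, and the log lines are constructed.

```python
import re
import sys

# Assumed shapes for unredacted secrets (illustrative, not Shield's detectors).
# A masked value such as sk-123...def breaks the run of token characters,
# so it does not match.
UNREDACTED = {
    "openai_keys": re.compile(r"\bsk-[A-Za-z0-9]{12,}"),
    "github_keys": re.compile(r"\b(?:ghp_|github_pat_)[A-Za-z0-9_]{12,}"),
    "aws_keys": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Constructed log lines in the style of the page's example entry.
SAMPLE_LOG = """\
[2026-02-04 14:32:15] Message: "My token is sk-123...def"
[2026-02-04 14:33:02] Alert: API_KEY=sk-1234567890abcdef
[2026-02-04 14:35:40] Alert: key AKIA...PLE seen in outbound message
[2026-02-04 14:36:11] Alert: key AKIAIOSFODNN7EXAMPLE seen in outbound message
"""


def audit(log_text):
    """Return (line_number, type) for each value that looks unredacted."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for kind, rx in UNREDACTED.items():
            if rx.search(line):
                # Record where and what kind, never the matched value itself.
                findings.append((lineno, kind))
    return findings


if __name__ == "__main__":
    # With no arguments, audit the constructed sample; otherwise audit files.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, kind in audit(fh.read()):
                    print(f"{path}:{lineno}: unredacted {kind}")
    else:
        for lineno, kind in audit(SAMPLE_LOG):
            print(f"sample:{lineno}: unredacted {kind}")
```

Pass the security-*.log files from the grep command above as arguments to audit real logs; any output line is a value that was written to disk unmasked.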
Via Shield Command
/shield test sk-1234567890abcdef was leaked
Check if the key is masked in the response.
Troubleshooting
Data Not Being Redacted
Problem: Still seeing secrets in logs
Solutions:
- Verify enabled: true
- Check correct mode is set
- Restart OpenClaw after config change
- Test with /shield validate
Over-Redaction
Problem: Too much data being masked
Solutions:
- Use custom mode with specific includeTypes
- Add to excludeTypes
- Adjust keepStart/keepEnd to show more
Custom Pattern Not Working
Problem: Custom regex not matching
Solutions:
- Test regex at regex101.com
- Escape special characters: \\., \\(, \\)
- Check logs for regex errors
- Validate JSON syntax
Best Practices
- Start with secrets mode - Catches most sensitive data
- Add custom patterns for proprietary identifiers
- Test thoroughly before production
- Keep enough context for debugging (don't mask everything)
- Document patterns with clear descriptions
- Regular audits of logs to ensure redaction works
Complete Example
{
"redaction": {
"enabled": true,
"mode": "all",
"// Masking": "",
"keepStart": 6,
"keepEnd": 4,
"// Exclusions": "",
"excludeTypes": ["ip_addresses"],
"// Custom Patterns": "",
"customPatterns": [
{
"name": "api_key",
"pattern": "MYAPP-[A-Z0-9]{32}",
"replacement": "MYAPP-***",
"description": "Internal API keys"
},
{
"name": "order_id",
"pattern": "ORD-\\d{10}",
"replacement": "ORD-***",
"description": "Order numbers"
}
]
}
}
Next Steps
- Notifications - Control where redacted alerts go
- Dashboard - View redacted alerts online
- Advanced Settings - Performance tuning