Skip to main content
Rehydra is a privacy layer for working with sensitive text and secrets. It helps you detect protected values locally, replace them with safe placeholders, and restore them when you need the originals again.

SDK

Build privacy-preserving applications in Node.js, Bun, or the browser.

CLI Tool

Anonymize, inspect, and rehydrate text directly from the terminal.

OpenCode Plugin

Prevent coding agents from leaking PII and secrets to LLMs.

Three Ways to Use Rehydra

SDK

Use the rehydra package when you want privacy controls inside your application.
  • Detect structured PII such as emails, phone numbers, credit cards, IPs, and URLs
  • Add optional NER-based detection for names, organizations, and locations
  • Encrypt original values for later rehydration
  • Integrate with apps, services, agents, proxies, and streaming workflows

CLI Tool

Use @rehydra/cli when you want to work with files or piped text without writing code.
  • Anonymize text from files or stdin
  • Inspect what would be detected before changing anything
  • Rehydrate text using a saved encrypted PII map
  • Fit Rehydra into shell scripts and local workflows

OpenCode Plugin

Use @rehydra/opencode when you want OpenCode to automatically scrub PII and secrets before they are sent to an LLM.
  • Auto-detect PII (emails, phones, credit cards) and secrets (API keys, JWTs, connection strings) in all messages
  • Optionally scan .env files to catch exact secret values anywhere in text
  • Restore original values before local tool execution
  • Add privacy protection to agent workflows with minimal setup

How Rehydra Works

1

Detect locally

Rehydra identifies sensitive values on your machine before they leave your environment.
2

Replace safely

It swaps originals for stable placeholders that downstream systems can handle safely.
3

Restore when needed

Rehydra can decrypt and rehydrate the original values in the right local context.

What You Can Protect

Structured PII

Emails, phone numbers, IBANs, credit cards, IP addresses, URLs, and more.

Soft PII

Names, organizations, and locations with the optional NER model.

Secrets

API keys, tokens, connection strings, and other environment-based credentials.

Encrypted Mappings

Original values are stored in encrypted form for later restoration.

Start Here

Choose a Product

Start with the SDK, CLI, or OpenCode plugin.

Installation

See install commands for each environment and package.

CLI Guide

Learn the terminal workflow and available commands.

OpenCode Plugin Guide

Set up automatic PII and secret scrubbing for OpenCode.