Detection Categories
Structured PII
Structured PII has recognizable formats and is usually detected with regex-based recognizers. Common examples include:EMAILPHONEDATEIBANBIC_SWIFTCREDIT_CARDIP_ADDRESSURLACCOUNT_NUMBERTAX_IDNATIONAL_ID
Contextual PII
Contextual or “soft” PII depends on meaning and surrounding text, so it uses the optional NER model. Common examples include:PERSONORGLOCATIONADDRESSDATE_OF_BIRTH
Secrets
Secrets are credentials and keys that should never leave your local environment. Detection is opt-in via thesecrets configuration.
Supported types:
API_KEY— provider-specific keys (OpenAI, Anthropic, GitHub, Stripe, Slack, and others)PRIVATE_KEY— PEM-encoded private keys (RSA, EC, DSA, OpenSSH, PGP)JWT— JSON Web TokensCONNECTION_STRING— database/service URIs with embedded credentials (PostgreSQL, MySQL, MongoDB, Redis, AMQP)AWS_CREDENTIALS— AWS access key IDs and secret access keysENV_VAR_SECRET— secret values in.env-styleKEY=VALUElinesCONFIG_SECRET— secret values in JSON, YAML, or TOML config files
Domain-Specific Identifiers
Some teams need to protect internal identifiers that are specific to their systems. Typical examples include:CASE_IDCUSTOMER_ID- Order numbers
- Employee IDs
- Support ticket IDs
Where Types Come From
Type Selection and Policy
You do not have to detect every supported type on every call. Rehydra policies let you narrow detection to the types that matter for a given workflow.Overlaps and Priority
Some values can match more than one detector. Rehydra resolves overlaps using the configured type priority and confidence rules so only one placeholder is emitted for a given span.Placeholder Shape
Types appear in the placeholder output and in entity metadata:Next Steps
Recognizers
See how Rehydra finds structured, contextual, and custom PII.
Secrets Detection
Enable detection for API keys, tokens, and credentials.
Custom Recognizers
Add your own domain-specific patterns.