Skip to main content
Rehydra detects different kinds of sensitive values through a combination of regex recognizers, optional NER, and custom patterns.

Detection Categories

Structured PII

Structured PII has recognizable formats and is usually detected with regex-based recognizers. Common examples include:
  • EMAIL
  • PHONE
  • DATE
  • IBAN
  • BIC_SWIFT
  • CREDIT_CARD
  • IP_ADDRESS
  • URL
  • ACCOUNT_NUMBER
  • TAX_ID
  • NATIONAL_ID

Contextual PII

Contextual or “soft” PII depends on meaning and surrounding text, so it uses the optional NER model. Common examples include:
  • PERSON
  • ORG
  • LOCATION
  • ADDRESS
  • DATE_OF_BIRTH

Secrets

Secrets are credentials and keys that should never leave your local environment. Detection is opt-in via the secrets configuration. Supported types:
  • API_KEY — provider-specific keys (OpenAI, Anthropic, GitHub, Stripe, Slack, and others)
  • PRIVATE_KEY — PEM-encoded private keys (RSA, EC, DSA, OpenSSH, PGP)
  • JWT — JSON Web Tokens
  • CONNECTION_STRING — database/service URIs with embedded credentials (PostgreSQL, MySQL, MongoDB, Redis, AMQP)
  • AWS_CREDENTIALS — AWS access key IDs and secret access keys
  • ENV_VAR_SECRET — secret values in .env-style KEY=VALUE lines
  • CONFIG_SECRET — secret values in JSON, YAML, or TOML config files

Domain-Specific Identifiers

Some teams need to protect internal identifiers that are specific to their systems. Typical examples include:
  • CASE_ID
  • CUSTOMER_ID
  • Order numbers
  • Employee IDs
  • Support ticket IDs
These are usually added through custom recognizers or policy-level custom patterns.

Where Types Come From

Type Selection and Policy

You do not have to detect every supported type on every call. Rehydra policies let you narrow detection to the types that matter for a given workflow.

Overlaps and Priority

Some values can match more than one detector. Rehydra resolves overlaps using the configured type priority and confidence rules so only one placeholder is emitted for a given span.

Placeholder Shape

Types appear in the placeholder output and in entity metadata:

Next Steps

Recognizers

See how Rehydra finds structured, contextual, and custom PII.

Secrets Detection

Enable detection for API keys, tokens, and credentials.

Custom Recognizers

Add your own domain-specific patterns.