Rehydra detects different kinds of sensitive values through a combination of regex recognizers, optional NER, and custom patterns.

Detection Categories

Structured PII

Structured PII has recognizable formats and is usually detected with regex-based recognizers. Common examples include:
  • EMAIL
  • PHONE
  • DATE
  • IBAN
  • BIC_SWIFT
  • CREDIT_CARD
  • IP_ADDRESS
  • URL
  • ACCOUNT_NUMBER
  • TAX_ID
  • NATIONAL_ID

Contextual PII

Contextual or “soft” PII depends on meaning and surrounding text, so it uses the optional NER model. Common examples include:
  • PERSON
  • ORG
  • LOCATION
  • ADDRESS
  • DATE_OF_BIRTH

Secrets

Secrets are credentials and keys that should never leave your local environment. Detection is opt-in via the secrets configuration. Supported types:
  • API_KEY — provider-specific keys (OpenAI, Anthropic, GitHub, Stripe, Slack, and others)
  • PRIVATE_KEY — PEM-encoded private keys (RSA, EC, DSA, OpenSSH, PGP)
  • JWT — JSON Web Tokens
  • CONNECTION_STRING — database/service URIs with embedded credentials (PostgreSQL, MySQL, MongoDB, Redis, AMQP)
  • AWS_CREDENTIALS — AWS access key IDs and secret access keys
  • ENV_VAR_SECRET — secret values in .env-style KEY=VALUE lines
  • CONFIG_SECRET — secret values in JSON, YAML, or TOML config files

import { createAnonymizer } from 'rehydra';

const anonymizer = createAnonymizer({
  secrets: { enabled: true },
});

Domain-Specific Identifiers

Some teams need to protect internal identifiers that are specific to their systems. Typical examples include:
  • CASE_ID
  • CUSTOMER_ID
  • Order numbers
  • Employee IDs
  • Support ticket IDs

These are usually added through custom recognizers or policy-level custom patterns.

Where Types Come From

| Source | Best for | Examples |
| --- | --- | --- |
| Built-in regex recognizers | Stable, well-formed formats | Email, phone, date, IBAN, credit card |
| Optional NER model | Meaning-dependent entities | Person, organization, location, address |
| Secrets recognizers (opt-in) | Credentials and keys | API keys, JWTs, connection strings, private keys |
| Custom recognizers | Business-specific identifiers | Case IDs, customer IDs, proprietary formats |

Type Selection and Policy

You do not have to detect every supported type on every call. Rehydra policies let you narrow detection to the types that matter for a given workflow.

import { createAnonymizer, PIIType } from 'rehydra';

const anonymizer = createAnonymizer({
  defaultPolicy: {
    regexEnabledTypes: new Set([PIIType.EMAIL, PIIType.PHONE]),
    nerEnabledTypes: new Set([PIIType.PERSON]),
  }
});

Overlaps and Priority

Some values can match more than one detector. Rehydra resolves overlaps using the configured type priority and confidence rules so only one placeholder is emitted for a given span.
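
To see why overlap resolution matters for secrets, the following added example (not Rehydra's implementation or API) runs three simplified recognizers over a constructed string in which a connection string also matches the URL and EMAIL patterns. The regexes, confidence values, priority order, and per-type id counters are assumptions made for illustration.

```javascript
// Constructed, simplified recognizers (assumptions, not Rehydra's own patterns).
const RECOGNIZERS = [
  { type: 'EMAIL', confidence: 0.9, re: /[\w.+-]+@[\w-]+(?:\.[\w-]+)+/g },
  { type: 'URL', confidence: 0.8, re: /\b[a-z][a-z0-9+.-]*:\/\/[^\s,]+/gi },
  { type: 'CONNECTION_STRING', confidence: 0.95,
    re: /\b(?:postgres(?:ql)?|mysql|mongodb|redis|amqp):\/\/[^\s:@\/]+:[^\s@\/]+@[^\s,]+/gi },
];
// Assumed type priority: the higher value wins when spans overlap.
const PRIORITY = { CONNECTION_STRING: 3, EMAIL: 2, URL: 1 };

// Run every recognizer and collect raw, possibly overlapping, hits.
function detect(text) {
  const hits = [];
  for (const { type, confidence, re } of RECOGNIZERS) {
    for (const m of text.matchAll(re)) {
      hits.push({ type, confidence, start: m.index, end: m.index + m[0].length });
    }
  }
  return hits;
}

// Keep one hit per region: rank by priority, then confidence, then span length,
// and drop any hit that intersects a better-ranked hit already kept.
function resolveOverlaps(hits) {
  const ranked = [...hits].sort((a, b) =>
    PRIORITY[b.type] - PRIORITY[a.type] ||
    b.confidence - a.confidence ||
    (b.end - b.start) - (a.end - a.start));
  const kept = [];
  for (const h of ranked) {
    if (!kept.some(k => h.start < k.end && k.start < h.end)) kept.push(h);
  }
  return kept.sort((a, b) => a.start - b.start);
}

// Replace each surviving span with a placeholder; ids count up per type (assumed).
function redact(text) {
  const counters = {};
  let out = '', pos = 0;
  for (const h of resolveOverlaps(detect(text))) {
    const id = (counters[h.type] = (counters[h.type] || 0) + 1);
    out += text.slice(pos, h.start) + `<PII type="${h.type}" id="${id}"/>`;
    pos = h.end;
  }
  return out + text.slice(pos);
}

// Constructed sample input.
const SAMPLE = 'Mail jane@example.com; DB postgres://app:s3cret@db.internal:5432/orders';
console.log(redact(SAMPLE));
```

If EMAIL outranked CONNECTION_STRING here, only `s3cret@db.internal` would be replaced and the username, port, and database name would remain in the output.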

Placeholder Shape

Types appear in the placeholder output and in entity metadata:

<PII type="EMAIL" id="1"/>
<PII type="PERSON" id="1"/>

Next Steps

Recognizers

See how Rehydra finds structured, contextual, and custom PII.

Secrets Detection

Enable detection for API keys, tokens, and credentials.

Custom Recognizers

Add your own domain-specific patterns.