Installation
The CLI is published as a separate lightweight package:The CLI requires Node.js 18+ and depends on the
rehydra SDK package (installed automatically).Commands
anonymize
Detect and replace PII in a file or stdin.- Uses regex-only detection (no NER)
- Runs in
pseudonymizemode (saves an encrypted PII map for later rehydration) - Writes the PII map to
.rehydra-pii-map.json - Generates a random encryption key and stores it in the PII map file
rehydrate
Restore original PII values from anonymized text using the saved PII map.--key flag, REHYDRA_KEY environment variable, then the key embedded in the PII map file.
inspect
Dry-run that shows detected PII highlighted in context without anonymizing. Useful for previewing what will be detected.proxy
Start a local HTTP proxy that anonymizes PII in requests to LLM APIs and rehydrates PII in responses.openai, anthropic, claude (alias for anthropic)
How It Works
- The proxy starts immediately with regex-only detection so there’s no startup delay
- In the background, the NER model downloads (if needed) and loads
- Once NER is ready, the proxy hot-swaps to regex + NER detection — no restart required
--ner flag defaults to quantized for the proxy command (unlike other commands which default to disabled). Pass --ner disabled to use regex-only detection.
Connecting Your Tools
The proxy prints connection instructions on startup. Here are the common setups:API Key Injection
Use--api-key (or the LLM_API_KEY environment variable) to inject an API key into upstream requests. This is useful when your tool authenticates via OAuth but the upstream API requires an API key:
The proxy uses in-memory storage — PII maps are not persisted to disk. Each proxy session starts fresh.
setup-ner
Download the NER model ahead of time so anonymize/inspect don’t need to download on first use.Round-Trip Example
Options Reference
Custom Tag Format
By default, placeholders use XML-style tags:<PII type="EMAIL" id="1"/>. Use --tag-open, --tag-close, and --tag-keyword to change the format:
rehydrate, inspect, and proxy. Use matching flags during rehydration:
Output Formats
text (default)
Returns the anonymized text as-is:json
Structured JSON with anonymized text, entities, and stats:ndjson
One JSON line per entity, plus a summary line — useful for streaming pipelines:Encryption Key Management
By default,rehydra anonymize generates a random key and embeds it in the PII map file. For production use, supply your own key:
--key or REHYDRA_KEY, it is not written to the PII map file, keeping it separate from the encrypted data.
Exit Codes
Next Steps
Quick Start
Use Rehydra programmatically in your app
PII Types
See all PII types the CLI can detect