Skip to main content
The Rehydra CLI lets you anonymize files and piped text directly from the terminal — no code required.

Installation

The CLI is published as a separate lightweight package:
Or run directly without installing globally:
The CLI requires Node.js 18+ and depends on the rehydra SDK package (installed automatically).

Commands

anonymize

Detect and replace PII in a file or stdin.
By default, the anonymize command:
  • Uses regex-only detection (no NER)
  • Runs in pseudonymize mode (saves an encrypted PII map for later rehydration)
  • Writes the PII map to .rehydra-pii-map.json
  • Generates a random encryption key and stores it in the PII map file

rehydrate

Restore original PII values from anonymized text using the saved PII map.
The encryption key is resolved in order: --key flag, REHYDRA_KEY environment variable, then the key embedded in the PII map file.

inspect

Dry-run that shows detected PII highlighted in context without anonymizing. Useful for previewing what will be detected.
Output shows the original text with PII highlighted and labeled by type using color coding.

proxy

Start a local HTTP proxy that anonymizes PII in requests to LLM APIs and rehydrates PII in responses.
Supported providers: openai, anthropic, claude (alias for anthropic)

How It Works

  1. The proxy starts immediately with regex-only detection so there’s no startup delay
  2. In the background, the NER model downloads (if needed) and loads
  3. Once NER is ready, the proxy hot-swaps to regex + NER detection — no restart required
The --ner flag defaults to quantized for the proxy command (unlike other commands which default to disabled). Pass --ner disabled to use regex-only detection.

Connecting Your Tools

The proxy prints connection instructions on startup. Here are the common setups:

API Key Injection

Use --api-key (or the LLM_API_KEY environment variable) to inject an API key into upstream requests. This is useful when your tool authenticates via OAuth but the upstream API requires an API key:
The proxy uses in-memory storage — PII maps are not persisted to disk. Each proxy session starts fresh.

setup-ner

Download the NER model ahead of time so anonymize/inspect don’t need to download on first use.

Round-Trip Example

Options Reference

Custom Tag Format

By default, placeholders use XML-style tags: <PII type="EMAIL" id="1"/>. Use --tag-open, --tag-close, and --tag-keyword to change the format:
The same flags work with rehydrate, inspect, and proxy. Use matching flags during rehydration:

Output Formats

text (default)

Returns the anonymized text as-is:

json

Structured JSON with anonymized text, entities, and stats:

ndjson

One JSON line per entity, plus a summary line — useful for streaming pipelines:

Encryption Key Management

By default, rehydra anonymize generates a random key and embeds it in the PII map file. For production use, supply your own key:
When you provide a key via --key or REHYDRA_KEY, it is not written to the PII map file, keeping it separate from the encrypted data.

Exit Codes

Next Steps

Quick Start

Use Rehydra programmatically in your app

PII Types

See all PII types the CLI can detect