Skip to main content
Rehydra can detect secrets and credentials embedded in text, config files, and environment variables. Secrets detection is opt-in — enable it when your workflow handles content that may contain credentials.

Enable Secrets Detection

What Gets Detected

Provider-specific key patterns including:
  • OpenAIsk-proj-*, sk-*
  • Anthropicsk-ant-*
  • GitHub — PATs (ghp_*), OAuth (ghu_*), App tokens (ghs_*)
  • Stripesk_live_*, sk_test_*, rk_*
  • Slackxoxb-*, xoxp-*, xoxa-*, xoxs-*
  • SendGridSG.*.*
  • TwilioSK followed by 32 hex characters
  • Mailgunkey- followed by 32 hex characters
PEM-encoded private key blocks with BEGIN/END markers. Supports RSA, EC, DSA, OpenSSH, PGP, and encrypted variants.
Three-segment base64url tokens starting with eyJ. Validates that the decoded header contains an alg field.
Database and service URIs with embedded credentials:
  • PostgreSQL — postgres://user:pass@host/db
  • MySQL / MariaDB — mysql://user:pass@host/db
  • MongoDB — mongodb+srv://user:pass@host/db
  • Redis — redis://:pass@host:port
  • AMQP — amqp://user:pass@host:port
Placeholder passwords like changeme or password are ignored.
  • Access key IDs with the AKIA prefix (high confidence)
  • Secret access keys when AWS-related context keywords are present (context-dependent)
Secret values in .env-style lines like API_KEY=sk-abc123. The recognizer checks whether the key name suggests a secret (e.g., names containing password, secret, token, api_key, etc.) and filters out placeholder values.
Secret values in JSON, YAML, and TOML configuration files. Uses the same key name heuristics as the environment variable recognizer.

Scanning .env Files

Point Rehydra at your .env files so it can learn the exact secret values and detect them anywhere in the text — even outside of KEY=VALUE context:
This parses the files, extracts the values, and registers a literal value recognizer that matches those exact strings with maximum confidence.

Explicit Redact Values

If you know specific values that should always be redacted, pass them directly:

Custom Key Name Patterns

The built-in key name heuristic covers common names like password, secret, token, api_key, connection_string, and about 30 others. To extend it:
These extra patterns apply to ENV_VAR_SECRET and CONFIG_SECRET detection.

Minimum Value Length

Short values like "yes" or "0" are skipped by default. Adjust the threshold if needed:

Full Configuration Reference

Next Steps

PII Types

See all supported PII categories.

Custom Recognizers

Add your own domain-specific patterns.