Rehydra can detect secrets and credentials embedded in text, config files, and environment variables. Secrets detection is opt-in — enable it when your workflow handles content that may contain credentials.

Enable Secrets Detection

import { createAnonymizer } from 'rehydra';

const anonymizer = createAnonymizer({
  secrets: { enabled: true },
});
await anonymizer.initialize();

const result = await anonymizer.anonymize(
  'Connect with postgres://admin:s3cret@db.internal:5432/app'
);
// "Connect with <PII type="CONNECTION_STRING" id="1"/>"

What Gets Detected

Provider-specific key patterns including:
  • OpenAI — sk-proj-*, sk-*
  • Anthropic — sk-ant-*
  • GitHub — PATs (ghp_*), OAuth (ghu_*), App tokens (ghs_*)
  • Stripe — sk_live_*, sk_test_*, rk_*
  • Slack — xoxb-*, xoxp-*, xoxa-*, xoxs-*
  • SendGrid — SG.*.*
  • Twilio — SK followed by 32 hex characters
  • Mailgun — key- followed by 32 hex characters
Private keys: PEM-encoded private key blocks with BEGIN/END markers. Supports RSA, EC, DSA, OpenSSH, PGP, and encrypted variants.
JWTs: three-segment base64url tokens starting with eyJ. Validates that the decoded header contains an alg field.
Connection strings: database and service URIs with embedded credentials:
  • PostgreSQL — postgres://user:pass@host/db
  • MySQL / MariaDB — mysql://user:pass@host/db
  • MongoDB — mongodb+srv://user:pass@host/db
  • Redis — redis://:pass@host:port
  • AMQP — amqp://user:pass@host:port
Placeholder passwords like changeme or password are ignored.
AWS credentials:
  • Access key IDs with the AKIA prefix (high confidence)
  • Secret access keys when AWS-related context keywords are present (context-dependent)
Environment variables: secret values in .env-style lines like API_KEY=sk-abc123. The recognizer checks whether the key name suggests a secret (names containing password, secret, token, api_key, and similar) and filters out placeholder values.
Config files: secret values in JSON, YAML, and TOML configuration files, using the same key name heuristics as the environment variable recognizer. For example:
{ "database_password": "s3cret-value" }
api_secret: sk-live-abc123

Scanning .env Files

Point Rehydra at your .env files so it can learn the exact secret values and detect them anywhere in the text — even outside of KEY=VALUE context:
const anonymizer = createAnonymizer({
  secrets: {
    enabled: true,
    envFiles: ['.env', '.env.local'],
  },
});
This parses the files, extracts the values, and registers a literal value recognizer that matches those exact strings with maximum confidence.
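The following is an added example and not Rehydra's own code: a small stand-in for the environment-variable heuristic described above (key name check, placeholder filter, minValueLength) combined with the literal-value matching that envFiles registers. The default pattern list, placeholder set, sample .env content and function names are assumptions.

```javascript
// Added example, not Rehydra's code: stand-in for the ENV_VAR_SECRET
// heuristic and the .env literal-value recognizer. Lists below are assumed.
const DEFAULT_KEY_PATTERNS = [
  /password/i, /secret/i, /token/i, /api[_-]?key/i, /connection[_-]?string/i,
];
const PLACEHOLDERS = new Set(['changeme', 'password', 'example', 'todo', 'xxx']);

// Parse KEY=VALUE lines; keep values whose key name looks secret, that are
// at least minValueLength long, and that are not known placeholders.
function harvestEnvSecrets(envText, { secretKeyPatterns = [], minValueLength = 4 } = {}) {
  const patterns = [...DEFAULT_KEY_PATTERNS, ...secretKeyPatterns];
  const secrets = [];
  for (const raw of envText.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;           // blank or comment line
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (!m) continue;
    const key = m[1];
    const value = m[2].replace(/^(["'])(.*)\1$/, '$2');    // strip matching quotes
    if (!patterns.some((p) => p.test(key))) continue;      // key name heuristic
    if (value.length < minValueLength) continue;           // "yes", "0", ...
    if (PLACEHOLDERS.has(value.toLowerCase())) continue;   // changeme, password, ...
    secrets.push({ key, value });
  }
  return secrets;
}

// Replace every literal occurrence of the harvested values anywhere in text,
// longest value first so a value that contains another is redacted whole.
function redactLiterals(text, values, type = 'ENV_VAR_SECRET') {
  const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const ordered = [...new Set(values)].sort((a, b) => b.length - a.length);
  return ordered.reduce(
    (out, v, i) => out.replace(new RegExp(escapeRe(v), 'g'), `<PII type="${type}" id="${i + 1}"/>`),
    text,
  );
}

// Constructed sample .env content for demonstration.
const SAMPLE_ENV = [
  'API_KEY=sk-abc123def456',
  'DB_PASSWORD=changeme',             // placeholder, ignored
  'DEBUG=yes',                        // key name does not look secret
  'INTERNAL_SIGNING_KEY="k9-Zr7pQ"',  // only matched via a custom pattern
].join('\n');

const found = harvestEnvSecrets(SAMPLE_ENV, { secretKeyPatterns: [/^INTERNAL_.*_KEY$/i] });
console.log(redactLiterals('token sk-abc123def456, signer k9-Zr7pQ', found.map((s) => s.value)));
// prints: token <PII type="ENV_VAR_SECRET" id="1"/>, signer <PII type="ENV_VAR_SECRET" id="2"/>
```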

Explicit Redact Values

If you know specific values that should always be redacted, pass them directly:
const anonymizer = createAnonymizer({
  secrets: {
    enabled: true,
    redactValues: ['my-production-api-key', 'db-password-here'],
  },
});

Custom Key Name Patterns

The built-in key name heuristic covers common names like password, secret, token, api_key, connection_string, and about 30 others. To extend it:
const anonymizer = createAnonymizer({
  secrets: {
    enabled: true,
    secretKeyPatterns: [
      /^INTERNAL_.*_KEY$/i,
      /^MY_APP_SECRET_/i,
    ],
  },
});
These extra patterns apply to ENV_VAR_SECRET and CONFIG_SECRET detection.

Minimum Value Length

Short values like "yes" or "0" are skipped by default. Adjust the threshold if needed:
const anonymizer = createAnonymizer({
  secrets: {
    enabled: true,
    minValueLength: 8, // default is 4
  },
});

Full Configuration Reference

interface SecretsConfig {
  enabled: boolean;              // Enable secrets detection
  envFiles?: string[];           // .env file paths to parse
  redactValues?: string[];       // Explicit values to always redact
  secretKeyPatterns?: RegExp[];  // Additional key name patterns
  minValueLength?: number;       // Minimum value length (default: 4)
}

Next Steps

PII Types

See all supported PII categories.

Custom Recognizers

Add your own domain-specific patterns.