> ## Documentation Index
> Fetch the complete documentation index at: https://docs.rehydra.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Secrets Detection

> Detect API keys, tokens, connection strings, and other credentials

Rehydra can detect secrets and credentials embedded in text, config files, and environment variables. Secrets detection is **opt-in** — enable it when your workflow handles content that may contain credentials.

## Enable Secrets Detection

```typescript theme={null}
import { createAnonymizer } from 'rehydra';

const anonymizer = createAnonymizer({
  secrets: { enabled: true },
});
await anonymizer.initialize();

const result = await anonymizer.anonymize(
  'Connect with postgres://admin:s3cret@db.internal:5432/app'
);
// "Connect with <PII type="CONNECTION_STRING" id="1"/>"
```

## What Gets Detected

<AccordionGroup>
  <Accordion title="API Keys (API_KEY)">
    Provider-specific key patterns including:

    * **OpenAI** — `sk-proj-*`, `sk-*`
    * **Anthropic** — `sk-ant-*`
    * **GitHub** — PATs (`ghp_*`), OAuth (`ghu_*`), App tokens (`ghs_*`)
    * **Stripe** — `sk_live_*`, `sk_test_*`, `rk_*`
    * **Slack** — `xoxb-*`, `xoxp-*`, `xoxa-*`, `xoxs-*`
    * **SendGrid** — `SG.*.*`
    * **Twilio** — `SK` followed by 32 hex characters
    * **Mailgun** — `key-` followed by 32 hex characters
  </Accordion>

  <Accordion title="Private Keys (PRIVATE_KEY)">
    PEM-encoded private key blocks with `BEGIN`/`END` markers. Supports RSA, EC, DSA, OpenSSH, PGP, and encrypted variants.
  </Accordion>

  <Accordion title="JSON Web Tokens (JWT)">
    Three-segment base64url tokens starting with `eyJ`. Validates that the decoded header contains an `alg` field.
  </Accordion>

  <Accordion title="Connection Strings (CONNECTION_STRING)">
    Database and service URIs with embedded credentials:

    * PostgreSQL — `postgres://user:pass@host/db`
    * MySQL / MariaDB — `mysql://user:pass@host/db`
    * MongoDB — `mongodb+srv://user:pass@host/db`
    * Redis — `redis://:pass@host:port`
    * AMQP — `amqp://user:pass@host:port`

    Placeholder passwords like `changeme` or `password` are ignored.
  </Accordion>

  <Accordion title="AWS Credentials (AWS_CREDENTIALS)">
    * Access key IDs with the `AKIA` prefix (high confidence)
    * Secret access keys when AWS-related context keywords are present (context-dependent)
  </Accordion>

  <Accordion title="Environment Variable Secrets (ENV_VAR_SECRET)">
    Secret values in `.env`-style lines like `API_KEY=sk-abc123`. The recognizer checks whether the key name suggests a secret (e.g., names containing `password`, `secret`, `token`, `api_key`, etc.) and filters out placeholder values.
  </Accordion>

  <Accordion title="Config File Secrets (CONFIG_SECRET)">
    Secret values in JSON, YAML, and TOML configuration files. Uses the same key name heuristics as the environment variable recognizer.

    ```json theme={null}
    { "database_password": "s3cret-value" }
    ```

    ```yaml theme={null}
    api_secret: sk-live-abc123
    ```
  </Accordion>
</AccordionGroup>

## Scanning .env Files

Point Rehydra at your `.env` files so it can learn the exact secret values and detect them anywhere in the text — even outside of `KEY=VALUE` context:

```typescript theme={null}
const anonymizer = createAnonymizer({
  secrets: {
    enabled: true,
    envFiles: ['.env', '.env.local'],
  },
});
```

This parses the files, extracts the values, and registers a literal value recognizer that matches those exact strings with maximum confidence.

## Explicit Redact Values

If you know specific values that should always be redacted, pass them directly:

```typescript theme={null}
const anonymizer = createAnonymizer({
  secrets: {
    enabled: true,
    redactValues: ['my-production-api-key', 'db-password-here'],
  },
});
```

## Custom Key Name Patterns

The built-in key name heuristic covers common names like `password`, `secret`, `token`, `api_key`, `connection_string`, and about 30 others. To extend it:

```typescript theme={null}
const anonymizer = createAnonymizer({
  secrets: {
    enabled: true,
    secretKeyPatterns: [
      /^INTERNAL_.*_KEY$/i,
      /^MY_APP_SECRET_/i,
    ],
  },
});
```

These extra patterns apply to `ENV_VAR_SECRET` and `CONFIG_SECRET` detection.

## Minimum Value Length

Short values like `"yes"` or `"0"` are skipped by default. Adjust the threshold if needed:

```typescript theme={null}
const anonymizer = createAnonymizer({
  secrets: {
    enabled: true,
    minValueLength: 8, // default is 4
  },
});
```

## Full Configuration Reference

```typescript theme={null}
interface SecretsConfig {
  enabled: boolean;              // Enable secrets detection
  envFiles?: string[];           // .env file paths to parse
  redactValues?: string[];       // Explicit values to always redact
  secretKeyPatterns?: RegExp[];  // Additional key name patterns
  minValueLength?: number;       // Minimum value length (default: 4)
}
```

## Next Steps

<CardGroup cols={2}>
  <Card title="PII Types" icon="shield" href="/concepts/pii-types">
    See all supported PII categories.
  </Card>

  <Card title="Custom Recognizers" icon="code" href="/guides/custom-recognizers">
    Add your own domain-specific patterns.
  </Card>
</CardGroup>
