Docs

Trust, Governance & Security · 09.09

Secret Redaction in Logs & Transcripts

Key-name and value-pattern redaction that masks vault values, API keys, and JWTs out of logs, transcripts, and the realtime event bus.

Secret redaction

Two independent strategies, so a secret can't hide behind an innocent key

An agent streams its reasoning and tool input/output into logs and the realtime event bus constantly — a naive log line can leak a vault value, an Authorization header, or an *_API_KEY environment value into a place it was never meant to live: a shipped log file, the database, a channel message a human actually reads. Two strategies catch this independently. Key-name redaction masks a field wholesale purely because its key looks secret — authorization, api_key, token, password, secret, credential, cookie — regardless of what the value actually contains. Value-pattern redaction catches the opposite case: a string matching a known secret shape (a Bearer token, a provider key prefix like sk- or ghp_ or xox…, a long base64 blob, a JWT) gets masked even when it's sitting under a completely innocent-looking key name.

Continue