Redact Sensitive Data (Free Online Tool)
Mask secrets and PII while keeping the surrounding JSON structure intact
Paste your JSON → Get results instantly (no signup)
→ Redact sensitive values in this data and redact emails (full mask).
1{2 "name": "Alice",3 "email": "****",4 "notes": "Contact **** for details"5}Love the result?
Use this exact pipeline in your app, backend, or LLM workflow.
No setup needed. Works with curl, Node, Python.
Uses example data. For edited input, copy from the playground.
Works with:
- API responses
- Nested JSON
- Arrays & objects
Example: input → output
{ "name": "Alice", "email": "alice@example.com", "notes": "Contact alice@example.com for details"}{ "name": "Alice", "email": "****", "notes": "Contact **** for details"}Related tools
Advanced usage (optional)
Redact Sensitive Data
v1.0.0Description
Redact Sensitive Data
Mask PII and secrets in your JSON data. Detects 22 built-in patterns across personal data, financial info, government IDs, and technical secrets. Automatically scans string values and replaces matches with masked versions.
How It Works
The utility scans all string values (or targeted paths) for sensitive data patterns using regex matching. When a match is found, the value is replaced according to the selected mask style. Patterns are detected even when embedded within larger strings.
The special password-field pattern works differently — it detects sensitive key names (password, secret, token, etc.) and masks the entire value regardless of content.
Detectable Patterns
Original
| Pattern | Examples |
|---|---|
alice@example.com, user.name+tag@domain.co | |
| phone | 555-123-4567, (555) 123-4567, +1-555-123-4567 |
| credit-card | 4111-1111-1111-1234, 5500 0000 0000 5678 |
| ssn | 123-45-6789, 123 45 6789 |
| api-key | sk-..., api_key_..., long alphanumeric strings (24+ chars) |
| ip-address | 192.168.1.1, 10.0.0.1 |
| url | https://example.com/path, http://internal-api:8080 |
US PII
| Pattern | Examples | Notes |
|---|---|---|
| us-passport | 123456789 (9 digits) | Use with targetPaths to avoid false positives |
| us-drivers-license | A1234567, B123456789012 (letter + 6-12 digits) | |
| ein | 12-3456789 (Employer ID / Tax ID) | |
| date-of-birth | 1990-05-14, 05/14/1990, 14.05.1990 |
International PII
| Pattern | Examples | Notes |
|---|---|---|
| iban | GB29NWBK60161331926819, DE89370400440532013000 | |
| nhs | 943 476 5919 (UK NHS number, 10 digits) | Use with targetPaths — can overlap with phone |
| sin | 046-454-286 (Canadian Social Insurance Number) | |
| aadhaar | 2345 6789 0123 (Indian Aadhaar, 12 digits) | Use with targetPaths — can overlap with other numbers |
Technical / Secrets
| Pattern | Examples |
|---|---|
| ipv6 | 2001:0db8:85a3:0000:0000:8a2e:0370:7334 |
| mac-address | 00:1B:44:11:3A:B7, 00-1B-44-11-3A-B7 |
| jwt | eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.abc123 |
| aws-key | AKIAIOSFODNN7EXAMPLE |
| base64 | Long base64-encoded strings (40+ characters) |
| bearer-token | Bearer eyJhbGciOiJIUzI1NiJ9... |
| password-field | Masks entire value of keys named password, secret, token, auth, credential, etc. |
Mask Styles
Full
Replace the entire matched value with ****.
Partial
Keep the last 4 characters visible: ****1234.
Hash
Replace with an 8-character FNV-1a hash: e5081727. Deterministic — the same input always produces the same hash, useful for maintaining referential integrity.
Configuration
| Field | Type | Default | Description |
|---|---|---|---|
| Target Paths | path-picker | [] | Scope to specific paths (empty = all string values) |
| Patterns to Detect | multi-enum | [email, phone, credit-card, ssn] | Select which sensitive data patterns to redact |
| Mask Style | enum | full | full (*), partial (*1234), or hash (e5081727) |
| Custom Pattern | string | "" | Optional additional regex pattern to match (leave empty to skip) |
Use Cases
Compliance & Privacy
- GDPR compliance: Redact personal emails, phone numbers, and IBANs before sharing data
- PCI DSS: Mask credit card numbers in transaction logs
- HIPAA: Redact SSNs, dates of birth, and personal identifiers in medical records
Development & Testing
- Log sanitization: Clean JWTs, API keys, and bearer tokens from application logs
- Test data: Redact production data for use in test environments
- Demo preparation: Mask real customer data for product demonstrations
Data Sharing
- Internal reports: Share analytics data with sensitive fields masked
- API responses: Redact sensitive fields before returning to less-privileged clients
- Secret rotation: Identify and mask credentials using password-field detection
Configuration
| Name | Type | Default | Description |
|---|---|---|---|
| Target Paths | path-picker | [] | Scope to specific paths (empty = all string values) |
| Patterns to Detect | multi-enum | ["email","phone","credit-card","ssn"] | Select which sensitive data patterns to redact email phone credit-card ssn us-passport us-drivers-license ein date-of-birth iban nhs sin aadhaar api-key ip-address ipv6 mac-address url jwt aws-key bearer-token base64 password-field |
| Mask Style | enum | full | full: replace with ****. partial: keep last 4 chars. hash: replace with hash. full partial hash |
| Custom Pattern (regex) | string | | Optional additional regex pattern to match (leave empty to skip) |
Examples
Redact sensitive values in this data and redact emails (full mask).1{2 "name": "Alice",3 "email": "****",4 "notes": "Contact **** for details"5}API Usage
curl -X POST https://your-domain.com/api/v1/utilities/cleanup.redact \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{"inputs":{"primary":{"name":"Alice","email":"alice@example.com","notes":"Contact alice@example.com for details"}},"config":{"patterns":["email"],"maskStyle":"full","customPattern":"","targetPaths":[]}}'1{2 "name": "Alice",3 "email": "****",4 "notes": "Contact **** for details"5}