Redaction

  • Field names matching common secret names: password, secret, token, api_key, authorization, cookie, session, ssn, credit_card, cc_number, cvv, pin.
  • String values matching known patterns: bearer tokens (Bearer <40+ chars>), JWTs (3-segment dot-separated base64), AWS access keys (AKIA[0-9A-Z]{16}), GitHub PATs (ghp_[A-Za-z0-9]{36}), Stripe keys (sk_live_*, pk_live_*).
  • Email addresses reduced to <email> by default.
  • Long strings are length-tagged: <str len=142>.
  • Binary / bytes → <bytes len=N>.

Redaction runs in the agent process, before the event leaves the host, so the brain never sees unredacted values. This matters for the blast radius of a compromise: even a compromised brain cannot exfiltrate your secrets from historical events, because those values were never sent to it in the first place.

Per-project overrides go in redaction_overrides:

```json
{
  "redaction_overrides": {
    "field_names": ["internal_token", "my_secret_field"],
    "patterns": ["^user-[0-9a-f]{8}-secret-[0-9a-f]{16}$"]
  }
}
```

Overrides are additive to the built-in rules, never subtractive.

  • Task names (email.send vs email.send_welcome) are left intact: they are operator metadata, not secrets.
  • Queue names and routing keys.
  • Error class names (ValueError, MyDomainError).
  • Error messages: be careful here. A message that happens to contain a secret matching a built-in pattern (e.g. "invalid API key: sk_live_abc123") is caught by the pattern match, but custom exception types that interpolate secrets into their messages remain your risk, because a field-name rule cannot see a secret once it is embedded in free text and only the pattern rules stand between it and the wire.

Tracebacks are redacted line-by-line with the same rules. Stack frames keep file, line and function, but local variables are scrubbed by field-name match only.

  • Single argument value: 64 KiB max. Truncated above.
  • Total event payload: 2 MiB max. Truncated above.

These caps prevent a pathological task from blowing up the redactor or the wire.
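The two caps above, as an added example that is not z4j's own code. Beyond the per-argument cut it also handles the case the page's figures imply but do not spell out: many mid-sized arguments that each pass 64 KiB yet together exceed 2 MiB, which it resolves by halving the per-argument limit and re-applying it from the original values until the serialized event fits. The `<truncated N bytes>` marker, compact-JSON serialization as the wire size, and the halving strategy are this example's assumptions. One caveat worth knowing: a cap applied ahead of pattern redaction can cut a token in half, and a surviving prefix such as `AKIA` plus ten characters no longer matches `AKIA[0-9A-Z]{16}`, so keep the truncation marker in mind when reading the tail of a capped value.

```python
import json
from typing import Any

ARG_CAP = 64 * 1024          # single argument value cap from the page
EVENT_CAP = 2 * 1024 * 1024  # total event payload cap from the page


def cap_string(value: str, limit: int) -> str:
    """Truncate to at most `limit` UTF-8 bytes and tag the cut. The
    '<truncated N bytes>' marker is this example's format, not z4j's."""
    raw = value.encode("utf-8")
    if len(raw) <= limit:
        return value
    # errors="ignore" drops a multibyte character split by the cut instead of
    # raising, so the result is always valid text.
    kept = raw[:limit].decode("utf-8", errors="ignore")
    return kept + f"<truncated {len(raw) - limit} bytes>"


def cap_args(args: dict[str, Any], limit: int = ARG_CAP) -> dict[str, Any]:
    """Apply the per-argument cap to every string value; returns a new dict
    and leaves the caller's arguments untouched."""
    return {k: cap_string(v, limit) if isinstance(v, str) else v for k, v in args.items()}


def payload_size(event: dict[str, Any]) -> int:
    """Wire size of the event as compact JSON (assumed serialization)."""
    return len(json.dumps(event, default=str, separators=(",", ":")).encode("utf-8"))


def cap_event(event: dict[str, Any]) -> dict[str, Any]:
    """Enforce both caps. The per-argument limit is halved and re-applied from
    the original values until the whole event fits, so markers never nest."""
    original = event.get("args", {})
    out = dict(event)
    limit = ARG_CAP
    out["args"] = cap_args(original, limit)
    while payload_size(out) > EVENT_CAP and limit > 64:
        limit //= 2
        out["args"] = cap_args(original, limit)
    return out


if __name__ == "__main__":
    # Constructed pathological task: 40 arguments of 60 KiB each, every one
    # under the per-argument cap, together well over the event cap.
    ev = {"task": "report.build", "args": {f"chunk{i}": "a" * (60 * 1024) for i in range(40)}}
    print(payload_size(ev), "->", payload_size(cap_event(ev)))
```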

A kwarg called password_hint is redacted (matches prefix password). If you have a legitimate non-secret field with a secret-sounding name, rename or add a negative-match override.

Disabling redaction is not supported by design. z4j doesn't ship a disable_redaction=true. If your workload has no secrets and you want the raw values in events, you're using the wrong tool.