Security & Privacy
Auto-redaction
The SDK redacts common credential field names in your process before any data is sent. This is best-effort defense in depth, not a substitute for keeping sensitive values out of your API responses in the first place.
Redacted fields
Headers and body fields whose key matches one of these names (case-insensitive) are replaced with [REDACTED]:
password, secret, token, authorization, api_key, x-api-key, apikey, x-auth-token, x-access-token, bearer, private_key, private-key, secret_key, secret-key
Custom field names (e.g. mySecret, auth_blob) are not matched. If your application returns sensitive data under a non-standard key, exclude it at the source.
Email masking
Fields named email, email_address, or emailaddress are partially masked: the local part is shortened and padded with asterisks, so an address at example.com whose local part begins with "ja" becomes ja***@example.com.
Redaction is recursive across nested objects and arrays.
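The following is an added illustration of the redaction rules described above, written for this page; it is not the SDK's own code. It walks nested objects and arrays, matches the listed credential keys case-insensitively, masks the three email field names, and leaves non-standard keys such as mySecret untouched. The mask rule (keep the first two characters of the local part, replace the rest with ***) is an assumption inferred from the ja***@example.com example, as is the case-insensitive match on the email field names.

```javascript
// Added example, not the SDK's implementation. Key list copied from the page.
const REDACTED_KEYS = new Set([
  'password', 'secret', 'token', 'authorization', 'api_key', 'x-api-key',
  'apikey', 'x-auth-token', 'x-access-token', 'bearer', 'private_key',
  'private-key', 'secret_key', 'secret-key',
]);
const EMAIL_KEYS = new Set(['email', 'email_address', 'emailaddress']);

// Assumption: keep the first two characters of the local part, replace the
// remainder with *** and keep the domain, matching the ja***@example.com sample.
function maskEmail(value) {
  if (typeof value !== 'string') return value;
  const at = value.indexOf('@');
  if (at < 0) return value; // not an address, leave as is
  return value.slice(0, Math.min(2, at)) + '***' + value.slice(at);
}

// Recursively redact an object/array tree. Returns a new tree; the input is
// not mutated, so the application's own response object is untouched.
function redact(data) {
  if (Array.isArray(data)) return data.map(redact);
  if (data === null || typeof data !== 'object') return data;
  const out = {};
  for (const [key, value] of Object.entries(data)) {
    const k = key.toLowerCase(); // case-insensitive key match
    if (REDACTED_KEYS.has(k)) out[key] = '[REDACTED]';
    else if (EMAIL_KEYS.has(k)) out[key] = maskEmail(value);
    else out[key] = redact(value);
  }
  return out;
}

// Constructed sample: headers plus a nested body with a non-standard key.
function sampleRedaction() {
  return redact({
    headers: { Authorization: 'Bearer constructed-token', 'X-API-Key': 'constructed-key' },
    body: {
      user: { Email: 'jane.doe@example.com', mySecret: 'not-matched-by-the-list' },
      sessions: [{ token: 'constructed-session-token', id: 42 }],
    },
  });
}
```

Running sampleRedaction() shows the point made in the "Redacted fields" note: Authorization, X-API-Key and the nested token are replaced, the Email value is masked, but mySecret survives because it is not in the list and must be excluded at the source.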
Payload signing
Each batch sent to the ingest endpoint is gzip-compressed and signed with HMAC-SHA256 using your secret key. Mismatched signatures are rejected.
Treat your secret key like a password — anyone with it can submit events on your behalf. Rotate it from your dashboard if it’s ever exposed.
Client IP extraction
The SDK reads the first available standard proxy header (CF-Connecting-IP, X-Vercel-Forwarded-For, X-Forwarded-For, X-Real-IP, etc.), falling back to the TCP peer address. If you don’t trust your proxy headers, terminate them at your edge before requests hit your application.
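The following is an added example written for this page, not the SDK's own code. It implements the header preference order listed above with a fallback to the TCP peer address, and adds a trustProxyHeaders switch plus an edge-side helper that drops those headers, which is one way to act on the advice to terminate untrusted proxy headers before requests reach the application. Two assumptions: header names are looked up lower-cased, as Node's IncomingMessage.headers presents them, and for comma-separated values such as X-Forwarded-For the leftmost entry is taken.

```javascript
// Added example, not the SDK's implementation. Order taken from the page;
// the page's list ends in "etc.", so only the four named headers appear here.
const PROXY_HEADERS = [
  'cf-connecting-ip',
  'x-vercel-forwarded-for',
  'x-forwarded-for',
  'x-real-ip',
];

// headers: object keyed by lower-cased header name (Node IncomingMessage shape).
// peerAddress: the TCP remote address, used when no header applies.
// trustProxyHeaders: set false when the process may receive requests whose
// headers were not set by a proxy you control; then only the peer address counts.
function clientIp(headers, peerAddress, trustProxyHeaders = true) {
  if (trustProxyHeaders) {
    for (const name of PROXY_HEADERS) {
      const raw = headers[name];
      if (typeof raw === 'string' && raw.trim() !== '') {
        // Assumption: leftmost entry of a comma-separated chain is the client.
        return raw.split(',')[0].trim();
      }
    }
  }
  return peerAddress;
}

// Edge-side helper: return a copy of the headers with every proxy IP header
// removed, so a client cannot smuggle one past an edge that does not set it.
function stripProxyHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!PROXY_HEADERS.includes(name.toLowerCase())) out[name] = value;
  }
  return out;
}
```

A process that sits directly on the internet, or behind a proxy that forwards client-supplied headers unchanged, should call clientIp with trustProxyHeaders set to false, or run stripProxyHeaders at the edge and let the edge set the one header it controls.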