Arzule automatically redacts sensitive information from trace payloads before they leave your system. This protects against accidental exposure of credentials, personal data, and other secrets.

Default behavior

PII redaction is enabled by default. The SDK scans all event payloads and redacts:
  • API keys and tokens
  • Passwords and secrets
  • Credit card numbers
  • Social Security Numbers (SSNs)
  • Email addresses (optional)
  • Phone numbers (optional)
Redacted values are replaced with [REDACTED].

What gets scanned

The SDK scans these fields in trace events:
  • attrs_compact - Event attributes
  • Tool call inputs and outputs
  • LLM prompts and responses
  • Error messages and stack traces

Example

Before redaction:
{
  "event_type": "tool.call.start",
  "attrs_compact": {
    "tool_name": "SendEmail",
    "to": "[email protected]",
    "api_key": "sk-abc123secretkey456"
  }
}
After redaction:
{
  "event_type": "tool.call.start",
  "attrs_compact": {
    "tool_name": "SendEmail",
    "to": "[email protected]",
    "api_key": "[REDACTED]"
  }
}

Configuration

import arzule_ingest

arzule_ingest.init(redact_secrets=False)
Or via environment variable:
export ARZULE_REDACT_SECRETS=false
Disabling redaction in production is strongly discouraged. Sensitive data in traces can create compliance and security risks.

Custom patterns

Add custom redaction patterns for domain-specific secrets:
import arzule_ingest
from arzule_ingest.redaction import add_pattern

# Add a pattern for internal IDs
add_pattern(r"internal_[a-z]+_[0-9]{8}")

arzule_ingest.init()

Redaction patterns

The SDK includes patterns for common secrets:
Pattern         Example match
API keys        sk-abc123..., api_key_xyz...
Bearer tokens   Bearer eyJhbG...
Passwords       password, passwd, secret (in key names)
Credit cards    4111-1111-1111-1111
SSNs            123-45-6789
AWS keys        AKIA...

Field-level exclusions

Exclude specific fields from redaction:
import arzule_ingest

arzule_ingest.init(
    redact_exclude_fields=["user_id", "session_id"]
)
These fields will never be redacted, even if they match a pattern.
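The following is an added, self-contained Python example (not the arzule_ingest package's own code) that models how the behaviour described in the Example, Redaction patterns, Custom patterns and Field-level exclusions sections fits together: secret-named keys are replaced wholesale, value regexes are applied inside free text such as error messages, custom patterns are appended, and excluded fields are never touched. The `Redactor` class, its parameter names, the regexes, and the sample event are all assumptions made for this example; the SDK's real pattern set is not published on the page.

```python
import re
from typing import Any, Optional

REDACTED = "[REDACTED]"

# Key names whose string values are always redacted, whatever the value looks like.
# "password", "passwd" and "secret" come from the page's pattern table; "api_key",
# "token" and "authorization" are assumptions added for this example.
SECRET_KEY_RE = re.compile(r"password|passwd|secret|api_key|token|authorization", re.IGNORECASE)

# Value-shape patterns, one per row of the page's table. The regexes are illustrative
# (written for this example); the SDK's real patterns are not on the page.
DEFAULT_VALUE_PATTERNS = [
    ("api_key",      re.compile(r"\bsk-[A-Za-z0-9]{6,}\b")),
    ("bearer_token", re.compile(r"\bBearer\s+[A-Za-z0-9._\-]{8,}")),
    ("aws_key",      re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("credit_card",  re.compile(r"\b(?:\d{4}[- ]?){3}\d{4}\b")),
    ("ssn",          re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
]


class Redactor:
    """Hypothetical stand-in for the SDK's redactor: key-name rules plus value regexes,
    applied recursively to dicts, lists and strings (attrs_compact, tool I/O, errors)."""

    def __init__(self, enabled: bool = True, exclude_fields=(), custom_patterns=()):
        self.enabled = enabled                      # mirrors redact_secrets=True/False
        self.exclude_fields = set(exclude_fields)   # mirrors redact_exclude_fields=[...]
        self.patterns = list(DEFAULT_VALUE_PATTERNS)
        for pattern in custom_patterns:
            self.add_pattern(pattern)               # mirrors redaction.add_pattern()

    def add_pattern(self, pattern: str, name: str = "custom") -> None:
        self.patterns.append((name, re.compile(pattern)))

    def _redact_text(self, text: str) -> str:
        # Substring replacement, so a secret embedded in an error message or stack
        # trace is removed while the surrounding context is kept.
        for _, rx in self.patterns:
            text = rx.sub(REDACTED, text)
        return text

    def redact(self, payload: Any, key: Optional[str] = None) -> Any:
        if not self.enabled:
            return payload
        if isinstance(payload, dict):
            return {k: self.redact(v, k) for k, v in payload.items()}
        if isinstance(payload, list):
            return [self.redact(v, key) for v in payload]
        if isinstance(payload, str):
            if key in self.exclude_fields:        # excluded fields are never touched
                return payload
            if key is not None and SECRET_KEY_RE.search(key):
                return REDACTED                   # whole value replaced, as on the page
            return self._redact_text(payload)
        return payload                            # numbers, bools, None pass through


# Constructed trace event in the page's event shape (not a real capture).
SAMPLE_EVENT = {
    "event_type": "tool.call.start",
    "attrs_compact": {
        "tool_name": "SendEmail",
        "to": "alice@example.com",                  # email redaction is off by default
        "api_key": "sk-abc123secretkey456",         # redacted by key name
        "session_id": "internal_session_00000042",  # matches custom pattern but excluded
        "order_ref": "internal_order_12345678",     # custom pattern -> redacted
        "retries": 3,
    },
    "error": "upstream 401 for Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc; card 4111-1111-1111-1111",
}


def redact_sample() -> dict:
    """Apply the page's custom pattern and exclusion list to the constructed event."""
    r = Redactor(exclude_fields=["user_id", "session_id"],
                 custom_patterns=[r"internal_[a-z]+_[0-9]{8}"])
    return r.redact(SAMPLE_EVENT)


if __name__ == "__main__":
    import json
    print(json.dumps(redact_sample(), indent=2))
```

Note that the exclusion check runs before the key-name and value checks, which is what "never be redacted, even if they match a pattern" requires; an exclusion list is therefore the one setting that can let a genuine secret through, so keep it to fields whose values you know are identifiers rather than credentials.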

SOC2 compliance

The SDK includes SOC2 compliance features by default:
pip install arzule-ingest
This includes:
  • Encryption at rest for local trace files
  • Enhanced audit logging
  • Stricter default redaction patterns

Verifying redaction

Test that redaction works as expected:
from arzule_ingest.redaction import redact

test_data = {
    "api_key": "sk-secret123",
    "user_name": "John Doe"
}

result = redact(test_data)
print(result)
# {"api_key": "[REDACTED]", "user_name": "John Doe"}
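Beyond a single `redact()` call, the "Review trace samples" practice below needs a check you can run over an exported batch of events. The following added example (not part of the SDK) audits a JSON-lines export after redaction and reports every leaf that still looks like a secret, with its JSON path, so a leaked SSN in a stack trace or a custom ID format that was never registered with `add_pattern()` is surfaced. The sample export, the detector regexes and the `SECRET_KEYS` list are constructed for this example.

```python
import json
import re
from typing import Any, Iterator

# Constructed sample of already-exported trace events, one JSON object per line
# (not a real export). Line 2 carries an SSN inside an error string; line 3 has a
# custom internal ID that was never registered with add_pattern() and an
# unredacted password field.
SAMPLE_TRACE_JSONL = """\
{"event_type": "tool.call.start", "attrs_compact": {"tool_name": "SendEmail", "api_key": "[REDACTED]"}}
{"event_type": "tool.call.error", "attrs_compact": {"tool_name": "LookupCustomer"}, "error": "ValueError: no record for 123-45-6789\\n  File \\"lookup.py\\", line 12"}
{"event_type": "llm.response", "attrs_compact": {"trace_ref": "internal_order_12345678", "password": "hunter2"}}
"""

# Illustrative detector regexes for this example (the SDK's own patterns are not on the page).
LEAK_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "credit_card": re.compile(r"\b(?:\d{4}[- ]?){3}\d{4}\b"),
    "api_key": re.compile(r"\bsk-[A-Za-z0-9]{6,}\b"),
    "internal_id": re.compile(r"internal_[a-z]+_[0-9]{8}"),  # the page's custom pattern
}
# Key-name fragments that should only ever carry "[REDACTED]" in an export.
SECRET_KEYS = ("password", "passwd", "secret", "api_key", "token")


def _walk(node: Any, path: str = "$") -> Iterator[tuple[str, str, Any]]:
    """Yield (json_path, key, value) for every leaf so findings can be located."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _walk(v, f"{path}.{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _walk(v, f"{path}[{i}]")
    else:
        yield path, path.rsplit(".", 1)[-1], node


def audit_event(event: dict) -> list[tuple[str, str]]:
    """Return (json_path, reason) for each leaf that appears to have escaped redaction."""
    findings = []
    for path, key, value in _walk(event):
        if value == "[REDACTED]":
            continue
        if any(name in key.lower() for name in SECRET_KEYS):
            findings.append((path, "secret-named field not redacted"))
        if isinstance(value, str):
            for name, rx in LEAK_PATTERNS.items():
                if rx.search(value):
                    findings.append((path, f"matches {name}"))
    return findings


def audit_jsonl(text: str) -> dict[int, list[tuple[str, str]]]:
    """Audit every line of a JSONL export; keys are 1-based line numbers that had findings."""
    report = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        findings = audit_event(json.loads(line))
        if findings:
            report[lineno] = findings
    return report


if __name__ == "__main__":
    for lineno, findings in audit_jsonl(SAMPLE_TRACE_JSONL).items():
        for path, reason in findings:
            print(f"line {lineno}: {path}: {reason}")
```

Run this over a sample of exported traces on a schedule; any finding is either a pattern to add with `add_pattern()` or a field that should not have been placed in `redact_exclude_fields`.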

Best practices

  1. Keep redaction enabled - The default redact_secrets=True is correct for almost all cases
  2. Review trace samples - Periodically check traces in your dashboard to ensure no sensitive data leaks through
  3. Add custom patterns - If your application uses custom secret formats, add patterns for them
  4. Use SOC2 mode - For regulated industries, install the [soc2] extra
  5. Separate environments - Use different projects for dev/staging/prod to avoid mixing data

Next steps