Sensitive Data Filter - Observability Span Processor
Trust: ★★★☆☆ (0.90) · 0 validations · developer_reference
Published: 2026-05-10 · Source: crawler_authoritative
Tình huống
Documentation for the Mastra SensitiveDataFilter span processor that redacts sensitive information from traces before export, targeting developers configuring observability for applications handling passwords, API keys, tokens, and other confidential data.
Insight
The SensitiveDataFilter is a span processor in @mastra/observability that scans and redacts sensitive fields from traces before export. Default sensitive fields include: password, token, secret, key, apikey, auth, authorization, bearer, bearertoken, jwt, credential, clientsecret, privatekey, refresh, and ssn. Field matching is case-insensitive and separator-agnostic (api-key, api_key, ApiKey are treated identically). The filter processes attributes, metadata, input, output, and error information within spans. It handles nested objects, arrays, and circular references safely using synchronous processing. Configuration accepts custom sensitiveFields array, redactionToken string (default ‘[REDACTED]’), and redactionStyle (‘full’ or ‘partial’). Full redaction replaces entire value; partial redaction shows first/last 3 characters but fully redacts values under 7 characters. Error recovery replaces problematic fields with {error: {processor: ‘sensitive-data-filter’}} rather than crashing.
Hành động
Import SensitiveDataFilter from @mastra/observability and add it to spanOutputProcessors array in Observability config. Default usage: new SensitiveDataFilter(). Custom configuration: new SensitiveDataFilter({sensitiveFields: [‘customField’, …], redactionToken: ‘SENSITIVE’, redactionStyle: ‘partial’}). To disable: set spanOutputProcessors to empty array []. Common use cases include healthcare (SSN, MRN, diagnosis codes) and financial services (creditCard, CVV, bankAccount, IBAN, routing numbers).
Kết quả
Sensitive field values are replaced with the configured redaction token (default ‘[REDACTED]’) before traces are exported to observability platforms, preventing confidential data from leaving the application.
Điều kiện áp dụng
Part of @mastra/observability package. Span processor for Mastra observability tracing pipeline.
Nội dung gốc (Original)
Sensitive data filter
The Sensitive Data Filter is a span processor that redacts sensitive information from your traces during the processing pipeline before export. This ensures that passwords, API keys, tokens, and other confidential data never leave your application or get stored in observability platforms.
Default configuration
The Sensitive Data Filter is included in the recommended observability configuration:
import {
Observability,
DefaultExporter,
CloudExporter,
SensitiveDataFilter,
} from '@mastra/observability'
export const mastra = new Mastra({
observability: new Observability({
configs: {
default: {
serviceName: 'mastra',
exporters: [new DefaultExporter(), new CloudExporter()],
spanOutputProcessors: [
new SensitiveDataFilter(), // Redacts sensitive fields before export
],
},
},
}),
storage: new LibSQLStore({
id: 'mastra-storage',
url: 'file:./mastra.db',
}),
})With the default configuration, the filter redacts these common sensitive field names:
passwordtokensecretkeyapikeyauthauthorizationbearerbearertokenjwtcredentialclientsecretprivatekeyrefreshssn
Note: Field matching is case-insensitive and normalizes separators. For example,
api-key,api_key, andApi Keyare all treated asapikey.
How it works
The Sensitive Data Filter processes spans before they’re sent to exporters, scanning through:
- Attributes - Span metadata and properties
- Metadata - Custom metadata attached to spans
- Input - Data sent to agents, tools, and LLMs
- Output - Responses and results
- Error Information - Stack traces and error details
When a sensitive field is detected, its value is replaced with [REDACTED] by default. The filter handles nested objects, arrays, and circular references safely.
Custom configuration
You can customize which fields are redacted and how redaction displays:
import { SensitiveDataFilter, DefaultExporter, Observability } from '@mastra/observability'
export const mastra = new Mastra({
observability: new Observability({
configs: {
production: {
serviceName: 'my-service',
exporters: [new DefaultExporter()],
spanOutputProcessors: [
new SensitiveDataFilter({
// Add custom sensitive fields
sensitiveFields: [
// Default fields
'password',
'token',
'secret',
'key',
'apikey',
// Custom fields for your application
'creditCard',
'bankAccount',
'routingNumber',
'email',
'phoneNumber',
'dateOfBirth',
],
// Custom redaction token
redactionToken: '***SENSITIVE***',
// Redaction style
redactionStyle: 'full', // or 'partial'
}),
],
},
},
}),
})Redaction styles
The filter supports two redaction styles:
Full Redaction (Default)
Replaces the entire value with a fixed token:
// Before
{
"apiKey": "sk-abc123xyz789def456",
"userId": "user_12345"
}
// After
{
"apiKey": "[REDACTED]",
"userId": "user_12345"
}Partial Redaction
Shows the first and last 3 characters, useful for debugging without exposing full values:
new SensitiveDataFilter({
redactionStyle: 'partial',
})// Before
{
"apiKey": "sk-abc123xyz789def456",
"creditCard": "4111111111111111"
}
// After
{
"apiKey": "sk-…456",
"creditCard": "411…111"
}Values shorter than 7 characters are fully redacted to prevent information leakage.
Field matching rules
The filter uses intelligent field matching:
-
Case-Insensitive:
APIKey,apikey, andApiKeyare all matched -
Separator-Agnostic:
api-key,api_key, andapiKeyare treated identically -
Exact Matching: After normalization, fields must match exactly
tokenmatchestoken,Token,TOKENtokendoesn’t matchpromptTokensortokenCount
Nested object handling
The filter recursively processes nested structures:
// Before
{
"user": {
"id": "12345",
"credentials": {
"password": "SuperSecret123!",
"apiKey": "sk-production-key"
}
},
"config": {
"auth": {
"jwt": "eyJhbGciOiJIUzI1NiIs..."
}
}
}
// After
{
"user": {
"id": "12345",
"credentials": {
"password": "[REDACTED]",
"apiKey": "[REDACTED]"
}
},
"config": {
"auth": {
"jwt": "[REDACTED]"
}
}
}Performance considerations
The Sensitive Data Filter is designed to be lightweight and efficient:
- Synchronous Processing: No async operations, minimal latency impact
- Circular Reference Handling: Safely handles complex object graphs
- Error Recovery: If filtering fails, the field is replaced with an error marker rather than crashing
Disabling the filter
If you need to disable sensitive data filtering (not recommended for production):
export const mastra = new Mastra({
observability: new Observability({
configs: {
debug: {
serviceName: 'debug-service',
spanOutputProcessors: [], // No processors, including no SensitiveDataFilter
exporters: [new DefaultExporter()],
},
},
}),
})Warning: Only disable sensitive data filtering in controlled environments. Never disable it when sending traces to external services or shared storage.
Common use cases
Healthcare Applications
new SensitiveDataFilter({
sensitiveFields: [
// HIPAA-related fields
'ssn',
'socialSecurityNumber',
'medicalRecordNumber',
'mrn',
'healthInsuranceNumber',
'diagnosisCode',
'icd10',
'prescription',
'medication',
],
})Financial Services
new SensitiveDataFilter({
sensitiveFields: [
// PCI compliance fields
'creditCard',
'ccNumber',
'cardNumber',
'cvv',
'cvc',
'securityCode',
'expirationDate',
'expiry',
'bankAccount',
'accountNumber',
'routingNumber',
'iban',
'swift',
],
})Error handling
If the filter encounters an error while processing a field, it replaces the field with a safe error marker:
{
"problematicField": {
"error": {
"processor": "sensitive-data-filter"
}
}
}This ensures that processing errors don’t prevent traces from being exported or cause application crashes.
Related
Liên kết
- Nền tảng: Dev Framework · Mastra
- Nguồn: https://mastra.ai/docs/observability/tracing/processors/sensitive-data-filter
Xem thêm: