Secret redaction

Every time a hook runs, Cloudhooks captures what your code logs—payloads, API responses,console.logoutput. That output often contains data that was never meant to be stored: authorization headers, access tokens, customer email addresses, internal API keys.

Secret redaction automatically masks sensitive values in your logs before they are written, so raw credentials never appear in your run history.

Note: Redaction applies only to log output. Payloads are stored as-is and are unaffected.

What is always masked

Certain field names are masked in every run, regardless of your configuration. These include common credential-related keys like:

  • Authorization
  • token
  • access_token
  • refresh_token
  • api_key
  • client_secret
  • password
  • cookie
  • x-api-key
  • jwt

If any of these appear as a key in a logged object—at any nesting depth—their value is replaced with [redacted].

Environment variable values

In production runs, the values of your environment variables are masked wherever they appear in log output. This means an API key or database URL stored as an environment variable will never appear in plain text in your run history, even if your hook accidentally logs it.

Test runs are different. In test mode, environment variable values are shown in plain text. This is intentional—when debugging a hook, you need to confirm which value is active or verify that a hook-level override is taking effect. Use test runs whenever you need that visibility.

Configuring custom redaction keys

Beyond the built-in defaults, you can tell Cloudhooks to mask additional fields by name. Navigate to Settings → Log redaction keys and add the field names you want masked.

There are two forms:

Simple name

Masks that field anywhere in a logged object, regardless of where it appears in the structure.

email

A log entry like:

{ customer: { email: "alice@example.com", id: 123 } }

becomes:

{ customer: { email: "[redacted]", id: 123 } }

Dot-notation path

Masks only the field at a specific location. Useful when a common field name like phone should only be redacted in a particular context.

customer.phone

This masks customer.phone but leaves a phone field at the top level, or under a different parent, untouched.

Note: Key matching is case-insensitive—Email, email, and EMAIL all match the same rule.

Limitations

  • Payloads are not redacted. Redaction applies to log output, not to the event payload that triggered the hook.
  • Short values are not masked. Values fewer than 8 characters are not masked by value-based matching. This prevents common short strings from being incorrectly censored across all log output.
  • Value-based masking is best-effort. Key-based masking (field names you configure and the built-in list) is exact. Value-based masking (environment variable values, Shopify access tokens) scans log strings for the literal value—if your code transforms the value before logging, the transformed form may not be caught.