Datakit values can carry arbitrary content, including Vault secrets, authentication headers, personally identifiable information (PII), response bodies, and transformed values.
Datakit applies redaction and sanitization rules based on the source of the node’s input.
Tracing values are sanitized on the data plane before being transmitted to Konnect.
The same custom masking rules you configure for general Debugger payload capture also apply to Datakit tracing events.
Any value that comes from a Vault secret is always replaced with ********, regardless of other sanitization rules.
If a node’s output is derived from a Vault-resolved value, the entire output is redacted.
When a Datakit value is a headers map (a structured map of header name-value pairs), it’s sanitized using header-name rules.
The following headers are masked by default:
- authorization
- api-key
- x-api-key
- x-consumer-username
- x-consumer-custom-id
- x-consumer-id
- x-credential-identifier
Header context is lost when a value passes through a transformation node like jq, json_to_xml, or xml_to_json.
After transformation, the value no longer carries header context and is sanitized using body rules instead.
String values are sanitized using body rules (regex or JSONPath).
Structured values (maps and objects) are sanitized using body rules with JSONPath expressions applied to the structure.
When a node’s output is assembled from individual field-level inputs, each field is sanitized independently according to the rules that apply to its source.
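The following Python sketch is an added illustration, not Kong code or part of the original page: it models header-name rules and regex body rules to show how a header value that is masked by name can appear unmasked in a trace after a jq-style transformation unless a body rule covers it. The function names, the sample header values, the `Bearer` regex, and the reuse of `********` as the mask for non-Vault values are assumptions.

```python
import re

MASK = "********"  # mask the page gives for Vault values; reused for all masks (assumption)

# Header names this page lists as masked by default.
DEFAULT_MASKED_HEADERS = {
    "authorization", "api-key", "x-api-key", "x-consumer-username",
    "x-consumer-custom-id", "x-consumer-id", "x-credential-identifier",
}

def sanitize_headers(headers):
    """Header-name rules: mask by header name (case-insensitive match is an assumption)."""
    return {k: MASK if k.lower() in DEFAULT_MASKED_HEADERS else v
            for k, v in headers.items()}

def sanitize_body(value, patterns):
    """Body rules, regex only in this model: mask matches, recursing into structures."""
    if isinstance(value, dict):
        return {k: sanitize_body(v, patterns) for k, v in value.items()}
    if isinstance(value, list):
        return [sanitize_body(v, patterns) for v in value]
    if isinstance(value, str):
        for pattern in patterns:
            value = re.sub(pattern, MASK, value)
    return value

def trace_value(value, context, body_patterns=()):
    """Choose the rule set from the value's context: vault, headers, or body."""
    if context == "vault":
        return MASK  # vault-derived output is always fully redacted
    if context == "headers":
        return sanitize_headers(value)
    return sanitize_body(value, body_patterns)

def jq_like_transform(headers):
    """Hypothetical stand-in for a jq node: the reshaped object has body context."""
    return {"upstream_auth": headers["authorization"],
            "trace": headers["x-request-id"]}, "body"

def demo():
    # Constructed sample headers, not captured traffic.
    headers = {"authorization": "Bearer abc.def.ghi", "x-request-id": "req-123"}
    direct = trace_value(headers, "headers")
    transformed, context = jq_like_transform(headers)
    no_rule = trace_value(transformed, context)  # no body rule configured
    with_rule = trace_value(transformed, context, [r"Bearer\s+\S+"])
    return direct, no_rule, with_rule

if __name__ == "__main__":
    for label, result in zip(("direct", "no body rule", "with body rule"), demo()):
        print(f"{label}: {result}")
```

In this model, the transformed value needs its own regex or JSONPath body rule before the credential is masked, which is the case to check for whenever a flow routes header values through jq, json_to_xml, or xml_to_json.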
The sanitization applied to a node’s tracing event values depends on the node type and the source of its inputs. In summary:
- Values that come from request data use sanitizer rules configured for request data.
- Values that come from response data use sanitizer rules configured for response data.
- Values that combine request and response data can use both request and response sanitizer rules.
The following table breaks down sanitization behavior by node:
| Node type | Input or output | Sanitization applied |
|---|---|---|
| request | Headers | Header-name rules |
| request | Body, query parameters | Body rules |
| response | All values | Based on connected inputs |
| service_request | All values | Based on connected inputs |
| service_response | All values | Based on connected inputs |
| vault | Output | Always ******** (vault-derived) |
| call | Output headers | Response header-name rules |
| call | Output body | Response body rules |
| static | Output | Only if the value matches a configured rule |
| property GET | Output | Only if the value matches a configured rule |
| property SET | Output | Based on input values |
| jq | Output | Body rules (header context lost after transformation) |
| json_to_xml | Output | Body rules (header context lost after transformation) |
| xml_to_json | Output | Body rules (header context lost after transformation) |
| jwt_decode | Input JWT | Always redacted |
| jwt_decode | JWT signature | Always redacted |
| jwt_decode | JWT header and payload claims | Body rules |
| jwt_verify | Input token and key | Always redacted |
| jwt_verify | Output claims and header | Body rules |
| jwt_sign | Input key | Always redacted |
| jwt_sign | Output token | Always redacted |
| jwt_sign | Input claims and headers | Body rules |
| cache GET | Output | Only if the value matches a configured rule |
| cache SET | Cached data | Based on input data source |
| cache SET | Generated values | Body rules |
| branch | Routing values | Body rules |
| exit | Response body | Based on input sources |
| exit | Response headers | Based on input sources |