HookbaseDocs
GuideAPI ReferenceIntegrationsUse CasesCLIMCP
Getting StartedSDK ReferencePortal ComponentsAPI Reference
Get Started

Getting Started

IntroductionQuick StartBest PracticesPipeline Architecture

Core Concepts

SourcesDestinationsRoutes

Advanced Features

TransformsAI TransformsFiltersSchemasDeduplicationCustom DomainsTunnelsCron JobsScheduled Sends

Enterprise Security

OverviewCircuit BreakerFailover DestinationsIP FilteringStatic IP DeliveryNotification ChannelsObservability ExportField EncryptionRedaction PoliciesAudit Logs

Kubernetes

Operator GuideCRD ReferenceHelm Chart

Operations

Plans & LimitsProduction ReadinessTroubleshootingTestingComparison
DocsReceiveGuideRedaction Policies

Redaction Policies

Redaction policies remove or mask sensitive fields in webhook payloads before they hit Hookbase storage, your destinations, or both. Unlike Field Encryption — which is reversible — redaction is one-way: the original value is gone for good. That's what unlocks HIPAA, PCI, and similar use cases where regulators treat encrypted-at-rest sensitive data as still in scope.

Available on Pro and Business plans.

How it fits

FeatureStorageReversibilityUse when
Field EncryptionAES-256 ciphertextReversible (decrypted at delivery)You need the value at the destination but want it encrypted at rest.
Redaction (this page)Stripped or maskedOne-wayThe value should never exist in Hookbase or never leave it for a specific destination.

Scopes

Each policy declares a scope:

ScopeWhen it runsWhat it protects
storageAt ingest, before R2 + database writeHookbase never sees the original value after ingest. Replays send the redacted form.
deliveryIn the delivery worker, before each outbound requestHookbase keeps the original for replay/debugging, but downstream destinations only see the redacted form.
both (default)Both of the aboveMaximum protection. Recommended starting point.

Rule shape

A policy contains up to 50 rules. Each rule has a match and an action:

Match types

TypeValueExample
field_nameA key name. Matches at any depth.ssn, password, api_key
pathDotted path with optional [n] indices. Leading $. is allowed.user.ssn, payments[0].card_number
regex_valueJS regex source. Tested against string values, not keys.\d{3}-\d{2}-\d{4} (SSN-like)
headerHeader name, case-insensitive. Only applies at storage scope today.Authorization

Actions

ActionEffect
redactReplace the value with [REDACTED].
maskKeep the last N characters (default 4); replace the rest with *. Useful for card numbers.
hashReplace with the SHA-256 hex digest. Preserves uniqueness for joins/dedup.
removeDelete the key entirely (no trace it ever existed).

Configuration

Via dashboard

  1. Settings → Redaction
  2. Click New policy
  3. Name the policy, choose a scope, add rules
  4. Use the Test with sample payload panel to verify the rules behave as expected before saving

Via API

curl -X POST "https://api.hookbase.app/api/organizations/{orgId}/redaction-policies" \
  -H "Authorization: Bearer {token}" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "PII default",
    "scope": "both",
    "rules": [
      { "match": { "type": "field_name", "value": "ssn" }, "action": { "type": "redact" } },
      { "match": { "type": "path", "value": "payment.card_number" }, "action": { "type": "mask", "keepLastN": 4 } },
      { "match": { "type": "regex_value", "value": "[\\w.+-]+@[\\w.-]+\\.[a-z]{2,}", "flags": "i" }, "action": { "type": "hash" } }
    ]
  }'

Precedence

When multiple policies match the same source — e.g. an org-wide policy plus a source-specific override — all rules are unioned. We chose union over override because it's the safer default: adding a source-specific policy can never accidentally undo redaction the org enforced.

Audit trail

Every event records whether redaction fired:

  • redaction_applied — boolean
  • redaction_policy_ids — array of policy IDs that fired

These are visible on the event detail page so support can answer "why is field X missing here?" without ever logging the redacted value itself.

Replay implications

Replays send whatever is in storage. If a policy with scope: storage (or both) stripped a field, that field is gone — replay sends the redacted form. The replay UI shows a banner when an event has redaction applied so you don't get blindsided.

Cache invalidation

Policy lookups are cached in KV for up to 5 minutes per source. When you create, edit, or delete a policy, source-specific caches are busted immediately, but org-wide policies (no sourceId) can lag by up to the cache TTL. Time-sensitive rollouts should use a source-specific policy.

Limitations (v1)

  • Header redaction runs only at storage scope. Outbound headers (auth, custom) are not redacted at delivery.
  • Warehouse destinations (S3/R2/GCS/Azure) apply delivery-scope policies, but only when a sourceId is present on the queue message — older queued messages from before this feature was deployed will not have it.
  • Non-JSON payloads are skipped at delivery time (storage redaction only applies to JSON-parsable bodies).

See also

  • Field Encryption — when reversibility matters
  • Audit Logs — track who created/modified policies
  • Plans — feature availability per tier
PreviousField EncryptionNextAudit Logs

On this page

How it fitsScopesRule shapeMatch typesActionsConfigurationVia dashboardVia APIPrecedenceAudit trailReplay implicationsCache invalidationLimitations (v1)See also