Data Masking

The Data Masking service transforms sensitive values — email addresses, phone numbers, national IDs, credit card numbers, and arbitrary secrets — into masked or tokenised representations. Use it before writing data to logs, sending payloads to webhooks, feeding records into AI models, or passing data to third-party integrations.

Depending on the strategy you choose, masking is either reversible for authorised callers (tokenise) or irreversible (redact, mask, hash, format).


Masking Strategies

| Strategy | Output | Reversible | Use when |
| --- | --- | --- | --- |
| redact | [REDACTED] | No | Logs, debug output |
| mask | ali***@acme.com | No | UI display, exports |
| tokenise | Stable opaque token | Yes (with permission) | Data pipelines, deduplication |
| hash | SHA-256 of value | No | Pseudonymisation, analytics |
| format | Format-preserving (e.g. fake email) | No | Testing, demos |

Mask a Single Value

import { CpodClient } from '@cpod/sdk'
const sdk = CpodClient.fromEnv()
 
const result = await sdk.masking.mask({
  value: 'alice@acme.com',
  type: 'email',
  strategy: 'mask',
})
// result.masked → "ali***@acme.com"
 
const redacted = await sdk.masking.mask({
  value: '+1-555-867-5309',
  type: 'phone',
  strategy: 'redact',
})
// redacted.masked → "[REDACTED]"
 
const tokenised = await sdk.masking.mask({
  value: '123-45-6789',
  type: 'ssn',
  strategy: 'tokenise',
})
// tokenised.masked → "tok_a1b2c3d4e5f6"
// tokenised.token  → "tok_a1b2c3d4e5f6"  (stable per value per tenant)

Mask Multiple Values at Once

const results = await sdk.masking.maskBatch([
  { value: 'alice@acme.com',   type: 'email', strategy: 'mask' },
  { value: 'bob@acme.com',     type: 'email', strategy: 'mask' },
  { value: '555-867-5309',     type: 'phone', strategy: 'redact' },
  { value: '4111111111111111', type: 'card',  strategy: 'mask' },
])
 
for (const r of results) {
  // Illustration only: r.original is the unmasked input, so keep it out of real logs.
  console.log(r.original, '→', r.masked)
}

Detokenise (Reveal)

Reveal the original value behind a token. Requires the masking.detokenise scope.

⚠️ Detokenisation is a privileged operation. Only service accounts with masking.detokenise in their declared scopes can call this endpoint. All detokenisation calls are written to the audit log.

const original = await sdk.masking.detokenise('tok_a1b2c3d4e5f6')
// original.value → "123-45-6789"

Mask a Whole Record

Apply masking rules to every sensitive field in an object in one call:

const masked = await sdk.masking.maskRecord(
  { firstName: 'Alice', lastName: 'Smith', email: 'alice@acme.com', phone: '555-1234' },
  {
    rules: [
      { field: 'email', strategy: 'mask' },
      { field: 'phone', strategy: 'redact' },
    ],
  }
)
// masked → { firstName: 'Alice', lastName: 'Smith', email: 'ali***@acme.com', phone: '[REDACTED]' }
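
In the maskRecord output above, fields without a rule (firstName, lastName) come back unchanged, so a sensitive field that was never given a rule, or a value repeated in a free-text field, still reaches the log or webhook. The following check is an added example, not part of the SDK: it audits a flat record after masking and fails closed. The function names, the SENSITIVE_KEY pattern and the sample data are assumptions made for illustration.

```javascript
// Added example: check a masked record before it is logged or sent onward.
// `rules` uses the rule shape shown on this page; the function names and the
// SENSITIVE_KEY pattern are hypothetical and should be tuned to your schema.
const SENSITIVE_KEY = /email|phone|ssn|card|secret|password/i

function auditMaskedRecord(original, masked, rules) {
  const findings = []
  const ruled = new Set(rules.map((r) => r.field))
  const serialised = JSON.stringify(masked)
  for (const [field, value] of Object.entries(original)) {
    if (value === null || value === undefined || value === '') continue
    if (ruled.has(field)) {
      // JSON-escape the original so it is compared in the form it would
      // take inside the serialised output.
      const needle = JSON.stringify(String(value)).slice(1, -1)
      if (masked[field] === value) {
        findings.push({ field, issue: 'unchanged' })
      } else if (serialised.includes(needle)) {
        findings.push({ field, issue: 'leaked-elsewhere' })
      }
    } else if (SENSITIVE_KEY.test(field)) {
      findings.push({ field, issue: 'no-rule' })
    }
  }
  return findings
}

// Fail closed: return the record only when the audit is clean.
function assertSafeToEmit(original, masked, rules) {
  const findings = auditMaskedRecord(original, masked, rules)
  if (findings.length > 0) {
    // Report field names and issue codes only, never the values.
    const summary = findings.map((f) => `${f.field}:${f.issue}`).join(', ')
    throw new Error(`masked record rejected (${summary})`)
  }
  return masked
}

// Constructed sample: the phone number also sits in a free-text field, and
// an ssn field has no rule, so both slip past the two rules from this page.
const SAMPLE_RULES = [
  { field: 'email', strategy: 'mask' },
  { field: 'phone', strategy: 'redact' },
]
const SAMPLE_ORIGINAL = { email: 'alice@acme.com', phone: '555-1234',
  ssn: '123-45-6789', notes: 'Call 555-1234 after 5pm' }
const SAMPLE_MASKED = { email: 'ali***@acme.com', phone: '[REDACTED]',
  ssn: '123-45-6789', notes: 'Call 555-1234 after 5pm' }
console.log(auditMaskedRecord(SAMPLE_ORIGINAL, SAMPLE_MASKED, SAMPLE_RULES))
```

Call assertSafeToEmit on the result of maskRecord immediately before the write to the log, webhook or model input, and treat a thrown error as a reason to drop the payload rather than send it.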