Security & masking
Sensitive values should not reach storage in clear text. SDKs and ingest apply masking before events are persisted. maskFields only adds extra names—the built-in list always runs.
maskFields (optional)
Optional. Extra JSON/header field names to redact. A built-in sensitive-name list always runs first—you never disable it by leaving maskFields empty.
Omit maskFields or pass []—defaults still redact passwords, tokens, cookies, and card-related keys. Use it when your API uses custom property names (for example patientId, ssn).
Extra field names
createReplayStackClient({
  apiKey: process.env.REPLAYSTACK_API_KEY!,
  maskFields: ['phone_number', 'national_id', 'patientId'],
});

Always redacted (built-in list)
Case-insensitive; hyphens, underscores, and spaces are normalized when matching keys.
- authorization
- password
- passwd
- token
- access_token
- refresh_token
- apiKey
- api_key
- secret
- client_secret
- cookie
- set-cookie
- cardNumber
- card_number
- cvv
- otp
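The matching rule above (built-in list always on, maskFields only extends it, keys compared case-insensitively with hyphens, underscores and spaces dropped), worked through as an added example. This is illustrative code, not the ReplayStack SDK's implementation; the `[REDACTED]` marker, the function names and the sample event are assumptions.

```typescript
// Added illustration of the masking rule described above, not the ReplayStack
// SDK's own code: the built-in name list always applies, maskFields only
// extends it, and keys match case-insensitively after dropping hyphens,
// underscores and spaces. REDACTED is an assumed placeholder marker.

const BUILT_IN_MASK: readonly string[] = [
  "authorization", "password", "passwd", "token", "access_token",
  "refresh_token", "apiKey", "api_key", "secret", "client_secret",
  "cookie", "set-cookie", "cardNumber", "card_number", "cvv", "otp",
];
const REDACTED = "[REDACTED]";

// "Set-Cookie", "set_cookie" and "setcookie" all normalize to "setcookie".
export function normalizeKey(key: string): string {
  return key.toLowerCase().replace(/[-_ ]/g, "");
}

// Effective set of names to redact; an empty or omitted maskFields never
// disables the built-in list.
export function buildMaskSet(maskFields: string[] = []): Set<string> {
  return new Set([...BUILT_IN_MASK, ...maskFields].map(normalizeKey));
}

// Walk a JSON-like value and replace the whole value of every matching key,
// including nested objects under it; arrays are traversed element by element.
export function maskEvent(value: any, maskSet: Set<string>): any {
  if (Array.isArray(value)) return value.map((v) => maskEvent(v, maskSet));
  if (value !== null && typeof value === "object") {
    const out: Record<string, any> = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = maskSet.has(normalizeKey(k)) ? REDACTED : maskEvent(v, maskSet);
    }
    return out;
  }
  return value;
}

// Constructed sample event (headers plus JSON body) for the walkthrough.
export const sampleEvent = {
  headers: { "Set-Cookie": "sid=abc", "X-Api-Key": "k123", Accept: "json" },
  body: { user: { patientId: "P-42", name: "Ann" }, Card_Number: "4111" },
};

// Defaults only: Set-Cookie and Card_Number are redacted; patientId is not,
// and neither is X-Api-Key, because the leading "x" survives normalization
// ("xapikey" != "apikey"), so such prefixed header names need maskFields.
export const maskedDefault = maskEvent(sampleEvent, buildMaskSet());
export const maskedCustom = maskEvent(
  sampleEvent, buildMaskSet(["patientId", "x-api-key"]));
```

The `X-Api-Key` case is the check worth running against your own schema: a prefixed or suffixed variant of a built-in name does not match after normalization and must be listed in maskFields explicitly.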
What ReplayStack is not
- End-user mouse clicks, screen recordings, or front-end DOM snapshots (ReplayStack is backend observability, not session replay for visitors).
- Passwords, bearer tokens, cookies, or API secrets in clear text—matching field names are redacted before storage.
- Full payment card numbers or CVV values when field names match our built-in list (add custom names with maskFields if your schema differs).
- Arbitrary files, databases, or infrastructure metrics unless your integration sends them as part of an event payload.
- Selling or renting your production payloads to advertisers or data brokers.
Marketing summary: /security
Transport uses TLS. Stored data should be encrypted at rest in your ReplayStack deployment. Tune project settings and replay safety rules for endpoints you never want replayed.