Skip to main content

Overview

PII redaction runs automatically on every tool call when enabled. It scans the API response for sensitive patterns and replaces matches with labelled placeholders — for example [email protected] becomes [REDACTED:EMAIL] — before the data is sent to the AI client and/or stored in the call log. Redaction is configured per server and applies to all tools on that server.

Where to Configure It

Open GetMCP → Servers → {Your Server} → Settings tab → PII Redaction section.
  1. Enable PII Redaction — toggle on.
  2. Scope — choose where redaction is applied.
  3. Presets — check the built-in patterns to activate.
  4. Custom Rules — add your own regex patterns (optional).
Server Settings — PII Redaction section with scope selector and preset checkboxes

Redaction Scope

ScopeWhat gets redacted
Both (default)AI response and call log storage
Response onlyAI response only — raw values stored in logs
Log onlyLogs only — AI receives unredacted response
Log only is useful when you need the AI to see full data (e.g. an email tool that must read addresses) but don’t want raw PII in your audit trail.

Built-in Presets

PresetDetectsPlaceholder
Email addressesStandard email format[REDACTED:EMAIL]
US Social Security NumbersXXX-XX-XXXX format[REDACTED:SSN]
Credit card numbers13–19 digit sequences[REDACTED:CARD]
Phone numbersInternational and US formats[REDACTED:PHONE]
IPv4 addressesStandard dotted-quad[REDACTED:IP]
AWS access keysAKIA-prefixed 20-char strings[REDACTED:AWS_KEY]
JWT tokenseyJ-prefixed three-part tokens[REDACTED:JWT]
Enable only the presets you need — each active preset adds a small regex cost per field in the response.

Custom Rules

Add your own patterns for data that doesn’t match any built-in preset. Each custom rule has:
FieldDescription
LabelHuman-readable name shown in the admin UI
PatternPCRE regex (no delimiters — they are added automatically)
ReplacementText that replaces every match, e.g. [REDACTED:ACCOUNT_ID]
Example — UK National Insurance numbers:
FieldValue
LabelUK National Insurance
Pattern\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b
Replacement[REDACTED:NIN]
Test custom patterns carefully before enabling them in production. Over-broad patterns can redact legitimate data the AI needs, silently degrading tool quality.

How It Works

Redaction happens after JMESPath/JSONPath extraction but before the data is sent to the AI client or written to the database:
API Response
    → JMESPath / JSONPath extraction
    → PII Redaction   ← here
    → Template substitution
    → MCP content blocks → AI client
                        → Call log (if scope includes log)
Redaction walks the entire extracted data structure recursively. For each string value:
  1. Each active preset and custom rule is applied in order.
  2. All matches within the string are replaced with the configured placeholder.
  3. Strings longer than 1 MB are skipped (to avoid PCRE timeouts on huge payloads).
Numeric and boolean values are never modified — only strings are scanned.

Placeholder Labels in AI Responses

Matches are replaced with named labels (e.g. [REDACTED:EMAIL]) rather than blanked entirely. This lets the AI:
  • Know that a field existed but was redacted
  • Ask the user to provide the value if needed
  • Reason about the response without silently missing data
Example AI response with redaction:
“I found 3 orders for customer [REDACTED:EMAIL]. Would you like me to look up more details?”

Log Storage

When scope includes logs, redaction is applied to both:
  • Arguments — the input the AI sent to the tool
  • Response data — the upstream API response stored in the log
The HMAC signature in the Immutable Audit Log covers the redacted content. This is intentional: the signature verifies what was actually stored on disk, not the original unredacted values.

What PII Redaction Does Not Cover

  • Headers — auth headers are masked by a separate allowlist; other headers are not scanned for PII
  • Tool configuration — API keys and credentials in tool settings are encrypted at rest, not redacted
  • Existing logs — redaction is applied at write time; past logs are not retroactively scanned