TL;DR
PII scrubbing means redacting tokens, API keys, emails, phone numbers, and card-like values before logs leave the local machine.
PII Scrubbing for AI Agent API Logs
PII scrubbing means redacting sensitive values before logs are stored, displayed, or uploaded. For AI agent API logs, that usually means removing API keys, bearer tokens, emails, phone numbers, card-like values, and token-like URL parameters.
Guardrly performs this scrubbing locally before any log data leaves your machine.
Local vs Cloud PII Scrubbing
Local PII scrubbing redacts sensitive values before logs are stored or uploaded. Cloud-only scrubbing removes data after it has already crossed the network, which means tokens, API keys, or customer identifiers may briefly exist in transit, server-side queues, or raw ingestion logs.
| Approach | Where redaction happens | Main risk | Best fit |
|---|---|---|---|
| Local PII scrubbing | On the user's machine before upload | A local bug could miss a pattern | AI agent logs, API monitoring, production credentials |
| Cloud PII scrubbing | After data reaches the vendor cloud | Raw secrets may cross the network or enter queues | Low-sensitivity analytics with no tokens |
| Hybrid scrubbing | Local first, cloud validation second | More complexity | Regulated teams that want defense in depth |
Guardrly uses local scrubbing so the cloud dashboard receives operation metadata, not raw secrets.
What Is PII Scrubbing?
PII scrubbing is the process of replacing sensitive values with safe placeholders. In AI agent monitoring, the goal is to preserve the operational signal, such as method, endpoint, platform, status code, latency, and risk level, while removing the values that could identify a customer or expose an account.
For example:
| Raw value type | Scrubbed output |
|---|---|
| Authorization: Bearer sk_live_... | Authorization: [REDACTED] |
| customer@example.com | [email_redacted] |
| ?access_token=abc123 | ?access_token=[REDACTED] |
| +1 415 555 0199 | [phone_redacted] |
What Gets Scrubbed
Authorization Headers
All Authorization header values are replaced with [REDACTED]. This includes Bearer tokens, API keys, and Basic auth credentials.
Access Tokens in URLs
URL parameters containing access_token, api_key, token, or key are replaced with [REDACTED].
Email Addresses
Email addresses in request bodies and URLs are replaced with [email_redacted].
Phone Numbers
Phone numbers (international and domestic formats) are replaced with [phone_redacted].
Credit Card Numbers
16-digit card numbers (with or without spaces or dashes) are replaced with [card_redacted].
What Is NOT Scrubbed
- Request URLs (endpoint paths are kept for monitoring purposes)
- HTTP method and status codes
- Response timing data
- Platform-specific non-sensitive fields
Technical Implementation
PII scrubbing runs on your local machine using 5 precompiled regex patterns. Processing time is under 1ms per request.
The scrubbed payload is what gets stored locally and uploaded to the cloud. The original sensitive data never leaves your machine.
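As an added illustration of the five pattern classes listed under "What Gets Scrubbed" and of the local self-check described under "Verification", here is a small Python scrubber. It is example code written for this page, not Guardrly's implementation: the regexes, the field names (url, headers, body, status, latency_ms), the find_leaks helper and the sample log entry are all constructed here, and only the placeholder strings [REDACTED], [email_redacted], [phone_redacted] and [card_redacted] come from the page.

```python
import re
from typing import Any, Dict, Iterable, List

# Placeholders as documented on the page.
REDACTED = "[REDACTED]"
EMAIL_PLACEHOLDER = "[email_redacted]"
PHONE_PLACEHOLDER = "[phone_redacted]"
CARD_PLACEHOLDER = "[card_redacted]"

# Five precompiled patterns, one per category. These are constructed for this
# example (assumption); the page does not publish Guardrly's actual patterns.
# 1. Authorization header line: keep the header name, drop the whole value
#    (Bearer token, API key or Basic credentials alike).
AUTH_HEADER_RE = re.compile(r"(?im)^(authorization:[ \t]*)\S.*$")
# 2. Token-like query parameters: keep "name=", drop the value.
TOKEN_PARAM_RE = re.compile(r"(?i)([?&](?:access_token|api_key|token|key)=)[^&#\s]+")
# 3. Email addresses.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 4. 16-digit card-like numbers, with or without spaces or dashes.
CARD_RE = re.compile(r"(?<!\d)(?:\d{4}[ -]?){3}\d{4}(?!\d)")
# 5. Phone numbers: optional country code, optional parentheses, common separators.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?\d{1,3}[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)"
)

# Only free-text fields that can carry user content are scrubbed; operational
# metadata (method, status, timing) is left untouched, matching "What Is NOT Scrubbed".
SCRUBBED_FIELDS = ("url", "headers", "body")


def scrub_text(text: str) -> str:
    """Apply all five patterns to one free-text field."""
    text = AUTH_HEADER_RE.sub(lambda m: m.group(1) + REDACTED, text)
    text = TOKEN_PARAM_RE.sub(lambda m: m.group(1) + REDACTED, text)
    text = EMAIL_RE.sub(EMAIL_PLACEHOLDER, text)
    # Cards before phones: both are digit runs, and the 16-digit match must win.
    text = CARD_RE.sub(CARD_PLACEHOLDER, text)
    text = PHONE_RE.sub(PHONE_PLACEHOLDER, text)
    return text


def scrub_entry(entry: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of an operation log entry with sensitive fields scrubbed.

    This is the payload that would be stored locally or uploaded; the original
    entry is not modified, so the caller can discard it without it ever leaving.
    """
    scrubbed = dict(entry)
    for field in SCRUBBED_FIELDS:
        if isinstance(scrubbed.get(field), str):
            scrubbed[field] = scrub_text(scrubbed[field])
    return scrubbed


def find_leaks(scrubbed: Dict[str, Any], known_secrets: Iterable[str]) -> List[str]:
    """Verification helper: list any known test secret still present anywhere in the entry."""
    blob = "\n".join(str(v) for v in scrubbed.values())
    return [s for s in known_secrets if s in blob]


# Constructed sample entry: a fake request carrying every category of sensitive value.
SAMPLE_ENTRY = {
    "method": "POST",
    "url": "https://api.example.com/v1/charges?access_token=abc123&limit=10",
    "status": 200,
    "latency_ms": 87,
    "headers": "Authorization: Bearer sk_live_EXAMPLE\nContent-Type: application/json",
    "body": '{"email":"customer@example.com","phone":"+1 415 555 0199","card":"4111 1111 1111 1111"}',
}
# The dummy secrets planted above, used by the self-check.
SAMPLE_SECRETS = ["sk_live_EXAMPLE", "abc123", "customer@example.com",
                  "+1 415 555 0199", "4111 1111 1111 1111"]

if __name__ == "__main__":
    cleaned = scrub_entry(SAMPLE_ENTRY)
    for key, value in cleaned.items():
        print(f"{key}: {value}")
    print("leaks:", find_leaks(cleaned, SAMPLE_SECRETS))
```

The self-check mirrors the page's verification advice: plant dummy values, scrub, and confirm none of them survive. Restricting the regexes to the url, headers and body fields is deliberate: a phone pattern run over every field would also swallow long numeric metadata such as millisecond timestamps, so keep the scrubber's scope to fields that can carry user content and let status and timing values through untouched.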
Verification
You can verify scrubbing is working by checking your logs at app.guardrly.com/logs. Authorization headers and tokens should appear as [REDACTED].
Compliance
Guardrly's PII scrubbing approach supports compliance with:
- GDPR (data minimization principle)
- CCPA (personal information protection)
- SOC 2 (access control requirements)
For the broader MCP hardening checklist, read MCP server security best practices.
FAQ
What is PII scrubbing?
PII scrubbing is the process of redacting sensitive values such as tokens, API keys, emails, phone numbers, and card-like numbers before logs are stored or uploaded.
Is local PII scrubbing safer than cloud scrubbing?
Local PII scrubbing is safer for AI agent logs because raw secrets are removed before data crosses the network or reaches a cloud queue.
What data gets scrubbed?
Guardrly scrubs authorization headers, token-like URL parameters, email addresses, phone numbers, and credit card-like numbers.
Is scrubbing local or cloud-based?
Scrubbing is local. Sensitive values are redacted before the operation log is queued locally or uploaded to the Guardrly cloud.
How can I verify redaction?
Send a test request with a dummy token or email, then check the Guardrly logs. Sensitive values should appear as redacted placeholders.