Home → JSON Masking and Redaction

JSON Masking and Redaction

Mask sensitive fields in JSON before sharing, logging, or debugging.

About This Tool

Mask sensitive fields in JSON before sharing, logging, or debugging. This tool runs entirely in your browser — no data is ever sent to a server. Free to use, no account required.

What JSON Data Masking Is

Masking replaces sensitive field values with a placeholder before the JSON is shared, ensuring private data does not leave a controlled environment.

Key-Based Masking

Specify keys like "password", "token", or "ssn" and all values under those keys — at any nesting depth — are replaced with *** or a custom mask string. This is the fastest way to sanitize common sensitive fields.

Pattern-Based Masking

Use regex patterns to mask values that look sensitive regardless of key name — all email addresses, all credit card numbers, all Bearer tokens. This catches sensitive data stored under unexpected key names.

When to Use JSON Masking

Masking is important whenever JSON containing sensitive information needs to be shared outside a secure context.

Sharing Logs and Debugging Info

Mask sensitive fields before pasting JSON into Slack messages, Jira tickets, GitHub issues, or support requests. This prevents accidental exposure of API keys, passwords, or personal data.

Preparing Test Data

Create realistic but safe test fixtures by masking production data. The masked JSON retains the structure and non-sensitive values, making it useful for testing without exposing real user data.

Frequently Asked Questions

What is JSON data masking?

JSON data masking replaces sensitive values in a JSON document with a placeholder like *** or REDACTED before the document is shared, logged, or used in non-production environments. Unlike deleting the field entirely, masking preserves the key and structure so the document shape is still visible, which helps with debugging.

Which fields does the tool mask?

You specify which keys to mask by name (exact match or wildcard). Common examples include password, token, secret, api_key, ssn, credit_card, and authorization. The tool recursively searches the entire JSON document for those keys at any nesting depth and replaces their values.

Can I mask values by pattern instead of key name?

Yes. Use regex pattern masking to redact values that match a format regardless of key name. For example, mask all strings matching the email pattern, all 16-digit numbers (credit cards), or all strings starting with 'Bearer ' (auth tokens). This catches sensitive data in unexpected fields.

Is masked JSON reversible?

No. Masking is a one-way operation — the original values are replaced and cannot be recovered from the masked output. This is intentional: the point of masking is to permanently remove sensitive data from the shared copy. Always keep the original if you need the real values.

JSON Data Masking Reference

JSON masking protects sensitive data (PII, credentials, financial data) in logs, API responses, and debugging outputs. It's required for GDPR, PCI-DSS, and HIPAA compliance.

Masking Strategies

// Original
{
  "name": "Alice Johnson",
  "email": "alice@example.com",
  "phone": "+1-555-0134",
  "ssn": "123-45-6789",
  "creditCard": "4111111111111111",
  "password": "secret123"
}

// Masked
{
  "name": "A*** J***",
  "email": "a***@e***.com",
  "phone": "+1-***-**34",
  "ssn": "***-**-6789",
  "creditCard": "****-****-****-1111",
  "password": "***"
}

Masking Patterns by Data Type

Field Type	Masking Pattern
Password / secret	Replace entirely with ***
Email	Show first char + * + domain: a*@example.com
Phone number	Show last 4 digits: *-34
Credit card (PAN)	Show last 4: **--**-1111 (PCI-DSS standard)
SSN	Show last 4: *--6789
Name	Show initials: A.J. or A* J*
IP address	Mask last octet: 192.168.1.***
API key	Show first 4 + *: sk-**...

JavaScript Masking Implementation

const SENSITIVE_KEYS = new Set(["password","token","apiKey","ssn","creditCard"]);

function maskJson(obj) {
  if (typeof obj !== "object" || obj === null) return obj;
  return Object.fromEntries(
    Object.entries(obj).map(([k, v]) => [
      k,
      SENSITIVE_KEYS.has(k.toLowerCase()) ? "***" : maskJson(v)
    ])
  );
}

JSON Masking: Protecting Sensitive Data

Masking replaces sensitive field values with redacted placeholders so the data can be safely shared in logs, bug reports, or debugging sessions without exposing private information.

// Before masking
{
  "user": {
    "id": 12345,
    "name": "Alice Smith",
    "email": "alice@example.com",
    "password": "mySecretP@ss!",
    "creditCard": "4111-1111-1111-1111",
    "apiKey": "sk-abc123xyz789",
    "address": {
      "street": "123 Main St",
      "city": "London"
    }
  }
}

// After masking sensitive fields
{
  "user": {
    "id": 12345,
    "name": "Alice Smith",
    "email": "al***@***.com",
    "password": "****",
    "creditCard": "****-****-****-1111",
    "apiKey": "sk-****",
    "address": {
      "street": "123 Main St",
      "city": "London"
    }
  }
}

Fields That Should Always Be Masked

These field types require masking under GDPR, PCI-DSS, and HIPAA regulations. When in doubt, mask any field that could identify or harm a person if exposed.

Field Type	Common Key Names	Masking Pattern
Passwords	password, passwd, pwd, secret	****
API Keys	apiKey, api_key, token, accessToken	First 4 chars + ****
Credit cards	creditCard, cardNumber, cc	Last 4 digits only
Email addresses	email, emailAddress	al*@*.com
Phone numbers	phone, phoneNumber, mobile	Last 4 digits only
SSN / National ID	ssn, nationalId, taxId	*--XXXX
Private keys	privateKey, secretKey	**** (fully masked)

Explore more tools: All JSON Tools | Validator | Pretty Print | JSON Diff