
PII Scanning

Sylo can scan outbound request bodies for personally identifiable information (PII) before they reach external APIs.

PII scanning is configured per session, as part of the sandbox token request:

const session = await sylo.createSandboxToken({
// ...
pii: {
action: "redact", // "redact" or "block"
patterns: ["ssn", "credit_card", "email", "phone"],
},
});
  • redact — replace detected PII with [REDACTED] and forward the request
  • block — reject the entire request with a 403 response
| Pattern | Matches |
| --- | --- |
| ssn | Social Security Numbers (e.g., 123-45-6789) |
| credit_card | Credit card numbers (Luhn-validated) |
| email | Email addresses |
| phone | Phone numbers (US and international formats) |

PII detections are logged in the audit trail:

const { events } = await sylo.queryAudit({ tenantId: "acme" });
// event.piiDetected: ["ssn", "email"]
// event.piiAction: "redact"

PII scanning runs after policy checks. If a request is denied by policy, PII scanning is skipped entirely. If the request is allowed but contains PII:

  • redact: matching values are replaced with [REDACTED] and the modified body is forwarded. Because the body changes in transit, any caller-computed body signature or checksum that the upstream API verifies will no longer match.
  • block: the request is rejected with a 403 and logged as a PII violation; nothing reaches the external API.
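As an added worked example (this is not Sylo's own code), the following standalone JavaScript scanner reproduces the behaviour described by the pattern table and the ordering rules above: it detects the four pattern classes in an outbound body, applies Luhn validation to card candidates, redacts or blocks according to the configured action, and skips scanning when policy has already denied the request. The function names (`scanBody`, `handleOutbound`, `luhnValid`), the regular expressions and the sample body are assumptions made for this example.

```javascript
// Added example (not Sylo's code): a self-contained scanner reproducing the
// documented semantics of the `pii` option. Names, regexes and sample data
// are assumptions made here.

// Scan order matters: once an SSN or card number has been redacted, the looser
// phone pattern can no longer match a window inside it, so specific first.
const SCAN_ORDER = ["ssn", "credit_card", "email", "phone"];

const PATTERNS = {
  // 3-2-4 digits with dashes, e.g. 123-45-6789
  ssn: /\b\d{3}-\d{2}-\d{4}\b/g,
  // 13-19 digits, optionally separated by spaces or dashes; confirmed by Luhn below
  credit_card: /\b(?:\d[ -]?){12,18}\d\b/g,
  email: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/g,
  // Optional +country code, optional parentheses, 3-3-4 groups; the lookarounds
  // stop it from matching a 10-digit window inside a longer digit run.
  phone: /(?<![\d-])(?:\+?\d{1,3}[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?![\d-])/g,
};

// Luhn check: double every second digit from the right, subtract 9 from any
// doubled value above 9, and require the sum to be a multiple of 10.
function luhnValid(digits) {
  let sum = 0;
  let dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    dbl = !dbl;
  }
  return digits.length >= 13 && sum % 10 === 0;
}

// Apply the configured patterns to a body string and return what the proxy
// would act on: which pattern names fired and the body (if any) to forward.
function scanBody(body, { action = "redact", patterns = SCAN_ORDER } = {}) {
  const piiDetected = [];
  let redacted = body;
  for (const name of SCAN_ORDER) {
    if (!patterns.includes(name)) continue;
    let hit = false;
    redacted = redacted.replace(PATTERNS[name], (match) => {
      // Digit runs that fail Luhn are not card numbers; leave them untouched.
      if (name === "credit_card" && !luhnValid(match.replace(/[ -]/g, ""))) return match;
      hit = true;
      return "[REDACTED]";
    });
    if (hit) piiDetected.push(name);
  }
  if (piiDetected.length === 0) {
    return { status: 200, forwarded: true, body, piiDetected };
  }
  if (action === "block") {
    return { status: 403, forwarded: false, body: null, piiDetected, piiAction: "block" };
  }
  return { status: 200, forwarded: true, body: redacted, piiDetected, piiAction: "redact" };
}

// Ordering from the text: policy first; the PII scan only runs if policy allowed.
function handleOutbound(body, { policyAllowed, pii }) {
  if (!policyAllowed) {
    return { status: 403, forwarded: false, body: null, reason: "policy", piiDetected: [] };
  }
  return scanBody(body, pii);
}

// Constructed sample body. 4111 1111 1111 1111 is the well-known Luhn-valid
// test number; 1234 5678 9012 3456 is 16 digits but fails Luhn and must survive.
const SAMPLE_BODY = JSON.stringify({
  customer: "Jane Doe",
  ssn: "123-45-6789",
  card: "4111 1111 1111 1111",
  order_ref: "1234 5678 9012 3456",
  contact: "jane@example.com, +1 415-555-0123",
});

if (typeof require !== "undefined" && require.main === module) {
  console.log(handleOutbound(SAMPLE_BODY, { policyAllowed: true, pii: { action: "redact", patterns: SCAN_ORDER } }));
  console.log(handleOutbound(SAMPLE_BODY, { policyAllowed: true, pii: { action: "block", patterns: ["ssn"] } }));
  console.log(handleOutbound(SAMPLE_BODY, { policyAllowed: false, pii: { action: "block", patterns: SCAN_ORDER } }));
}
```

Two design points worth noting: the Luhn step is what keeps a 16-digit order reference from being redacted as a card number, and the fixed scan order keeps the broad phone pattern from firing on digit windows that belong to an SSN or card number that a more specific pattern already claimed.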