How to Redact PII from Any API Call
Stop PII from leaking through outbound API calls. Learn how to redact sensitive data from any HTTP request — AI providers, webhooks, payment APIs — using a proxy-level security layer.
The problem: PII leaking through outbound API calls
Sensitive data doesn't only leak through AI APIs. Every outbound HTTP call is a potential vector — webhooks sending customer data to third-party services, payment integrations passing PII to processors, analytics platforms receiving user context. Most of these calls have zero scanning or controls.
// Webhook to a third-party CRM
await fetch("https://api.thirdparty.com/contacts", {
method: "POST",
headers: {
"Content-Type": "application/json",
Authorization: `Bearer ${CRM_TOKEN}`,
},
body: JSON.stringify({
name: "Lisa Park",
email: "lisa.park@startup.io",
phone: "+1-650-555-0199",
notes: `Customer since 2023. SSN on file: 412-55-7890.
Home address: 55 Market St, San Francisco, CA 94105.
Internal ref: db_password=supersecret123`,
}),
});
That webhook just sent a name, email, phone number, SSN, home address, and a database password to an external service. And this isn't even an AI call — it's a standard integration that most teams never audit.
Where PII hides in outbound traffic
Any outbound HTTP request can carry sensitive data:
- Webhooks — customer data sent to Slack, CRMs, ticketing systems
- Payment APIs — cardholder names, addresses, and account numbers
- Analytics and logging — user context, IP addresses, session data
- AI providers — prompts assembled from user inputs, CRM records, internal docs
- Email services — recipient PII, personalization tokens, form submissions
- Third-party integrations — any API that receives data from your system
The common thread: freeform text fields and JSON bodies carry PII, and most teams have no visibility into what's being sent.
The solution: proxy-level redaction with Grepture
Grepture is an open-source security proxy that sits between your application and any external service. Every outbound request is scanned for PII, secrets, and sensitive patterns before it reaches the destination. Sensitive values are masked — and for AI calls, restored in the response so your application works normally.
It works with any HTTP call, not just AI providers. One security layer for all outbound traffic.
Setup in 3 minutes
1. Install the SDK
npm install @grepture/sdk
2. Get your API key
Sign up at grepture.com/en/pricing — the free plan includes 1,000 requests/month. Copy your API key from the dashboard.
3. Replace fetch with grepture.fetch
import { Grepture } from "@grepture/sdk";
const grepture = new Grepture({
apiKey: process.env.GREPTURE_API_KEY!,
proxyUrl: "https://proxy.grepture.com",
});
// Drop-in replacement for fetch — same API, same arguments
const response = await grepture.fetch(
"https://api.thirdparty.com/contacts",
{
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({
name: "Lisa Park",
email: "lisa.park@startup.io",
notes: customerNotes,
}),
}
);
const data = await response.json();
grepture.fetch() accepts the same arguments as the standard fetch API. Every request flows through the proxy, scanned against your detection rules before reaching the destination.
For AI SDKs: use clientOptions
If you're using an SDK like OpenAI or Anthropic, use clientOptions() instead for tighter integration:
import OpenAI from "openai";
import { Grepture } from "@grepture/sdk";
const grepture = new Grepture({
apiKey: process.env.GREPTURE_API_KEY!,
proxyUrl: "https://proxy.grepture.com",
});
const openai = new OpenAI({
...grepture.clientOptions({
apiKey: process.env.OPENAI_API_KEY!,
baseURL: "https://api.openai.com/v1",
}),
});
This works with any provider that exposes an OpenAI-compatible endpoint — OpenAI, Anthropic, Google AI, Azure OpenAI, Mistral, Groq, Cohere, and more. Pass that provider's own apiKey and baseURL to clientOptions(); the proxy then sits in front of whichever endpoint you name.
What gets detected
Grepture ships with 50+ detection patterns on the free tier and 80+ on Pro:
| Category | Examples | Tier |
|---|---|---|
| Personal identifiers | Names, emails, phone numbers, SSNs, dates of birth | Free (regex), Pro (AI) |
| Financial data | Credit card numbers, IBANs, routing numbers | Free |
| Credentials | API keys, bearer tokens, passwords, connection strings | Free |
| Network identifiers | IP addresses, MAC addresses | Free |
| Freeform PII | Names, organizations, and addresses in unstructured text | Pro (local AI models) |
| Adversarial inputs | Prompt injection attempts | Business |
All detection runs on Grepture infrastructure; request data is not forwarded to any party other than the destination you addressed. Because the proxy is in the data path, it does handle the plaintext request in transit, so it belongs in your data-processing inventory and threat model like any other processor between you and the destination.
Mask and restore: reversible redaction
For AI API calls, Grepture supports reversible redaction — PII is replaced with tokens in the outbound request and restored in the response.
What the AI provider sees:
Summarize this customer record:
Name: [PERSON_1]
Email: [EMAIL_1]
Phone: [PHONE_1]
...
What your app gets back:
The customer Lisa Park (lisa.park@startup.io) has been
a member since 2023. Contact via +1-650-555-0199.
For non-AI calls (webhooks, payment APIs, etc.), you can choose to permanently redact, mask with fixed patterns, or block the request entirely — depending on your compliance requirements.
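To make the scan, mask, and restore steps concrete, here is an added example written for this article. It is not code from the @grepture/sdk package or from Grepture's proxy; the names `redact`, `restore`, `Policy` and `BlockedRequestError`, the sample body and the simulated model reply are all constructed for the example. It applies a regex-tier pass to the webhook body from the top of the page: every string in the JSON body is scanned, detected values are replaced with numbered tokens, a per-request mapping is kept, and the originals are put back into a reply that echoes the tokens. Passing a policy with `block` for a category rejects the request instead of masking it, the option described for non-AI calls above. The card detector runs a Luhn check so arbitrary 13-19 digit numbers are not flagged, and, as the detection table says, a regex tier leaves bare names such as "Lisa Park" untouched; that needs the model-based Pro detection.

```typescript
// Added illustration, not Grepture's code: a minimal reversible-redaction layer of
// the kind a proxy applies to an outbound JSON body before forwarding it.
// All names below are invented for this example.

type Category = "SECRET" | "EMAIL" | "CARD" | "SSN" | "PHONE";
type Policy = { [C in Category]?: "mask" | "block" };
type Mapping = { [token: string]: string }; // "[EMAIL_1]" -> "lisa.park@startup.io"

class BlockedRequestError extends Error {
  constructor(category: Category) {
    super("request blocked: body contains " + category);
    this.name = "BlockedRequestError";
  }
}

// Luhn checksum: keeps 13-19 digit order IDs or timestamps from being flagged as cards.
function luhnValid(digits: string): boolean {
  if (digits.length < 13) return false;
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits.charAt(i));
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

interface Detector { category: Category; pattern: RegExp; accept?: (m: string) => boolean; }

// Order matters: each detector replaces its matches before the next one runs, so a
// "password=..." value is claimed as SECRET before PHONE could grab digits inside it.
const DETECTORS: Detector[] = [
  { category: "SECRET", pattern: /(?:password|passwd|secret|api[_-]?key|token)\s*[=:]\s*\S+/gi },
  { category: "SECRET", pattern: /\bBearer\s+[A-Za-z0-9._-]{16,}/g },
  { category: "EMAIL", pattern: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g },
  { category: "CARD", pattern: /\b(?:\d[ -]?){13,19}\b/g,
    accept: (m) => luhnValid(m.replace(/\D/g, "")) },
  { category: "SSN", pattern: /\b\d{3}-\d{2}-\d{4}\b/g },
  { category: "PHONE", pattern: /\+?\d{1,3}[-. ]?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b/g },
];

interface Ctx { policy: Policy; mapping: Mapping; counters: { [C in Category]?: number }; valueToToken: Mapping; }

function redactText(text: string, ctx: Ctx): string {
  let out = text;
  for (const det of DETECTORS) {
    out = out.replace(det.pattern, (m: string) => {
      if (det.accept && !det.accept(m)) return m;
      if (ctx.policy[det.category] === "block") throw new BlockedRequestError(det.category);
      const key = det.category + ":" + m;
      // Same value -> same token within one request, so a model can refer to it consistently.
      if (ctx.valueToToken[key]) return ctx.valueToToken[key];
      const n = (ctx.counters[det.category] || 0) + 1;
      ctx.counters[det.category] = n;
      const token = "[" + det.category + "_" + n + "]";
      ctx.mapping[token] = m;
      ctx.valueToToken[key] = token;
      return token;
    });
  }
  return out;
}

// Walk the JSON body: freeform strings anywhere in the tree get scanned, not just top-level fields.
function redactValue(v: unknown, ctx: Ctx): unknown {
  if (typeof v === "string") return redactText(v, ctx);
  if (Array.isArray(v)) return v.map((x) => redactValue(x, ctx));
  if (v !== null && typeof v === "object") {
    const out: { [k: string]: unknown } = {};
    for (const k of Object.keys(v as object)) out[k] = redactValue((v as any)[k], ctx);
    return out;
  }
  return v; // numbers, booleans, null pass through untouched
}

function redact(body: unknown, policy: Policy = {}): { redacted: unknown; mapping: Mapping } {
  const ctx: Ctx = { policy, mapping: {}, counters: {}, valueToToken: {} };
  return { redacted: redactValue(body, ctx), mapping: ctx.mapping };
}

// The "restore" half: put originals back into a response that echoes the tokens.
// split/join rather than a regex, because the tokens contain bracket metacharacters.
function restore(text: string, mapping: Mapping): string {
  let out = text;
  for (const token of Object.keys(mapping)) out = out.split(token).join(mapping[token]);
  return out;
}

// Constructed sample mirroring the webhook body from the top of the page (not real data).
const SAMPLE_BODY = {
  name: "Lisa Park",
  email: "lisa.park@startup.io",
  phone: "+1-650-555-0199",
  card: "4111 1111 1111 1111",
  notes: "Customer since 2023. SSN on file: 412-55-7890.\n" +
    "Home address: 55 Market St, San Francisco, CA 94105.\n" +
    "Internal ref: db_password=supersecret123",
};

function demo(): string {
  const { redacted, mapping } = redact(SAMPLE_BODY);
  // Constructed stand-in for a model reply that refers to the tokens it was shown.
  const modelReply = "Contact [EMAIL_1] at [PHONE_1]; SSN [SSN_1] is on file.";
  return JSON.stringify(redacted) + "\n" + restore(modelReply, mapping);
}

console.log(demo());
```

The mapping lives for exactly one request: a proxy has to hold it across the round trip and drop it afterwards, and only the response body is restored. Running the block prints the body as the destination would see it (name intact, everything else tokenised) followed by the reply with the originals put back.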
Works everywhere
grepture.fetch() runs anywhere the standard fetch API is available:
- Node.js (18+)
- Bun
- Deno
- Edge runtimes (Vercel Edge, Cloudflare Workers)
Zero dependencies. Same API. One proxy for all outbound traffic.
Next steps
- View pricing — free for up to 1,000 requests/month
- Read the docs — SDK reference, configuration, and dashboard guide
- See how it works — architecture, detection rules, and zero-data mode