# Hiding Sensitive Values in Event Data Block outputs may contain sensitive data such as API keys, passwords, or personally identifiable information. Sensitive paths let you specify which fields in a block’s output should be redacted, replacing their values with `******` in the event viewer and API responses. ## How Redaction Works [Section titled “How Redaction Works”](#how-redaction-works) Each block output can have a list of JSONPath expressions that identify sensitive fields. When a block produces an event, the system evaluates these paths against the output data and marks matching values as sensitive. Those values are then replaced with `******` whenever the event is displayed in the UI or returned through the API. Downstream blocks still receive the actual unredacted values for processing. Redaction only affects how the data is displayed. **Example**: A block outputs the following data with `$.password` configured as a sensitive path: ** ``` { "username": "alice", "password": "s3cret!"} ``` **In the event viewer:** ** ``` { "username": "alice", "password": "******"} ``` ## Configuring Sensitive Paths [Section titled “Configuring Sensitive Paths”](#configuring-sensitive-paths) To add sensitive paths to a block output: 1. Select the block on the canvas to open its sidebar 1. Navigate to the block’s output section 1. Expand the **Sensitive paths** card 1. Click **Add path** and enter a JSONPath expression (e.g. `$.password`) 1. Click outside the input or press Tab to save — changes apply automatically ![Sensitive Paths](/images/sensitive-paths.png) To remove a path, click the trash icon next to it. Closing the **Sensitive paths** card clears all configured paths. ## JSONPath Syntax [Section titled “JSONPath Syntax”](#jsonpath-syntax) Sensitive paths use [JSONPath](https://www.rfc-editor.org/rfc/rfc9535#name-overview-of-jsonpath-expres) expressions starting with `$` (the root of the block’s output). Here are the most common patterns: | Expression | Matches | | --- | --- | | `$.password` | A top-level field | | `$.credentials.token` | A nested field | | `$.users[*].ssn` | A field in every array element | | `$.tokens[*]` | Every element of an array | | `$` | The entire output | Expressions support wildcards (`[*]`) for arrays and can be chained to arbitrary depth (e.g. `$.data.users[*].credentials.apiKey`). The full syntax is specified [here](https://www.rfc-editor.org/rfc/rfc9535#name-overview-of-jsonpath-expres). ## Examples [Section titled “Examples”](#examples) ### Redacting a field from an API response [Section titled “Redacting a field from an API response”](#redacting-a-field-from-an-api-response) A block calls an external API and returns connection details: ** ``` { "host": "db.example.com", "port": 5432, "username": "app_user", "password": "xK9#mP2$vL"} ``` **Sensitive path**: `$.password` **Result in event viewer:** ** ``` { "host": "db.example.com", "port": 5432, "username": "app_user", "password": "******"} ``` ### Redacting PII from an array of records [Section titled “Redacting PII from an array of records”](#redacting-pii-from-an-array-of-records) A block queries a list of users: ** ``` { "users": [ { "name": "Alice", "email": "alice@example.com", "ssn": "123-45-6789" }, { "name": "Bob", "email": "bob@example.com", "ssn": "987-65-4321" } ]} ``` **Sensitive path**: `$.users[*].ssn` **Result in event viewer:** ** ``` { "users": [ { "name": "Alice", "email": "alice@example.com", "ssn": "******" }, { "name": "Bob", "email": "bob@example.com", "ssn": "******" } ]} ``` Multiple sensitive paths can be combined — for example, adding both `$.users[*].ssn` and `$.users[*].email` redacts both fields. ## App-Defined Sensitive Fields [Section titled “App-Defined Sensitive Fields”](#app-defined-sensitive-fields) App developers can mark fields as sensitive directly in the output schema by setting `"sensitive": true` on a property. When a block with such a schema produces events, the matching paths are automatically configured — no manual setup is needed. This is useful for apps that inherently deal with sensitive data, such as credential managers or authentication providers. See the [Configuration](/developers/building-apps/configuration) documentation for details on declaring sensitive fields in app definitions. ## Important Behavior [Section titled “Important Behavior”](#important-behavior) - **Redaction is display-level only.** Downstream blocks receive actual values through the `outputs` variable. Sensitive paths control what is visible in the event viewer and API, not what flows through the automation. - **Non-matching paths are ignored.** If a JSONPath expression doesn’t match any field in the output (e.g. the field doesn’t exist or the structure differs), it is silently skipped. No errors are raised. - **Applied after output customization.** If a block has a Customize expression on its output, sensitive paths are evaluated against the transformed data, not the original. Make sure your JSONPath expressions match the structure produced by the customization. - **Parent paths cover children.** Marking `$.credentials` as sensitive redacts the entire object, including all nested fields. There is no need to also mark `$.credentials.password` separately. - **Sensitive paths vs Secrets.** [Secrets](/configuration-and-expressions/secrets) protect values used in configuration expressions (API tokens, signing keys). Sensitive paths protect values that appear in block output event data. Use both when appropriate.