Sensitive Data Redaction On Console/API

[sancar]

Workflow logs may contain sensitive data in the body or headers. Users need a way to redact these fields so they are not visible in the dashboard or API responses, preventing accidental data leaks. This also enables safer use of Workflow in multi-tenant setups where customer data may be included in logs.

API

Allow specifying fields to redact when triggering a workflow.

import { Client } from "@upstash/workflow";

const client = new Client({ token: "<QSTASH_TOKEN>" });

const { workflowRunId } = await client.trigger({
  url: "https://my-app.com/api/workflow",
  body: { hello: "world" },
  redact: {
    body: true,
    header: ["Authorization"] // or `header: true` to redact all headers
  },
});

In this example, the log body and the "Authorization" header are redacted and will not appear in the UI or API responses. Instead, the UI will display REDACTED:<SHA256> so users can verify the value without revealing the original data.

Docs: https://upstash.com/docs/workflow/howto/redact-fields