By default, Subtrace redacts all known authorization credentials from every request. To change this behaviour, set the authCredentials field in your config YAML file. Here’s an example:

# The default value is "redact". By setting this field's value to "keep", we're
# overriding the behavior so that Subtrace keeps all credentials unmodified.
authCredentials: "keep"

# ...the rest of your config
tags:
  service: foo

To use the config file, set the --config command line flag when starting Subtrace:

./subtrace run --config=/path/to/subtrace.yaml -- node app.js

This option affects the following HTTP headers across all requests:

  • Cookie header on the request
  • Set-Cookie header on the response
  • Authorization header on the response

The following values are allowed:

  • redact will redact the auth credential completely (default).
  • hash will replace the value with a SHA256 hash of the original value (see below).
  • keep will trace the full auth credential string in cleartext (NOT recommended).

Using authCredentials: "hash"

The authCredentials: "hash" allows you to cross-match credentials across different requests safely without storing raw auth credentials in cleartext. For example, let’s say a client makes an API call with following request header:

Authorization: Bearer my-secret-api-key-1234

Setting authCredentials: "hash" will hash the value when the request is traced:

Authorization: <redacted:sha256:a4281572876fbe0eb4780386c435bd8be7bc36136a98e90a68a0af3837f27483>

Two requests using the same Authorization header will have the same redacted hash. If you know the original API key, you can also compute the hash yourself using the sha256sum command:

$ echo -n "Bearer my-secret-api-key-1234" | sha256sum
a4281572876fbe0eb4780386c435bd8be7bc36136a98e90a68a0af3837f27483  -
TagsUsing the dashboard