Extend PII Obfuscation Coverage for Additional Log Stream Fields

Please extend the Log Streams PII obfuscation mechanism (Masking / XXHash) to cover additional fields that may contain email addresses or other sensitive identifiers.

Currently, several Auth0 event payload fields expose email addresses in plaintext even when:

  • All log data options are enabled

  • PII obfuscation is configured as “XXHash (Recommended)”

According to Support, this is currently an intended limitation because obfuscation only applies to a predefined list of field names rather than to PII values detected contextually.

Affected Events and Fields

1. Event types: scp and fcp

Field:
@data.details.query.identifier.value

Current behavior:
Email addresses are visible in plaintext.

Expected behavior:
Email addresses should be obfuscated using the configured masking/hash strategy.


2. Event types: sce and fce

Field:
@data.details.body.newEmail

Current behavior:
Email addresses are visible in plaintext.

Expected behavior:
Email addresses should be obfuscated using the configured masking/hash strategy.


3. Event type: fp

Field:
@data.user_id

Current behavior:
Email addresses are visible in plaintext when user_id contains an email-based identifier.

Expected behavior:
Email addresses should be obfuscated using the configured masking/hash strategy.

Problem Statement

The current implementation only obfuscates a static set of field names such as:

  • email

  • username

  • phone

  • first_name

  • last_name

However, many other Auth0 log fields can contain PII depending on the event type and authentication flow.

This creates several operational and compliance challenges:

  • Sensitive data may unintentionally reach third-party observability platforms (Datadog, AWS)

  • Additional downstream filtering pipelines become necessary

  • Customers cannot rely on Auth0’s built-in obfuscation as a comprehensive privacy control

  • Increased risk for GDPR/security compliance gaps

Requested Enhancement

We would like Auth0 to support one or more of the following improvements:

  1. Extend the default obfuscation coverage to include the affected fields above

  2. Introduce configurable field-based obfuscation rules
    Example:
      • allow customers to specify additional JSON paths to hash/mask

  3. Introduce value-aware obfuscation
    Example:
      • automatically detect and obfuscate email patterns regardless of field name

  4. Provide a “strict PII mode”
    Example:
      • aggressively hash all detected identifiers and email-like values before export

Business Impact

For customers using Log Streams integrations with platforms such as Datadog, Splunk, or other SIEM/observability tools, this limitation reduces confidence in using Auth0-native PII obfuscation and requires custom middleware or log processing pipelines.
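
The downstream filtering step the post describes could look like the sketch below: an added example, not Auth0 code or part of the original request, that applies per-event-type JSON path rules for the three affected fields and an optional value-aware pass for email-like strings. Assumptions: each event is a dict with the event type at `data.type`, the leading `@` in the field names is a viewer prefix and is dropped, and salted SHA-256 stands in for XXHash (which is not in the Python standard library).

```python
import copy
import hashlib
import re

# Paths taken from the post; the leading "@" is dropped (assumption).
IDENT = ("data", "details", "query", "identifier", "value")
NEW_EMAIL = ("data", "details", "body", "newEmail")
FIELD_RULES = {"scp": [IDENT], "fcp": [IDENT], "sce": [NEW_EMAIL],
               "fce": [NEW_EMAIL], "fp": [("data", "user_id")]}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def digest(value, salt=b"constructed-salt"):
    # Deterministic, so hashed values still correlate across events.
    return hashlib.sha256(salt + value.encode("utf-8")).hexdigest()[:16]


def hash_path(node, path):
    # Field-based rule: hash the whole string at `path`; skip if the path is absent.
    for key in path[:-1]:
        node = node.get(key) if isinstance(node, dict) else None
        if node is None:
            return
    if isinstance(node, dict) and isinstance(node.get(path[-1]), str):
        node[path[-1]] = digest(node[path[-1]])


def scrub_values(node):
    # Value-aware rule: replace email-like substrings in any string, at any depth.
    if isinstance(node, dict):
        return {k: scrub_values(v) for k, v in node.items()}
    if isinstance(node, list):
        return [scrub_values(v) for v in node]
    if isinstance(node, str):
        return EMAIL_RE.sub(lambda m: digest(m.group(0)), node)
    return node


def obfuscate(event, strict=False):
    # Works on a copy so the caller's event is never mutated.
    out = copy.deepcopy(event)
    event_type = out.get("data", {}).get("type")
    for path in FIELD_RULES.get(event_type, []):
        hash_path(out, path)
    return scrub_values(out) if strict else out


# Constructed sample event, not real log data.
SAMPLE = {"log_id": "constructed-1", "data": {"type": "fp", "user_id": "alice@example.com"}}
```

With `strict=False` only the listed paths are hashed, so an email in any other field still passes through; `strict=True` adds the value-aware pass over every string in the event.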