Please extend the Log Streams PII obfuscation mechanism (Masking / XXHash) to cover additional fields that may contain email addresses or other sensitive identifiers.
Currently, several Auth0 event payload fields expose email addresses in plaintext even when:
- All log data options are enabled
- PII obfuscation is configured as “XXHash (Recommended)”
According to Support, this is currently an intended limitation because obfuscation only applies to a predefined list of field names rather than to PII values detected contextually.
Affected Events and Fields
1. Event types: scp and fcp
   Field: @data.details.query.identifier.value
   Current behavior: Email addresses are visible in plaintext.
   Expected behavior: Email addresses should be obfuscated using the configured masking/hash strategy.
2. Event types: sce and fce
   Field: @data.details.body.newEmail
   Current behavior: Email addresses are visible in plaintext.
   Expected behavior: Email addresses should be obfuscated using the configured masking/hash strategy.
3. Event type: fp
   Field: @data.user_id
   Current behavior: Email addresses are visible in plaintext when user_id contains an email-based identifier.
   Expected behavior: Email addresses should be obfuscated using the configured masking/hash strategy.
Problem Statement
The current implementation only obfuscates a static set of field names such as:
- email
- username
- phone
- first_name
- last_name
However, many other Auth0 log fields can contain PII depending on the event type and authentication flow.
This creates several operational and compliance challenges:
- Sensitive data may unintentionally reach third-party observability platforms (Datadog, AWS)
- Additional downstream filtering pipelines become necessary
- Customers cannot rely on Auth0’s built-in obfuscation as a comprehensive privacy control
- Increased risk of GDPR/security compliance gaps
Requested Enhancement
We would like Auth0 to support one or more of the following improvements:
- Extend the default obfuscation coverage to include the affected fields above
- Introduce configurable field-based obfuscation rules
  - Example: allow customers to specify additional JSON paths to hash/mask
- Introduce value-aware obfuscation
  - Example: automatically detect and obfuscate email patterns regardless of field name
- Provide a “strict PII mode”
  - Example: aggressively hash all detected identifiers and email-like values before export
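The three requested mechanisms side by side, as an added Python example that is not Auth0's code and is not how Log Streams implements obfuscation: a per-event-type list of JSON paths covering the affected fields above, a value-aware email rule, and a strict mode that applies that rule to every string before export. The sample events, the SHA-256 stand-in for XXHash and the `EXTRA_PATHS` table are assumptions constructed for the illustration.

```python
import copy
import hashlib
import re

# Constructed events shaped like Auth0 Log Streams payloads (made-up values).
SAMPLE_EVENTS = [
    {"type": "scp", "data": {"details": {"query": {"identifier": {"value": "alice@example.com"}}}}},
    {"type": "sce", "data": {"details": {"body": {"newEmail": "bob@example.com"}}}},
    {"type": "fp", "data": {"user_id": "auth0|carol@example.com", "ip": "203.0.113.7"}},
]

# Field-based rules: event type -> dotted paths to hash ("@" prefix dropped).
EXTRA_PATHS = {
    "scp": ("data.details.query.identifier.value",), "fcp": ("data.details.query.identifier.value",),
    "sce": ("data.details.body.newEmail",), "fce": ("data.details.body.newEmail",),
    "fp": ("data.user_id",),
}
# Value-aware rule: an email-like pattern wherever it appears in a string.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def obfuscate(value: str) -> str:
    # Stand-in for the XXHash option (assumption): stdlib SHA-256, truncated but deterministic.
    return "h:" + hashlib.sha256(value.encode()).hexdigest()[:16]

def mask_emails(value: str) -> str:
    # Hash only email-like substrings, keeping text such as an "auth0|" connection prefix.
    return EMAIL_RE.sub(lambda m: obfuscate(m.group(0)), value)

def mask_path(node: dict, path: str) -> None:
    # Hash the whole string at a dotted path; silently skip paths absent from this event.
    *parents, leaf = path.split(".")
    for key in parents:
        node = node.get(key) if isinstance(node, dict) else None
    if isinstance(node, dict) and isinstance(node.get(leaf), str):
        node[leaf] = obfuscate(node[leaf])

def scrub_strings(node):
    # Strict mode: apply the value-aware rule to every string anywhere in the payload.
    if isinstance(node, dict):
        return {k: scrub_strings(v) for k, v in node.items()}
    if isinstance(node, list):
        return [scrub_strings(v) for v in node]
    return mask_emails(node) if isinstance(node, str) else node

def scrub_event(event: dict, strict: bool = False) -> dict:
    # Copy so the caller's event is untouched; field rules first, then the strict pass.
    out = copy.deepcopy(event)
    for path in EXTRA_PATHS.get(out.get("type"), ()):
        mask_path(out, path)
    return scrub_strings(out) if strict else out
```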
Business Impact
For customers using Log Streams integrations with platforms such as Datadog, Splunk, or other SIEM/observability tools, this limitation reduces confidence in using Auth0-native PII obfuscation and requires custom middleware or log processing pipelines.