diff --git a/contents/docs/error-tracking/code-variables/python.mdx b/contents/docs/error-tracking/code-variables/python.mdx index 55975e0dd90d..12d313dabf5b 100644 --- a/contents/docs/error-tracking/code-variables/python.mdx +++ b/contents/docs/error-tracking/code-variables/python.mdx 
@@ -87,6 +87,57 @@ with new_context(): mask_patterns_will_only_apply_to_this_method() ``` +### Detecting secrets automatically + +As a last resort, the SDK also scans captured variable *values* for high-entropy secrets that name-based masking misses — API keys, tokens, and strong passwords in innocuously-named variables — and replaces them with `***`. It recognizes common key formats (OpenAI, Anthropic, AWS, Stripe, GitHub, and more) and random high-entropy strings, while leaving identifiers like UUIDs, hashes, file paths, and URLs untouched. + +This is enabled by default. To disable it globally: + +```python +posthog = Posthog( + "", + enable_exception_autocapture=True, + capture_exception_code_variables=True, + code_variables_detect_secrets=False, +) +``` + +Or for a specific code block using contexts: + +```python +with new_context(): + set_code_variables_detect_secrets_context(False) + detection_disabled_only_here() +``` + +### Masking connection string credentials + +Credentials embedded in connection strings and URLs are scrubbed automatically, regardless of the variable name. Only the credentials are replaced — the scheme, host, and path are kept so the value stays useful for debugging: + +``` +postgresql://user:password@db.example.com:5432/mydb +→ postgresql://***@db.example.com:5432/mydb +``` + +This is enabled by default. To disable it globally: + +```python +posthog = Posthog( + "", + enable_exception_autocapture=True, + capture_exception_code_variables=True, + code_variables_mask_url_credentials=False, +) +``` + +Or for a specific code block using contexts: + +```python +with new_context(): + set_code_variables_mask_url_credentials_context(False) + masking_disabled_only_here() +``` + ### Ignoring variables Variable names matching ignore patterns are not captured at all. This is useful for excluding internal variables, temporary data, or framework-specific variables that don't provide debugging value.
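Review bot: In "Detecting secrets automatically", the text should state what the value scan does not catch, since it is enabled by default and readers may treat it as sufficient. The section says it targets "strong passwords" and leaves "hashes" untouched, so a low-entropy password or a password hash in an innocuously named variable would still be captured. Suggest adding a sentence that says so and points back to the name-based mask patterns as the primary control. In "Masking connection string credentials", the example turns `postgresql://user:password@db.example.com:5432/mydb` into `postgresql://***@db.example.com:5432/mydb`, so the username is replaced along with the password. The sentence "Only the credentials are replaced" should say that explicitly, and should say whether credentials passed as URL query parameters are covered or only the `user:password` part before the host. Both "To disable it globally" examples would also benefit from one line noting that `code_variables_detect_secrets=False` and `code_variables_mask_url_credentials=False` leave those values unmasked in captured exceptions.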