# Basic Concepts

> Methods to remove sensitive data from API recordings

## Overview

Sensitive data and Personally Identifiable Information (PII) are commonly
passed between services, and for compliance and security reasons they must be
handled very carefully.

Tusk provides methods for the redaction of sensitive data so that we can still
test these services while being sure that sensitive data is not leaving your
premises.

## Transforms

We use the concept of **Transforms** to redact PII. You may configure Transforms either in `config.yaml` or by passing them
directly to the call to `initialize()`.

Every module's instrumentation has its own separate configuration, because every
module behaves differently. With that said, they all follow the same structure. A transform is made up of:

1. A matcher
2. An action

### Matcher

A matcher denotes what exactly we want to act on. For example:

```
  "matcher": {
    "pathPattern": "/api/user/*",
    "method": "POST",
    "jsonPath": "$.user.password"
  }
```

says we want to run a transform only on the JSON field at this `jsonPath`, for
requests that match the `pathPattern` and use the `POST` method.

### Action

Actions specify how to mutate the span.
For example:

```
{
  "matcher": {
    "pathPattern": "/api/user/*",
    "method": "POST",
    "jsonPath": "$.user.password"
  },
  "action": {
    "type": "mask",
    "maskChar": "X"
  }
}
```

says we want to mask (replace) all password letters with 'X'.
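
To check what a rule like this covers before relying on it, the following added example (not Tusk's code) models the matcher and `mask` action above and runs them over two constructed requests, one inside the matcher's scope and one outside it. The helper names, the glob semantics of `*`, the dotted-path handling of `jsonPath`, and the one-for-one masking are assumptions.

```javascript
// Added example: a simplified model of matcher + action, not Tusk's implementation.
// Assumptions: "*" in pathPattern matches any run of characters, jsonPath is a
// plain dotted path ("$.a.b"), and "mask" replaces every character one-for-one.
function globToRegExp(pattern) {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*") + "$");
}

function matches(matcher, request) {
  if (matcher.method && matcher.method.toUpperCase() !== request.method.toUpperCase()) return false;
  return globToRegExp(matcher.pathPattern).test(request.path);
}

// Walk a dotted path; return the parent object and final key, or null if absent.
function locate(body, jsonPath) {
  const keys = jsonPath.replace(/^\$\.?/, "").split(".").filter(Boolean);
  let node = body;
  for (const key of keys.slice(0, -1)) {
    if (node === null || typeof node !== "object" || !(key in node)) return null;
    node = node[key];
  }
  const last = keys[keys.length - 1];
  if (node === null || typeof node !== "object" || !(last in node)) return null;
  return { parent: node, key: last };
}

function applyTransform(transform, request) {
  const copy = JSON.parse(JSON.stringify(request)); // never mutate the live request
  if (!matches(transform.matcher, copy)) return copy;
  const hit = locate(copy.body, transform.matcher.jsonPath);
  if (!hit) return copy;
  if (transform.action.type === "mask") {
    const maskChar = transform.action.maskChar || "*"; // fallback char is assumed
    hit.parent[hit.key] = maskChar.repeat(String(hit.parent[hit.key]).length);
  }
  return copy;
}

const transform = {
  matcher: { pathPattern: "/api/user/*", method: "POST", jsonPath: "$.user.password" },
  action: { type: "mask", maskChar: "X" },
};
// Constructed sample requests (not real recordings).
const signup = { method: "POST", path: "/api/user/signup", body: { user: { name: "ada", password: "hunter2!" } } };
const lookup = { method: "GET", path: "/api/user/42", body: { user: { password: "hunter2!" } } };
const recordedSignup = applyTransform(transform, signup); // password masked
const recordedLookup = applyTransform(transform, lookup); // outside matcher: unchanged
console.log(recordedSignup.body.user, recordedLookup.body.user);
```

The `GET` request keeps its password because the matcher is scoped to `POST`, so each route and method that carries the field needs its own matching rule.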
