Redactorr
Redactorr
100% local • browser-only
← Back to Docs
Tokenization

Reversible Tokens

Protect sensitive data with reversible tokenization that preserves data utility and enables complete restoration.

How Tokenization Works

Before Redaction

Customer john.smith@acme.com purchased using card 4532-1234-5678-9010

SSN: 123-45-6789 | API Key: sk-proj-abc123xyz789

After Redaction

Customer [EMAIL_7f8a] purchased using card [CREDIT_CARD_2b4c]

SSN: [SSN_9d1e] | API Key: [API_KEY_4a6f]

Token Format

Each token follows the format: [TYPE_HASH]

  • TYPE: The category of sensitive data (EMAIL, SSN, CREDIT_CARD, etc.)
  • HASH: A unique 4-character identifier for this specific value

Reversibility Process

1

Token Generation

When sensitive data is detected, a unique token is generated and a mapping is created:

Token: [EMAIL_7f8a]

Original: john.smith@acme.com

2

Encrypted Storage

The token mapping is encrypted using AES-256 and stored locally on your machine. The encryption key is derived from your machine's unique identifier.

3

Document Replacement

All instances of the sensitive data in your document are replaced with the token. The document structure and formatting remain intact.

4

Restoration

To reverse the redaction, the encrypted mappings are decrypted and tokens are replaced with original values. This can only be done on the machine where redaction occurred.

Preserving Data Utility

Unlike simple masking (e.g., "XXXX-XXXX-XXXX-9010"), reversible tokens preserve important document characteristics:

What's Preserved

  • Data Type: You can see what kind of data was redacted
  • Uniqueness: Same values get same tokens
  • Structure: Document format remains readable
  • Context: Surrounding text is unchanged

Use Cases

  • Share logs with support teams while protecting credentials
  • Use AI assistants with customer data safely
  • Create test datasets from production data
  • Collaborate on documents with external parties

Token Security Guarantees

Cryptographically Secure

Token hashes are generated using SHA-256. It's computationally infeasible to reverse-engineer the original value from the token alone.

Machine-Bound Encryption

Token mappings are encrypted with a key derived from your machine's unique identifier. Even if an attacker steals the mapping file, they cannot decrypt it without your specific machine.

No Remote Access

Token mappings are stored locally and never sent to external servers. Only you have access to reverse the redactions.

Expiration Support

Token mappings can be configured to expire after a set period. Once expired, the mapping is securely deleted and the redaction becomes permanent.

Token Management

All token mappings are managed through your local dashboard. You can:

  • View all stored token mappings
  • Reverse specific redactions
  • Export mappings for backup
  • Delete mappings when no longer needed

Learn More

Explore related documentation

Smart DetectionSecurityAPI Reference