Sensitive Field Detector

Identify sensitive data fields in JSON/CSV before sending to AI APIs

Paste JSON or CSV and automatically identify fields likely to hold sensitive information — PII, financial data, health data, and authentication tokens — with a suggested pseudonymization strategy for each before you pass the data to an AI API. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

Does it inspect values or just field names?

It classifies by field name, which is fast and private but means a generically named field like "notes" can still hold PII. Always spot-check the actual values before sending anything to an AI API.

Sensitive field detector

Before you paste a database row or an API payload into an AI tool, it pays to know which fields carry risk. This detector reads your JSON or CSV, extracts the field names, and flags the ones likely to hold sensitive data — with a concrete pseudonymization strategy for each so you can clean the payload first.

How it works

Paste JSON or a CSV with a header row. The tool parses JSON (walking nested objects and arrays) or reads the CSV header, then classifies each field name against five categories: credentials and secrets, financial data, health data, general PII, and contact or location data. Matches are grouped and each comes with a handling recommendation — drop credentials, mask financial values, pseudonymize identifiers, coarsen locations. All of it runs locally in your browser.

The five categories and what to do with each

Credentials and secrets — API keys, passwords, tokens, private keys, connection strings. The recommended action is always drop entirely. There is no safe pseudonymization for a credential; even a masked value like sk-*** confirms the field exists and can still trip an overeager AI that asks clarifying questions. Remove these before the data leaves your system.

Financial data — card numbers, account numbers, routing numbers, CVVs, balances, transaction amounts. Mask numeric amounts to plausible ranges (replace the exact balance with a [FINANCIAL_VALUE] token or round to the nearest thousand). Card and account numbers should be tokenized or dropped.

Health data — diagnoses, medications, lab values, clinical notes, health identifiers. Health data carries HIPAA or GDPR special-category obligations and should be pseudonymized with opaque tokens. Aggregate or generalise where possible (replace a specific diagnosis code with its category, not the exact value).

General PII — names, national ID numbers, date of birth, biometric data. Stable tokens (PERSON_001) preserve relationships across records for AI analysis without exposing identity. If the relationship is not needed, drop the field.

Contact and location — email addresses, phone numbers, street addresses, GPS coordinates, IP addresses. For email and phone, replace with [CONTACT_REDACTED]. For location, coarsen to city or country level rather than full address.

Why field-name detection alone is not enough

The tool flags fields by name pattern, which is fast and works well for structured schemas where the DBA used descriptive column names. But fields called notes, description, comments, or metadata frequently contain freeform text that can include PII — a user who typed their phone number in a notes field, a doctor who wrote a patient name in a comment. Always read through the actual values in generic text fields before sending the data to any AI API, even if no field names were flagged.

Tips and notes

  • Names, not values. A field called notes or description won’t be flagged but can easily contain PII — always eyeball the actual values too.
  • Credentials get dropped, not masked. There is no safe way to send an API key to a third-party model; remove it entirely.
  • Pseudonymize, don’t just delete, identifiers. A stable token like USER_1 keeps your data’s structure intact for the AI while removing identity.
  • Private by design. Nothing leaves your browser, which is the point — you shouldn’t have to upload sensitive data to find out it’s sensitive.