# ory-copilot
@chilly-king-10285 can I redact some keys in the http request to prevent logging of some sensitive values in Ory Kratos
A message from kapa.ai
Ory Kratos (and other Ory services) redact sensitive values such as Authorization headers, Cookies, and request queries by default in logs. The logs will show a placeholder message like:
```
query: Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true".
```
This means that by default, these sensitive fields are not logged. If you want to ensure that sensitive data is not leaked, you should keep the configuration option `log.leak_sensitive_values` set to `false` (which is the recommended and default setting for production). However, the knowledge sources do not mention a way to selectively redact or allowlist specific keys within the HTTP request context beyond the default redaction of cookies, authorization headers, and queries. The redaction appears to be an all-or-nothing setting controlled by `log.leak_sensitive_values`—either sensitive values are redacted, or they are not. There is no documented way to specify custom keys for redaction in the logs at this time [Logs and audit trails](https://www.ory.sh/docs/self-hosted/operations/logging#log-fields). If you need more granular control, such as redacting only certain keys, this is not currently supported according to the available documentation.
@chilly-king-10285 is it possible to still figure out a way to redact some keys if I proxy all the Ory Kratos requests via a backend service
A message from kapa.ai
If you proxy all Ory Kratos requests through a backend service, you gain full control over the HTTP requests and responses before they reach Ory Kratos. While Ory Kratos itself does not provide a way to selectively redact specific keys in its logs (it only supports redacting all sensitive values via the `log.leak_sensitive_values` setting), your backend proxy could implement custom logic to remove or mask any sensitive fields from the requests or responses before forwarding them to Ory Kratos. This approach is not documented as an official Ory feature, but it is technically feasible because your proxy can manipulate the data as needed. However, the knowledge sources do not provide explicit guidance or best practices for implementing such a proxy-based redaction mechanism. The only officially documented method for redacting sensitive values in Ory Kratos logs is the global `log.leak_sensitive_values` configuration [Secure secrets](https://www.ory.sh/docs/kratos/guides/deploy-kratos-example#secure-secrets).

In summary:

- Ory Kratos does not support selective redaction of log fields natively.
- If you proxy requests, you can implement your own redaction logic in the proxy, but this is outside the scope of Ory's official documentation and support.

If you need more granular log redaction, you would need to handle it at the proxy layer, as Ory Kratos itself does not provide this capability.