Policy-Based Scanning
Automatically scan and obfuscate content using Shield's configured policies.
Overview
The /api/scan endpoint applies your configured Shield policies (rules, obfuscations, applications) to automatically detect and mask sensitive data. This is the recommended endpoint for production use where policies are centrally managed.
Authentication
Requires API Key with Data Scanning permission.
How It Works
1. Match namespace against Applications
2. Apply Rules based on user/group/time
3. Detect data types from Obfuscations
4. Apply configured mask formats
5. Return obfuscated content
6. Log activity
The namespace parameter is matched against Application URL filters to determine which policies apply.
Endpoint
POST /api/scan
Scan content using configured policies.
Request
POST /api/scan?namespace=<app>&username=<user>&usergroup=<group>
Content-Type: application/json
Authorization: Bearer <api-key>
Query Parameters
| Parameter | Required | Description |
|---|---|---|
namespace |
Yes | Application identifier matched against app URL filters |
username |
No | Username for activity logging and user-based rules |
usergroup |
No | User group for activity logging and group-based rules |
Request Body
Any content type is supported (JSON, XML, text, etc.). The response will be in the same format as the request.
Application Namespace Matching
The namespace parameter is matched against Application URL filters to determine which rules apply.
Example Application:
Matching Namespaces:
- ✓
payment-api - ✓
payment-api-prod - ✓
payment-api-v2 - ✗
user-api
Recommended namespace patterns:
- Environment-based:
myapp-prod,myapp-staging - Service-based:
user-service,payment-service - Function-based:
external-apis,internal-tools
Examples
Basic Policy-Based Scan
curl -X POST "https://your-shield-host:8080/api/scan?namespace=payment-api&username=john.doe" \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"customer": {
"name": "John Doe",
"ssn": "123-45-6789",
"email": "john@example.com",
"creditCard": "4532-1234-5678-9012"
}
}'
import requests
BASE_URL = "https://your-shield-host:8080"
API_KEY = "YOUR_API_KEY"
HEADERS = {"Authorization": f"Bearer {API_KEY}"}
data = {
"customer": {
"name": "John Doe",
"ssn": "123-45-6789",
"email": "john@example.com",
"creditCard": "4532-1234-5678-9012"
}
}
response = requests.post(
f"{BASE_URL}/api/scan",
headers=HEADERS,
params={
"namespace": "payment-api",
"username": "john.doe"
},
json=data
)
masked_data = response.json()
print(masked_data)
const axios = require('axios');
const BASE_URL = 'https://your-shield-host:8080';
const API_KEY = 'YOUR_API_KEY';
const HEADERS = { 'Authorization': `Bearer ${API_KEY}` };
const data = {
customer: {
name: 'John Doe',
ssn: '123-45-6789',
email: 'john@example.com',
creditCard: '4532-1234-5678-9012'
}
};
const response = await axios.post(
`${BASE_URL}/api/scan`,
data,
{
headers: HEADERS,
params: {
namespace: 'payment-api',
username: 'john.doe'
}
}
);
const maskedData = response.data;
console.log(maskedData);
Response:
Scan with User Group
import requests
BASE_URL = "https://your-shield-host:8080"
API_KEY = "YOUR_API_KEY"
HEADERS = {"Authorization": f"Bearer {API_KEY}"}
data = {
"employee": {
"id": "E12345",
"ssn": "987-65-4321",
"salary": 85000
}
}
response = requests.post(
f"{BASE_URL}/api/scan",
headers=HEADERS,
params={
"namespace": "hr-system",
"username": "alice",
"usergroup": "hr-admins"
},
json=data
)
masked_data = response.json()
print(masked_data)
const axios = require('axios');
const BASE_URL = 'https://your-shield-host:8080';
const API_KEY = 'YOUR_API_KEY';
const HEADERS = { 'Authorization': `Bearer ${API_KEY}` };
const data = {
employee: {
id: 'E12345',
ssn: '987-65-4321',
salary: 85000
}
};
const response = await axios.post(
`${BASE_URL}/api/scan`,
data,
{
headers: HEADERS,
params: {
namespace: 'hr-system',
username: 'alice',
usergroup: 'hr-admins'
}
}
);
const maskedData = response.data;
console.log(maskedData);
Note: Group-based rules can apply different masking levels based on user group membership.
Scan XML Content
import requests
BASE_URL = "https://your-shield-host:8080"
API_KEY = "YOUR_API_KEY"
HEADERS = {
"Authorization": f"Bearer {API_KEY}",
"Content-Type": "application/xml"
}
xml_data = """
<customer>
<name>Jane Smith</name>
<ssn>555-12-3456</ssn>
<phone>555-123-4567</phone>
</customer>
"""
response = requests.post(
f"{BASE_URL}/api/scan",
headers=HEADERS,
params={"namespace": "legacy-api"},
data=xml_data
)
masked_xml = response.text
print(masked_xml)
const axios = require('axios');
const BASE_URL = 'https://your-shield-host:8080';
const API_KEY = 'YOUR_API_KEY';
const xmlData = `
<customer>
<name>Jane Smith</name>
<ssn>555-12-3456</ssn>
<phone>555-123-4567</phone>
</customer>
`;
const response = await axios.post(
`${BASE_URL}/api/scan`,
xmlData,
{
headers: {
'Authorization': `Bearer ${API_KEY}`,
'Content-Type': 'application/xml'
},
params: {
namespace: 'legacy-api'
}
}
);
const maskedXml = response.data;
console.log(maskedXml);
Response:
Response
The response format matches the request content type. Sensitive data is masked according to configured policies.
Response Fields:
- Original structure is preserved
- Detected sensitive data is obfuscated
- Non-sensitive data remains unchanged
Related Topics
- Scanning Overview - Main scanning concepts
- Dynamic Scan - Explicit data type control
- Applications API - Configure namespace matching
- Rules API - Set up scanning policies
- Activities API - Query scan activity logs