This feature allows you to obscure data before sending it as part of the analytics payload.
With this feature, Apigee uses SHA512 to hash the original value before sending data from the runtime
plane to the control plane.
Procedure
You can set the salt value for the hash with the
axHashSalt
property in the overrides.yaml file. The axHashSalt property specifies a value
used as a salt when computing SHA512 hashes to obfuscate sensitive analytics data. Apigee recommends using the same value across different clusters that host
the same Apigee organization. Apply the value with apigeectl.
Enable this feature for each environment by setting features.analytics.data.obfuscation.enabled to
true.
With obfuscation enabled, Apigee hybrid will hash the following fields with SHA512 at the runtime plane before
sending the information to analytics backend:
client_id
client_ip
developer_email
proxy_client_ip
proxy_pathsuffix
request_uri
request_path
target_basepath
target_url
x_forwarded_for_ip
x-apigee.edge.true_client_ip
x-apigee.intelligence.client_ip_header
Apigee hybrid will hash the following dimension values in custom analytics reports:
The obfuscated results display in the Apigee hybrid analytics dashboard. It may take several
minutes before you see the hashed results in the UI.
Example
The following example shows the data before and after obfuscating:
// JSON data sent to AX before obfuscating{"proxy_basepath":"/APP_NAME","x-apigee.edge.execution.stats.request_flow_endtimestamp":1582770652814,"apiproxy":"APP_NAME","x-apigee.edge.is_policy_error":0,"client_sent_start_timestamp":1582770652817,"x-apigee.edge.is_target_error":0,"client_received_start_timestamp":1582770652813,"client_ip":"10.10.0.99","is_error":false,"x-apigee.edge.stats.steps":"{\"JS1.0\":1}","request_size":0,"x-apigee.intelligence.client_ip_header":"10.10.0.99","virtual_host":"default","x-apigee.edge.mp_host":"mp","sla":false,"x-apigee.intelligence.service":"{}","client_sent_end_timestamp":1582770652817,"request_uri":"/APP_NAME","proxy":"default","proxy_client_ip":"10.10.0.99","x-apigee.edge.dn.region":"dc-1","apigee.edge.execution.is_apigee_fault":0,"x-apigee.edge.target.latency.stats":"{\"targetList\":[]}","useragent":"Apache-HttpClient/4.3.6 (java 1.6)","proxy_pathsuffix":"","x-apigee.edge.execution.stats.request_flow_start_timestamp":1582770652814,"x_forwarded_for_ip":"10.10.0.99","x_forwarded_proto":"http","response_status_code":200,"request_verb":"GET","x-apigee.edge.execution.stats.response_flow_end_timestamp":1582770652816,"gateway_source":"message_processor","environment":"env_82hw","client_received_end_timestamp":1582770652814,"organization":"Org_1582769880344","x-apigee.edge.execution.stats.response_flow_start_timestamp":1582770652814,"request_path":"/APP_NAME","gateway_flow_id":"rt-8644-188-1","apiproxy_revision":"1"}
// JSON data sent to AX after obfuscating{"proxy_basepath":"/APP_NAME","x-apigee.edge.execution.stats.request_flow_endtimestamp":1582749361836,"apiproxy":"APP_NAME","x-apigee.edge.is_policy_error":0,"client_sent_start_timestamp":1582749361884,"x-apigee.edge.is_target_error":0,"client_received_start_timestamp":1582749361790,"client_ip":"090cdae81ea6e58e55093f702661cf2325cef6a68aa801f1209e73bb0649c2b931bcad468911da887a42ce1d1daee07b24933e3dbbde6eb7438cfc9020a25445","is_error":false,"x-apigee.edge.stats.steps":"{\"JS1.0\":30}","request_size":0,"x-apigee.intelligence.client_ip_header":"090cdae81ea6e58e55093f702661cf2325cef6a68aa801f1209e73bb0649c2b931bcad468911da887a42ce1d1daee07b24933e3dbbde6eb7438cfc9020a25445","virtual_host":"default","x-apigee.edge.mp_host":"mp","sla":false,"x-apigee.intelligence.service":"{}","client_sent_end_timestamp":1582749361886,"request_uri":"0176937d9c4a33094d3c3f38ac8b15fa05dd6380a6bb544e4002c98de9f27bdbfea754901b0acb487f4980b09f7d312ad1e7027b96b2c8bfd8b9c24e833fbb5a","proxy":"default","proxy_client_ip":"090cdae81ea6e58e55093f702661cf2325cef6a68aa801f1209e73bb0649c2b931bcad468911da887a42ce1d1daee07b24933e3dbbde6eb7438cfc9020a25445","x-apigee.edge.dn.region":"dc-1","apigee.edge.execution.is_apigee_fault":0,"x-apigee.edge.target.latency.stats":"{\"targetList\":[]}","useragent":"Apache-HttpClient/4.3.6 (java 1.6)","proxy_pathsuffix":"cf83e1.67eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81.638327af927da3e","x-apigee.edge.execution.stats.request_flow_start_timestamp":1582749361833,"x_forwarded_for_ip":"090cdae81ea6e58e55093f702661cf2325cef6a68aa801f1209e73bb0649c2b931bcad468911da887a42ce1d1daee07b24933e3dbbde6eb7438cfc9020a25445","x_forwarded_proto":"http","response_status_code":200,"request_verb":"GET","x-apigee.edge.execution.stats.response_flow_end_timestamp":1582749361874,"gateway_source":"message_processor","environment":"env_xj25","client_received_end_timestamp":1582749361821,"organization":"Org_1582749068984","x-apigee.edge.execution.stats.response_flow_start_timestamp":1582749361836,"request_path":"0176937d9c4a33094d3c3f38ac8b15fa05dd6380a6bb544e4002c98de9f27bdbfea754901b0acb487f4980b09f7d312ad1e7027b96b2c8bfd8b9c24e833fbb5a","gateway_flow_id":"rt-6290-57-1","apiproxy_revision":"1"}
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eThis documentation covers the data obfuscation feature in Apigee hybrid version 1.2 and newer, which uses SHA512 to hash sensitive data in analytics payloads before sending it to the control plane.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003eaxHashSalt\u003c/code\u003e property in the \u003ccode\u003eoverrides.yaml\u003c/code\u003e file is used to set a salt value for the SHA512 hashing, and it's recommended to use the same value across clusters within an organization.\u003c/p\u003e\n"],["\u003cp\u003eYou can enable data obfuscation for each environment by setting \u003ccode\u003efeatures.analytics.data.obfuscation.enabled\u003c/code\u003e to \u003ccode\u003etrue\u003c/code\u003e via a PUT request to the Apigee API.\u003c/p\u003e\n"],["\u003cp\u003eOnce enabled, multiple fields, including \u003ccode\u003eclient_ip\u003c/code\u003e, \u003ccode\u003edeveloper_email\u003c/code\u003e, and \u003ccode\u003erequest_uri\u003c/code\u003e, will be hashed, and the hashed values will display in the Apigee hybrid analytics dashboard.\u003c/p\u003e\n"],["\u003cp\u003eAnalytics reports will display unhashed data if communicated before you enabled obfuscation, or after you disable it, while all data will be obfuscated when enabled.\u003c/p\u003e\n"]]],[],null,["# Obfuscate user data for analytics\n\n| You are currently viewing version 1.9 of the Apigee hybrid documentation. **This version is end of life.** You should upgrade to a newer version. For more information, see [Supported versions](/apigee/docs/hybrid/supported-platforms#supported-versions).\n\nThis feature allows you to obscure data before sending it as part of the analytics payload.\nWith this feature, Apigee uses SHA512 to hash the original value before sending data from the runtime\nplane to the control plane.\n| This feature is for Apigee hybrid 1.2 and newer only.\n\nProcedure\n---------\n\nYou can set the salt value for the hash with the\n[`axHashSalt`](/apigee/docs/hybrid/v1.9/config-prop-ref#axhashsalt)\nproperty in the `overrides.yaml` file. The `axHashSalt` property specifies a value\nused as a salt when computing SHA512 hashes to obfuscate sensitive analytics data. Apigee recommends using the same value across different clusters that host\nthe same Apigee organization. Apply the value with [`apigeectl`](/apigee/docs/hybrid/v1.9/cli-reference).\n\nEnable this feature for each environment by setting `features.analytics.data.obfuscation.enabled` to **true**.\nWhen using `PUT`, be careful to include the entire set of properties for your environment. PUT overwrites the entire property set each time you issue it. \n\n```\ncurl -v -X PUT \\\n https://apigee.googleapis.com/v1/organizations/your_org_name/environments/your_env_name \\\n -H \"Content-Type: application/json\" \\\n -H \"Authorization: Bearer $TOKEN\" \\\n -d '{\n \"name\" : \"your_env_name\",\n \"properties\" : {\n \"property\" : [ {\n \"name\" : \"features.analytics.data.obfuscation.enabled\",\n \"value\" : \"true\"\n },]\n }\n}'\n```\n\n\nWith obfuscation enabled, Apigee hybrid will hash the following fields with SHA512 at the runtime plane before\nsending the information to analytics backend:\n\n- client_id\n- client_ip\n- developer_email\n- proxy_client_ip\n- proxy_pathsuffix\n- request_uri\n- request_path\n- target_basepath\n- target_url\n- x_forwarded_for_ip\n- x-apigee.edge.true_client_ip\n- x-apigee.intelligence.client_ip_header\n\nApigee hybrid will hash the following dimension values in custom analytics reports:\n\n- Client ID\n- Client IP Address\n- Developer Email\n- Proxy Client IP\n- Proxy Path Suffix\n- Referred Client IP\n- Request Path\n- Request URI\n- Resolved Client IP\n- Target Base Path\n- Target URL\n- X Forwarded For\n\nSee [Analytics metrics, dimensions, and filters reference](https://docs.apigee.com/api-platform/analytics/analytics-reference#dimensions) for detailed descriptions of analytics dimensions.\n\nViewing obfuscated results\n--------------------------\n\n\nThe obfuscated results display in the Apigee hybrid analytics dashboard. It may take several\nminutes before you see the hashed results in the UI.\n\n| **Note:** Analytics reports will display unhashed data communicated from the runtime plane before you enabled obfuscating or after you disable it. \n\nExample\n-------\n\n\nThe following example shows the data before and after obfuscating: \n\n```scilab\n// JSON data sent to AX before obfuscating\n{\n \"proxy_basepath\":\"/APP_NAME\",\n \"x-apigee.edge.execution.stats.request_flow_endtimestamp\":1582770652814,\n \"apiproxy\":\"APP_NAME\",\n \"x-apigee.edge.is_policy_error\":0,\n \"client_sent_start_timestamp\":1582770652817,\n \"x-apigee.edge.is_target_error\":0,\n \"client_received_start_timestamp\":1582770652813,\n \"client_ip\":\"10.10.0.99\",\n \"is_error\":false,\n \"x-apigee.edge.stats.steps\":\"{\\\"JS1.0\\\":1}\",\n \"request_size\":0,\n \"x-apigee.intelligence.client_ip_header\":\"10.10.0.99\",\n \"virtual_host\":\"default\",\n \"x-apigee.edge.mp_host\":\"mp\",\n \"sla\":false,\n \"x-apigee.intelligence.service\":\"{}\",\n \"client_sent_end_timestamp\":1582770652817,\n \"request_uri\":\"/APP_NAME\",\n \"proxy\":\"default\",\n \"proxy_client_ip\":\"10.10.0.99\",\n \"x-apigee.edge.dn.region\":\"dc-1\",\n \"apigee.edge.execution.is_apigee_fault\":0,\n \"x-apigee.edge.target.latency.stats\":\"{\\\"targetList\\\":[]}\",\n \"useragent\":\"Apache-HttpClient/4.3.6 (java 1.6)\",\n \"proxy_pathsuffix\":\"\",\n \"x-apigee.edge.execution.stats.request_flow_start_timestamp\":1582770652814,\n \"x_forwarded_for_ip\":\"10.10.0.99\",\n \"x_forwarded_proto\":\"http\",\n \"response_status_code\":200,\n \"request_verb\":\"GET\",\n \"x-apigee.edge.execution.stats.response_flow_end_timestamp\":1582770652816,\n \"gateway_source\":\"message_processor\",\n \"environment\":\"env_82hw\",\n \"client_received_end_timestamp\":1582770652814,\n \"organization\":\"Org_1582769880344\",\n \"x-apigee.edge.execution.stats.response_flow_start_timestamp\":1582770652814,\n \"request_path\":\"/APP_NAME\",\n \"gateway_flow_id\":\"rt-8644-188-1\",\n \"apiproxy_revision\":\"1\"\n}\n``` \n\n```scilab\n// JSON data sent to AX after obfuscating\n{\n \"proxy_basepath\":\"/APP_NAME\",\n \"x-apigee.edge.execution.stats.request_flow_endtimestamp\":1582749361836,\n \"apiproxy\":\"APP_NAME\",\n \"x-apigee.edge.is_policy_error\":0,\n \"client_sent_start_timestamp\":1582749361884,\n \"x-apigee.edge.is_target_error\":0,\n \"client_received_start_timestamp\":1582749361790,\n \"client_ip\":\"090cdae81ea6e58e55093f702661cf2325cef6a68aa801f1209e73bb0649c2b931bcad468911da887a42ce1d1daee07b24933e3dbbde6eb7438cfc9020a25445\",\n \"is_error\":false,\n \"x-apigee.edge.stats.steps\":\"{\\\"JS1.0\\\":30}\",\n \"request_size\":0,\n \"x-apigee.intelligence.client_ip_header\":\"090cdae81ea6e58e55093f702661cf2325cef6a68aa801f1209e73bb0649c2b931bcad468911da887a42ce1d1daee07b24933e3dbbde6eb7438cfc9020a25445\",\n \"virtual_host\":\"default\",\n \"x-apigee.edge.mp_host\":\"mp\",\n \"sla\":false,\n \"x-apigee.intelligence.service\":\"{}\",\n \"client_sent_end_timestamp\":1582749361886,\n \"request_uri\":\"0176937d9c4a33094d3c3f38ac8b15fa05dd6380a6bb544e4002c98de9f27bdbfea754901b0acb487f4980b09f7d312ad1e7027b96b2c8bfd8b9c24e833fbb5a\",\n \"proxy\":\"default\",\n \"proxy_client_ip\":\"090cdae81ea6e58e55093f702661cf2325cef6a68aa801f1209e73bb0649c2b931bcad468911da887a42ce1d1daee07b24933e3dbbde6eb7438cfc9020a25445\",\n \"x-apigee.edge.dn.region\":\"dc-1\",\n \"apigee.edge.execution.is_apigee_fault\":0,\n \"x-apigee.edge.target.latency.stats\":\"{\\\"targetList\\\":[]}\",\n \"useragent\":\"Apache-HttpClient/4.3.6 (java 1.6)\",\n \"proxy_pathsuffix\":\"cf83e1.67eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81.638327af927da3e\",\n \"x-apigee.edge.execution.stats.request_flow_start_timestamp\":1582749361833,\n \"x_forwarded_for_ip\":\"090cdae81ea6e58e55093f702661cf2325cef6a68aa801f1209e73bb0649c2b931bcad468911da887a42ce1d1daee07b24933e3dbbde6eb7438cfc9020a25445\",\n \"x_forwarded_proto\":\"http\",\n \"response_status_code\":200,\n \"request_verb\":\"GET\",\n \"x-apigee.edge.execution.stats.response_flow_end_timestamp\":1582749361874,\n \"gateway_source\":\"message_processor\",\n \"environment\":\"env_xj25\",\n \"client_received_end_timestamp\":1582749361821,\n \"organization\":\"Org_1582749068984\",\n \"x-apigee.edge.execution.stats.response_flow_start_timestamp\":1582749361836,\n \"request_path\":\"0176937d9c4a33094d3c3f38ac8b15fa05dd6380a6bb544e4002c98de9f27bdbfea754901b0acb487f4980b09f7d312ad1e7027b96b2c8bfd8b9c24e833fbb5a\",\n \"gateway_flow_id\":\"rt-6290-57-1\",\n \"apiproxy_revision\":\"1\"\n}\n```"]]
