Idiomatic way of conditionally masking PII fields? #11519

ivasic · 2025-03-04T11:49:57Z

ivasic
Mar 4, 2025

Is there an idiomatic way to mark Pydantic fields as containing PII so that, during serialization (on demand, e.g. with a context flag like a.model_dump(hide_pii=True)), these fields are automatically obfuscated/masked (recursively for nested models) without breaking OpenAPI schema generation (as with FastAPI)?

Background & What I’ve Tried:
A model like this one:

I tried creating a PIIMixin and attaching it like this:

class PersonSchema(PIIMixin, BaseModel):
    email: EmailStr = Field(..., json_schema_extra={"pii": True})
    phone: str = Field(..., json_schema_extra={"pii": True})
    name: str = Field(...)  # Non-PII field

The idea was to do something like person.model_dump(hide_pii=True).
From here on, in the mixin I tried:

Custom serializer:
I attached a @model_serializer(mode="wrap") to a PII mixin and marked fields as containing PII, which seems to work, but it breaks FastAPI’s OpenAPI schema generation (no details about the schema due to a custom serializer). Something like this:

    @model_serializer(mode="wrap")
    def serialize_with_pii_handling(self, serializer: Any, *, hide_pii: bool = True) -> Any:
        """Custom serializer that obfuscates PII fields when requested."""
        data = serializer(self)
        if hide_pii:
            for name, field in self.model_fields.items():  # type: ignore[attr-defined]
                extra = field.json_schema_extra
                if extra:
                    # Handle case where json_schema_extra is a callable
                    if callable(extra):
                        extra = extra({})
                    
                    if extra.get("hide_pii", False):
                        if name in data:
                            if field.annotation is EmailStr:
                                prefix, domain = data[name].split("@", 1)
                                data[name] = f"{prefix[:2]}***@{domain}"
                            else:
                                value = str(data[name])
                                if len(value) > 2:
                                    data[name] = f"{value[:2]}{'*' * (len(value) - 2)}"
        return data

Overriding model_dump:
Overriding model_dump worked for a flat model but fails for nested models since Pydantic doesn’t seem to call the override recursively.

    def model_dump(self, *args: Any, **kwargs: Any) -> dict[str, Any]:
        """Overriding model_dump to handle PII obfuscation."""
        data: dict[str, Any] = super().model_dump(*args, **kwargs)  # type: ignore

        context = kwargs.get("context")
        if context is not None and context.get("hide_pii", False):
            for name, field in self.model_fields.items():
                if not data.get(name):
                    continue
                extra = field.json_schema_extra
                if extra and isinstance(extra, dict) and extra.get("pii", False):
                    # Apply email-specific obfuscation if it's an email field and contains @
                    if field.annotation is EmailStr:
                        prefix, domain = data[name].split("@", 1)
                        data[name] = f"{prefix[:2]}***@{domain}"
                    # Apply generic obfuscation for other PII fields
                    elif isinstance(data[name], str):
                        data[name] = f"{data[name][:2]}{'*' * (len(data[name]) - 2)}"
        return data

Is there a better, more Pydantic way of achieving this? I can easily hack my way through this, but what I’m looking for is a more robust and built-in or idiomatic approach.

Viicos · 2025-03-05T13:09:06Z

Viicos
Mar 5, 2025
Maintainer

You might be interested in the Secret type.

Or, using a WrapSerializer:

from typing import Annotated, TypeVar

from pydantic import BaseModel, SerializationInfo, SerializerFunctionWrapHandler, WrapSerializer

def serializer_pii(value, handler: SerializerFunctionWrapHandler, info: SerializationInfo):
    if info.context and info.context.get('hide_pii'):
        return '***'
    return handler(value)

T = TypeVar('T')

PiiType = Annotated[T, WrapSerializer(serializer_pii)]


class Model(BaseModel):
    a: PiiType[str]

Model(a="test").model_dump()
#> {'a': 'test'}
Model(a="test").model_dump(context={'hide_pii': True})
#> {'a': '***'}

1 reply

ivasic Mar 6, 2025
Author

Hey @Viicos, great stuff. I did explore the wrap serializer but on the full object, I didn't try it on the field itself. This works perfectly!

Thanks a lot for the help! 🙌

FinchPowers · 2025-11-14T04:32:16Z

FinchPowers
Nov 14, 2025

Thank you for this thread. It inspired me to come up with another solution. The short version is

from typing import Annotated

from pydantic import (
    BaseModel,
    PlainSerializer,
    SecretStr,
)

PIIStr = Annotated[
    SecretStr,
    PlainSerializer(
        lambda x: x.get_secret_value(),
        return_type=str,
        when_used="json",
    ),
]


class PersonalInfo(BaseModel):
    name: PIIStr
    other_value: str


personal_info = PersonalInfo(name="Frank-Mich", other_value="foo bar")
print("raw:", personal_info)
#> raw: name=SecretStr('**********') other_value='foo bar'
print("default (python) model dump:", personal_info.model_dump())
#> default (python) model dump: {'name': SecretStr('**********'), 'other_value': 'foo bar'}
print("json model dump:", personal_info.model_dump(mode="json"))
#> json model dump: {'name': 'Frank-Mich', 'other_value': 'foo bar'}

The major advantage is that it defaults to safety. Unless explicitly dumping as JSON, the PII remains hidden.
The first major drawback is the need to have one annotation per inherent type. Like for the OP, we would need an annotation like PIIEmailStr to be able to set and use the EmailStr validator. The second major drawback is a limitation. If the "target type" (like str or EmailStr) has methods we need, it does not work because the field type is SecretStr, not the target type.

Here is how PIIEmailStr would be annotated. See the addition of BeforeValidator.

PIIEmailStr = Annotated[
    SecretStr,
    BeforeValidator(lambda x: EmailStr._validate(x)),
    PlainSerializer(
        lambda x: x.get_secret_value(),
        return_type=str,
    ),
]

For more detailed explanations and examples in FastAPI, I made a blog post.

0 replies

F71B

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Idiomatic way of conditionally masking PII fields? #11519

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Uh oh!

Idiomatic way of conditionally masking PII fields? #11519

Uh oh!

ivasic Mar 4, 2025

Replies: 2 comments · 1 reply

Uh oh!

Uh oh!

Viicos Mar 5, 2025 Maintainer

Uh oh!

ivasic Mar 6, 2025 Author

Uh oh!

FinchPowers Nov 14, 2025

ivasic
Mar 4, 2025

Replies: 2 comments 1 reply

Viicos
Mar 5, 2025
Maintainer

ivasic Mar 6, 2025
Author

FinchPowers
Nov 14, 2025