deobfuscate()
Standalone function for restoring obfuscated text using serialised session mappings.
deobfuscate() is a standalone function that reverses obfuscation by applying SessionMapping[] to a string. Unlike PrivacyClient.restore(), it does not require a PrivacyClient instance or a session stored in memory — you just pass the mappings directly.
import { deobfuscate } from '@secured-ai/core'Signature
function deobfuscate(content: string, mappings: SessionMapping[]): stringParameters
| Parameter | Type | Description |
|---|---|---|
content | string | The obfuscated text to restore |
mappings | SessionMapping[] | The substitution mappings from the original session |
Returns
The restored string with fake values replaced by their originals. If content or mappings is empty, the input is returned unchanged.
Basic usage
import { deobfuscate } from '@secured-ai/core'
const restored = deobfuscate(obfuscatedText, mappings)When to use deobfuscate() vs PrivacyClient.restore()
PrivacyClient.restore() | deobfuscate() | |
|---|---|---|
Requires PrivacyClient instance | Yes | No |
| Requires session to be in memory | Yes | No |
| Works across page reloads | No | Yes (with serialised mappings) |
| Works in a different browser tab | No | Yes |
| Works after server round-trip | No | Yes |
Use deobfuscate() whenever you need to restore text outside the lifecycle of the PrivacyClient that created the obfuscation.
Cross-context restoration
The primary use case for deobfuscate() is restoring text after a server round-trip — you obfuscate in the browser, send to a server, receive a response, then restore locally without needing a live PrivacyClient session.
// --- Step 1: Obfuscate and serialise mappings ---
import { PrivacyClient } from '@secured-ai/core'
const client = new PrivacyClient({
baseUrl: 'https://dev-api.securedai.com',
sdkAccessToken: import.meta.env.VITE_SECURED_SDK_ACCESS_TOKEN,
})
await client.initialize()
const text = 'Patient Alice Brown, DOB 03/22/1990, insurance ID INS-00443322.'
const { processed, sessionId } = await client.obfuscate(text)
const session = client.getSession(sessionId)!
// Serialise the mappings (store in state, localStorage, or send to server)
const mappingsJson = JSON.stringify(session.mappings)
// --- Step 2: Send obfuscated text to an API ---
const apiResponse = await fetch('/api/analyse', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ text: processed }),
})
const { result } = await apiResponse.json()
// --- Step 3: Restore the API response using serialised mappings ---
import { deobfuscate } from '@secured-ai/core'
const mappings = JSON.parse(mappingsJson)
const restored = deobfuscate(result, mappings)
console.log(restored)
// Contains the real values from Alice Brown's recordMatching behaviour
deobfuscate() uses a three-pass strategy to find and replace each fake value:
- Exact match — case-sensitive string replacement
- Case-insensitive match — handles capitalisation differences introduced by the API or downstream processing
- Partial match (PERSON only) — if a
PERSONreplacement contains multiple words, individual words of 3+ characters are tried separately. This handles cases where an LLM or downstream system paraphrases a name
Mappings are sorted by replacement length (longest first) before processing, which prevents shorter replacements from partially matching within longer ones.
Handling empty or invalid input
deobfuscate('', mappings) // returns ''
deobfuscate(text, []) // returns text unchanged
deobfuscate('', []) // returns ''Type reference
import type { SessionMapping } from '@secured-ai/core'
interface SessionMapping {
id: string
original: string // the real PII value
replacement: string // the fake value that was substituted
entityType: EntityType
position: { start: number; end: number } // position in original text
}