The Data Classes API provides access to information about sensitive data classifications that Metlo uses to identify and categorize data in your API traffic.

Get Data Class Information

Retrieve a list of all data classes configured in Metlo.
cURL
curl 'https://<your-metlo-instance>/api/v1/data-class' \
  -H 'Authorization: metlo_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'

Response

dataClasses
DataClass[]
Array of data class objects
Response Example
[
  {
    "className": "email",
    "severity": "MEDIUM",
    "shortName": "Email Address"
  },
  {
    "className": "ssn",
    "severity": "HIGH",
    "shortName": "Social Security Number"
  },
  {
    "className": "credit_card",
    "severity": "HIGH",
    "shortName": "Credit Card"
  },
  {
    "className": "phone_number",
    "severity": "MEDIUM",
    "shortName": "Phone Number"
  },
  {
    "className": "ip_address",
    "severity": "LOW",
    "shortName": "IP Address"
  },
  {
    "className": "driver_license",
    "severity": "HIGH",
    "shortName": "Driver's License"
  },
  {
    "className": "dob",
    "severity": "MEDIUM",
    "shortName": "Date of Birth"
  },
  {
    "className": "address",
    "severity": "MEDIUM",
    "shortName": "Physical Address"
  },
  {
    "className": "api_key",
    "severity": "HIGH",
    "shortName": "API Key"
  },
  {
    "className": "authentication_token",
    "severity": "HIGH",
    "shortName": "Auth Token"
  }
]

Data Class Object Structure

className
string
Machine-readable identifier for the data class (e.g., email, ssn, credit_card)
severity
enum
Risk level associated with this data type:
  • HIGH: Critical sensitive data (SSN, credit cards, API keys)
  • MEDIUM: Moderately sensitive data (emails, phone numbers)
  • LOW: Less sensitive data (IP addresses, generic identifiers)
  • NONE: Non-sensitive data
shortName
string
Human-readable name for display purposes

Common Data Classes

Metlo includes built-in detection for common sensitive data types:

High Severity

  • Social Security Numbers: US SSNs in various formats
  • Credit Card Numbers: Major credit card formats (Visa, MasterCard, Amex, etc.)
  • API Keys: Common API key patterns from various services
  • Authentication Tokens: JWT tokens, OAuth tokens, session tokens
  • Driver's License: Driver's license numbers
  • Passport Numbers: International passport numbers

Medium Severity

  • Email Addresses: Email addresses in standard format
  • Phone Numbers: Phone numbers in various international formats
  • Date of Birth: Birth dates in various formats
  • Physical Addresses: Street addresses and mailing addresses

Low Severity

  • IP Addresses: IPv4 and IPv6 addresses
  • MAC Addresses: Network hardware addresses
  • User IDs: Generic user identifiers

Data Field Management

While the Data Classes API provides information about data types, the Endpoints API includes operations for managing data fields on specific endpoints.

Update Data Field Classes

Modify the data classes assigned to a specific data field:
cURL
curl -X POST 'https://<your-metlo-instance>/api/v1/data-field/{dataFieldId}/update-classes' \
  -H 'Authorization: metlo_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
  -H 'Content-Type: application/json' \
  -d '{
    "dataClasses": ["email", "phone_number"],
    "dataSection": "RESPONSE_BODY",
    "dataPath": "user.contact"
  }'

Request Body

dataClasses
string[]
required
Array of data class identifiers to assign
dataSection
enum
required
Where the data appears:
  • REQUEST_QUERY: URL query parameters
  • REQUEST_HEADER: Request headers
  • REQUEST_BODY: Request body
  • RESPONSE_HEADER: Response headers
  • RESPONSE_BODY: Response body
dataPath
string
required
JSON path to the data field (e.g., user.email, items[0].name)
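
A client-side check for the update-classes request body, added here as an example and not taken from Metlo's own code: it rejects class names that are absent from the `/api/v1/data-class` listing and `dataSection` values outside the enum before anything is sent. The function name and the `KNOWN_CLASSES` sample are assumptions, and whether the server performs the same validation is not stated on this page.

```python
import json

# Values of the dataSection enum listed in the Request Body section.
DATA_SECTIONS = {
    "REQUEST_QUERY", "REQUEST_HEADER", "REQUEST_BODY",
    "RESPONSE_HEADER", "RESPONSE_BODY",
}

# Constructed sample: three entries copied from the response example on this page.
KNOWN_CLASSES = [
    {"className": "email", "severity": "MEDIUM", "shortName": "Email Address"},
    {"className": "phone_number", "severity": "MEDIUM", "shortName": "Phone Number"},
    {"className": "ssn", "severity": "HIGH", "shortName": "Social Security Number"},
]


def build_update_classes_body(data_classes, data_section, data_path, known=KNOWN_CLASSES):
    """Return the JSON request body, or raise ValueError naming every problem found."""
    valid_names = {dc["className"] for dc in known}
    errors = []

    if not isinstance(data_classes, list) or not all(isinstance(c, str) for c in data_classes):
        errors.append("dataClasses must be a list of strings")
    else:
        unknown = sorted(set(data_classes) - valid_names)
        if unknown:
            errors.append("unknown data classes: " + ", ".join(unknown))

    if not isinstance(data_section, str) or data_section not in DATA_SECTIONS:
        errors.append(f"dataSection {data_section!r} is not one of {sorted(DATA_SECTIONS)}")

    if not isinstance(data_path, str) or not data_path.strip():
        errors.append("dataPath must be a non-empty string")

    if errors:
        raise ValueError("; ".join(errors))

    # Drop duplicate class names while keeping the caller's order.
    unique_classes = list(dict.fromkeys(data_classes))
    return json.dumps(
        {"dataClasses": unique_classes, "dataSection": data_section, "dataPath": data_path}
    )


if __name__ == "__main__":
    print(build_update_classes_body(["email", "phone_number"], "RESPONSE_BODY", "user.contact"))
```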

Delete Data Field

Remove a data field classification:
cURL
curl -X DELETE 'https://<your-metlo-instance>/api/v1/data-field/{dataFieldId}' \
  -H 'Authorization: metlo_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'

Update Data Field Entity

Assign an entity/owner to a data field:
cURL
curl -X PUT 'https://<your-metlo-instance>/api/v1/data-field/{dataFieldId}/update-entity' \
  -H 'Authorization: metlo_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
  -H 'Content-Type: application/json' \
  -d '{"entity": "user-service"}'

Update Data Field Path

Update the path for a data field:
cURL
curl -X PUT 'https://<your-metlo-instance>/api/v1/data-field/{dataFieldId}/update-data-path' \
  -H 'Authorization: metlo_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
  -H 'Content-Type: application/json' \
  -d '{"dataPath": "user.profile.email"}'

Clear All Sensitive Data

Remove all sensitive data classifications (use with caution):
cURL
curl -X POST 'https://<your-metlo-instance>/api/v1/clear-sensitive-data' \
  -H 'Authorization: metlo_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
This operation will clear all sensitive data classifications across all endpoints. This action cannot be undone.

Bulk Delete Data Fields

Delete multiple data fields at once:
cURL
curl -X POST 'https://<your-metlo-instance>/api/v1/clear-all-datafields' \
  -H 'Authorization: metlo_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'

Use Cases

Audit Sensitive Data Classifications

Retrieve all data classes to understand what types of sensitive data Metlo can detect:
curl 'https://<your-metlo-instance>/api/v1/data-class' \
  -H 'Authorization: metlo_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' | jq '.'

Filter by Severity

Get only high-severity data classes:
curl 'https://<your-metlo-instance>/api/v1/data-class' \
  -H 'Authorization: metlo_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
  | jq '[.[] | select(.severity == "HIGH")]'

Check for Specific Data Types

Verify if a specific data type is being detected:
curl 'https://<your-metlo-instance>/api/v1/data-class' \
  -H 'Authorization: metlo_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
  | jq '.[] | select(.className == "credit_card")'

Data Sections

Data can be detected in various sections of API traffic:
| Section | Description |
| --- | --- |
| REQUEST_QUERY | URL query parameters |
| REQUEST_HEADER | HTTP request headers |
| REQUEST_BODY | Request payload |
| RESPONSE_HEADER | HTTP response headers |
| RESPONSE_BODY | Response payload |

For GraphQL endpoints, Metlo also analyzes REQUEST_BODY, REQUEST_QUERY, and RESPONSE_BODY sections for GraphQL-specific data patterns.

Best Practices

Periodically review the data classes to ensure they align with your organization’s data sensitivity policies.
While Metlo provides many built-in data classes, you may want to define custom classifications specific to your industry or business.
Pay special attention to endpoints handling HIGH severity data classes like credit cards and SSNs.
Regularly audit where sensitive data appears in your API traffic and ensure it’s properly protected.
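
One way to automate the periodic review described above, added here as an example and not part of Metlo: it compares the `/api/v1/data-class` response with an organization policy and reports classes that are missing, rated below the required severity, or not yet covered by the policy. `ORG_POLICY`, the `passport` identifier and the function name are assumptions; the sample response is built from entries in the response example on this page.

```python
# Severity enum from this page, ordered from least to most sensitive.
SEVERITY_RANK = {"NONE": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Constructed sample: five entries copied from the response example on this page.
SAMPLE_RESPONSE = [
    {"className": "email", "severity": "MEDIUM", "shortName": "Email Address"},
    {"className": "ssn", "severity": "HIGH", "shortName": "Social Security Number"},
    {"className": "credit_card", "severity": "HIGH", "shortName": "Credit Card"},
    {"className": "ip_address", "severity": "LOW", "shortName": "IP Address"},
    {"className": "api_key", "severity": "HIGH", "shortName": "API Key"},
]

# Hypothetical organization policy: the minimum severity each class must carry.
ORG_POLICY = {
    "ssn": "HIGH",
    "credit_card": "HIGH",
    "email": "HIGH",
    "passport": "HIGH",  # assumed identifier, not taken from the page
    "ip_address": "LOW",
}


def review_data_classes(data_classes, policy):
    """Compare configured classes with the policy and return the gaps by category."""
    configured, invalid = {}, []
    for dc in data_classes:
        name, severity = dc.get("className"), dc.get("severity")
        if not name or severity not in SEVERITY_RANK:
            invalid.append(dc)  # malformed entry or severity outside the enum
        else:
            configured[name] = severity
    missing, under_rated = [], []
    for name, required in policy.items():
        actual = configured.get(name)
        if actual is None:
            missing.append(name)  # policy expects a class that is not configured
        elif SEVERITY_RANK[actual] < SEVERITY_RANK[required]:
            under_rated.append((name, actual, required))
    return {
        "missing": missing,
        "under_rated": under_rated,
        "unreviewed": sorted(set(configured) - set(policy)),  # no policy entry yet
        "invalid": invalid,
    }


if __name__ == "__main__":
    print(review_data_classes(SAMPLE_RESPONSE, ORG_POLICY))
```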

Integration Examples

Python: Get All High-Risk Data Types

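import requests

# Replace the host and API key placeholders with your own values.
response = requests.get(
    'https://<your-metlo-instance>/api/v1/data-class',
    headers={'Authorization': 'metlo_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'},
    timeout=10,  # fail instead of hanging if the instance is unreachable
)
# Stop on an authentication or server error instead of parsing an error body.
response.raise_for_status()

data_classes = response.json()
# Keep only the classes rated HIGH severity.
high_risk = [dc for dc in data_classes if dc['severity'] == 'HIGH']

print(f"Found {len(high_risk)} high-risk data types:")
for dc in high_risk:
    print(f"  - {dc['shortName']} ({dc['className']})")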

JavaScript: Check for Specific Data Class

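// Uses top-level await, so run this as an ES module.
const response = await fetch(
  'https://<your-metlo-instance>/api/v1/data-class',
  {
    headers: {
      'Authorization': 'metlo_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
    }
  }
);

// Stop on an authentication or server error instead of parsing an error body.
if (!response.ok) {
  throw new Error(`Metlo API request failed with status ${response.status}`);
}

const dataClasses = await response.json();
// True when a data class with the identifier "email" is configured.
const hasEmailDetection = dataClasses.some(dc => dc.className === 'email');

if (hasEmailDetection) {
  console.log('Email detection is enabled');
}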
