API Key & Token Redactor Guide

30-second guide

1. Paste logs, environment files, JSON, curl commands, or config snippets into the tool.
2. Click “Redact” and review the findings list and safety summary.
3. Copy or download only the redacted output before sharing.

Tip: search for common key prefixes, Authorization, Cookie, registry tokens, or bot tokens before posting.

Supported patterns

• OpenAI-style project and secret keys
• GitHub classic, OAuth, app, and fine-grained tokens
• Slack app, bot, user, and workspace tokens
• Google API keys, SendGrid keys, GitLab tokens, and AWS access key IDs
• Stripe secret and restricted keys
• npm and registry auth tokens
• Telegram bot tokens and Discord-style tokens
• Bearer / Authorization headers, JWTs, and Cookie / Set-Cookie headers
• PEM private keys
• Environment and JSON values labeled like api key, token, secret, password, client secret, access token, or database URL
• URL query values such as token, api key, access token, client secret, or signature parameters

How to read findings

• High: private keys, Bearer tokens, JWTs, and major API keys.
• Medium: labeled secrets, URL tokens, cookies, and values that need manual review.
• Line: the approximate line number in the original text. Long single-line logs still need manual review.
• Finding previews partially mask secret values. Full secret values are not shown in the findings list.

What it doesn’t do

• No guarantee of catching every secret.
• Doesn’t scan images or screenshots.
• Doesn’t validate or revoke tokens.
• Doesn’t fully remove personal identifiers such as emails, IPs, user IDs, or full URLs.

Privacy

Runs locally in your browser. Nothing is uploaded.