Which API key formats does it detect?

It recognises OpenAI (sk-, sk-proj-), Anthropic (sk-ant-), Google AI (AIza), AWS access keys (AKIA), Stripe (sk_live / pk_live), GitHub tokens (ghp_, github_pat_), Slack (xox), and generic high-entropy bearer tokens. Patterns are based on each provider's published prefix conventions.

Is my text uploaded anywhere?

No. All scanning and masking happens in your browser with JavaScript. The text never leaves your device, which is the whole point of a tool you use precisely because the content may contain secrets.

What does the masked output look like?

Each detected key is replaced with its first four and last four characters joined by a redaction block, for example sk-1234…████…ab12. This keeps the output readable and auditable without exposing the secret.

Can it produce false positives?

Yes, long random-looking strings can match generic token patterns. The tool labels each hit with the matched rule so you can judge it. Provider-prefixed matches (sk-ant-, AKIA, etc.) are high confidence; generic entropy matches are flagged as lower confidence.

Should I still rotate a key that leaked?

Absolutely. Masking text after the fact does not undo a key that was already pasted into an untrusted system. If a real secret was exposed, revoke and rotate it immediately, then use this tool going forward as a pre-send safety check.

API Key Masker for Prompts

API key masker for prompts

It is dangerously easy to paste a snippet of code or a config block into a chat window or a public log and ship a live API key along with it. This tool scans text for the prefix patterns that real provider keys use — OpenAI, Anthropic, Google, AWS, Stripe, GitHub and more — and produces a masked copy you can safely share. Everything runs locally so the secret never leaves your machine.

How it works

The scanner applies a set of regular expressions, each tied to a known key format. Provider keys are easy to match precisely because vendors publish their prefixes: OpenAI keys start with sk-, Anthropic with sk-ant-, AWS access keys with AKIA, Stripe live keys with sk_live_, and so on. A final lower-confidence rule catches long high-entropy strings that look like bearer tokens even without a known prefix. Every match is reported with its provider label and confidence, and the masked output replaces each key with a redacted form that keeps just the first and last few characters.

Tips and notes

Use it as a pre-send gate. Run any code block or log through it before pasting into a chatbot, issue tracker, or screenshot.
Trust the prefix matches most. A sk-ant- or AKIA hit is almost certainly a real key; a generic entropy hit may just be a hash or UUID.
Masking is not rotation. If a key already reached an untrusted system, revoke it. This tool prevents the next leak, it cannot reverse a past one.
Nothing is stored. Refreshing the page clears everything; no history is kept, by design.