API Key & Secret Scrubber

Detect and mask AWS, OpenAI, GitHub, Stripe & 40+ key formats

A single committed API key or pasted access token can drain an account or open a breach. Yet sharing code with an AI assistant, a teammate, or an issue tracker is part of daily work. This API key and secret scrubber scans your text against 40+ provider-specific and generic patterns and swaps every match for a safe placeholder, so you can share freely without leaking credentials.

How it works

The tool applies an ordered set of regular expressions, from the most specific provider formats to broad fallbacks. Provider rules key off well-known prefixes and lengths — sk- for OpenAI, sk-ant- for Anthropic, AKIA for AWS, ghp_ for GitHub, sk_live for Stripe, AIza for Google, xoxb/xoxp for Slack — and there are catch-alls for JWTs, bearer tokens, and PEM private key blocks. Each unique secret is replaced with a typed placeholder such as [STRIPE_KEY_1], and repeats of the same value reuse the same token so your snippet keeps its shape.

Everything runs in the browser with no network calls, so even genuine production secrets are safe to paste here. The detection summary names the provider and rule behind every match, which lets you spot any false positive from the broad fallback rules before you copy the result.
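
The ordered-rule and placeholder-reuse behaviour described above, as an added sketch that is not this tool's own code. The regular expressions are simplified assumptions built from the prefixes listed above, and the placeholder type names other than STRIPE_KEY, the function names, and the sample values are hypothetical.

```javascript
// Added illustration: simplified patterns, not the tool's actual rule set.
// Order matters: "sk-ant-" is tried before the broader "sk-" rule.
const RULES = [
  { type: "ANTHROPIC_KEY", name: "Anthropic API key", re: /\bsk-ant-[A-Za-z0-9_-]{20,}/g },
  { type: "OPENAI_KEY", name: "OpenAI API key", re: /\bsk-[A-Za-z0-9_-]{20,}/g },
  { type: "STRIPE_KEY", name: "Stripe live key", re: /\bsk_live_[A-Za-z0-9]{24,}/g },
  { type: "AWS_KEY", name: "AWS access key", re: /\bAKIA[0-9A-Z]{16}\b/g },
  { type: "GITHUB_TOKEN", name: "GitHub token", re: /\bghp_[A-Za-z0-9]{36}\b/g },
];

function scrub(text) {
  const seen = new Map();  // secret value -> placeholder already assigned
  const counters = {};     // placeholder type -> last index handed out
  const detections = [];   // summary rows: which rule produced which placeholder
  let out = text;
  for (const rule of RULES) {
    out = out.replace(rule.re, (match) => {
      if (!seen.has(match)) {
        counters[rule.type] = (counters[rule.type] || 0) + 1;
        const placeholder = `[${rule.type}_${counters[rule.type]}]`;
        seen.set(match, placeholder);
        detections.push({ rule: rule.name, placeholder });
      }
      return seen.get(match); // repeats of one value reuse one placeholder
    });
  }
  return { text: out, detections };
}

// Constructed sample input; the values below are fake and built inline.
const FAKE_ANT = "sk-ant-" + "x".repeat(24);
const FAKE_AWS = "AKIA" + "A1B2C3D4".repeat(2);
const SAMPLE = [
  `ANTHROPIC_API_KEY=${FAKE_ANT}`,
  `aws_access_key_id = ${FAKE_AWS}`,
  `# retry with key ${FAKE_ANT}`,
].join("\n");

function demo() { return scrub(SAMPLE); }
console.log(demo());
```

Moving the OpenAI rule above the Anthropic one would label the sk-ant- value as an OpenAI key, which is why the specific rules run first.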

Tips and examples

Lead with the specific rules and trust the generic ones less. A match labelled “AWS access key” is almost certainly real; a match from the generic high-entropy rule might just be a content hash or a UUID. The detection list exists precisely so you can make that call quickly.

If this tool ever flags a real key that has already been committed, pushed, or pasted somewhere, scrubbing the text now is not enough — that key should be treated as compromised and rotated immediately at the provider. Use the scrubber to prevent the next leak, and your provider’s dashboard to contain the last one.
