Password hash & token scrubber
Logs and config snippets are full of things you should never paste into a chat window — bcrypt hashes, JWTs, bearer tokens, API keys, session IDs. The moment they leave your machine they can be cracked, replayed, or abused. This scrubber scans pasted text for the well-known secret and hash formats and swaps each one for a type-labeled placeholder, so you can share a sanitised version with an AI or a colleague while keeping the log structure intact.
How it works
Everything runs locally in your browser. The tool applies a set of patterns for
each format — bcrypt ($2a$/$2b$), Argon2 ($argon2), hex hashes by length
(MD5, SHA-1, SHA-256), three-segment JWTs, bearer/OAuth tokens, AWS-style and
generic API keys, and long opaque session strings. Each match is replaced inline
with a placeholder like [REDACTED_JWT] or [REDACTED_BCRYPT], and you get a
per-type count so you know exactly what was removed. The surrounding text is left
untouched so the output stays readable.
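The approach described above, sketched as an added example (not this tool's own code): the rule table, regexes and function name are assumptions, and it covers only the bcrypt, Argon2, JWT, bearer, AWS key and hex-hash formats, leaving out generic API keys and session strings. The sample input is constructed.

```javascript
// Hypothetical rule table: [placeholder label, pattern]. Order matters:
// structured formats run first, and longer hex digests before shorter ones.
const RULES = [
  ["BCRYPT", /\$2[aby]\$\d{2}\$[.\/A-Za-z0-9]{53}/g],
  ["ARGON2", /\$argon2(?:id|i|d)\$v=\d+\$m=\d+,t=\d+,p=\d+\$[A-Za-z0-9+\/]+\$[A-Za-z0-9+\/]+/g],
  ["JWT", /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g],
  // Lookbehind keeps the word "Bearer" in the output so the log stays readable.
  ["BEARER", /(?<=\bBearer\s+)[A-Za-z0-9._~+\/-]{16,}=*/g],
  ["AWS_KEY", /\b(?:AKIA|ASIA)[A-Z0-9]{16}\b/g],
  ["SHA256", /\b[a-fA-F0-9]{64}\b/g],
  ["SHA1", /\b[a-fA-F0-9]{40}\b/g],
  ["MD5", /\b[a-fA-F0-9]{32}\b/g],
];

// Replace every match inline and return the scrubbed text plus per-type counts.
function scrub(text) {
  const counts = {};
  let out = text;
  for (const [label, pattern] of RULES) {
    out = out.replace(pattern, () => {
      counts[label] = (counts[label] || 0) + 1;
      return `[REDACTED_${label}]`;
    });
  }
  return { text: out, counts };
}

// Constructed sample log; none of these values are real credentials.
const SAMPLE = [
  "user=alice hash=" + "$2b$12$" + "a".repeat(53),
  "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2lnbmF0dXJl",
  "Authorization: Bearer " + "t0k3n".repeat(5),
  "aws_access_key_id=AKIAIOSFODNN7EXAMPLE",
  "sha256=" + "ab".repeat(32) + " md5=" + "0f".repeat(16),
].join("\n");

console.log(scrub(SAMPLE));
```

A hex-by-length rule only labels the digest size: any 32-character hex string is reported as MD5 whether or not it is one, which is another reason to review the output by eye.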
Tips and limits
Redact even one-way hashes: weak or unsalted hashes can be cracked offline, and tokens or API keys are often live credentials that grant direct access. Because this is pattern-based it is excellent on standard formats but cannot recognise every bespoke token scheme — always review the output by eye and never treat a clean result as proof there are no secrets left. For anything truly sensitive, rotate the credential as well as redacting it; once a secret has been exposed, redaction does not un-expose it.