API Key Masker for Prompts

Scan prompts and messages for accidentally embedded API keys

Scans prompt text for common API key patterns (OpenAI, Anthropic, Google, AWS, Stripe, GitHub and more) and masks or flags them before you accidentally paste a secret into a chat, log, or screenshot. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

Which API key formats does it detect?

It recognises OpenAI (sk-, sk-proj-), Anthropic (sk-ant-), Google AI (AIza), AWS access keys (AKIA), Stripe (sk_live / pk_live), GitHub tokens (ghp_, github_pat_), Slack (xox), and generic high-entropy bearer tokens. Patterns are based on each provider's published prefix conventions.

API key masker for prompts

It is dangerously easy to paste a snippet of code or a config block into a chat window or a public log and ship a live API key along with it. This tool scans text for the prefix patterns that real provider keys use — OpenAI, Anthropic, Google, AWS, Stripe, GitHub and more — and produces a masked copy you can safely share. Everything runs locally so the secret never leaves your machine.

How it works

The scanner applies a set of regular expressions, each tied to a known key format. Provider keys are easy to match precisely because vendors publish their prefixes: OpenAI keys start with sk-, Anthropic with sk-ant-, AWS access keys with AKIA, Stripe live keys with sk_live_, and so on. A final lower-confidence rule catches long high-entropy strings that look like bearer tokens even without a known prefix. Every match is reported with its provider label and confidence, and the masked output replaces each key with a redacted form that keeps just the first and last few characters.

What masked output looks like

For a key like sk-ant-api03-a1b2c3d4…xy99, the masked form becomes:

sk-a████████████████████████████xy99

The first four and last four characters are preserved for traceability — so you can confirm “yes, that was the key ending in xy99 that I retired last week” — without exposing the working key material.

Common scenarios where this prevents leaks

Sharing a debugging session. You paste a failing curl command into a chat with a colleague — and the Authorization: Bearer sk-ant-... header is in there. Running it through the masker first replaces the key before you send.

Public issue reports. Filing a GitHub issue with a stack trace that includes environment variable dumps is a classic leak vector. The masker catches any key patterns that snuck into the trace.

Documentation and tutorials. Copying a working example from your own environment into a public README or blog post may include the actual key you were testing with. Always run example code through the masker before publishing.

Screenshots and screenshares. The masker handles text — for screenshots, blur or redact manually before sharing. A tool that prevents paste-based leaks is a complement to, not a replacement for, visual redaction.

Tips and notes

  • Use it as a pre-send gate. Run any code block or log through it before pasting into a chatbot, issue tracker, or screenshot.
  • Trust the prefix matches most. A sk-ant- or AKIA hit is almost certainly a real key; a generic entropy hit may just be a hash or UUID — judge each one.
  • Masking is not rotation. If a key already reached an untrusted system, revoke and replace it immediately. This tool prevents the next leak; it cannot undo a past one.
  • Nothing is stored. Refreshing the page clears everything; no history is kept, by design.