API key masker for prompts
It is dangerously easy to paste a snippet of code or a config block into a chat window or a public log and ship a live API key along with it. This tool scans text for the prefix patterns that real provider keys use — OpenAI, Anthropic, Google, AWS, Stripe, GitHub and more — and produces a masked copy you can safely share. Everything runs locally so the secret never leaves your machine.
How it works
The scanner applies a set of regular expressions, each tied to a known key
format. Provider keys are easy to match precisely because vendors publish their
prefixes: OpenAI keys start with sk-, Anthropic with sk-ant-, AWS access
keys with AKIA, Stripe live keys with sk_live_, and so on. A final
lower-confidence rule catches long high-entropy strings that look like bearer
tokens even without a known prefix. Every match is reported with its provider
label and confidence, and the masked output replaces each key with a redacted
form that keeps just the first and last few characters.
What masked output looks like
For a key like sk-ant-api03-a1b2c3d4…xy99, the masked form becomes:
sk-a████████████████████████████xy99
The first four and last four characters are preserved for traceability — so you can confirm “yes, that was the key ending in xy99 that I retired last week” — without exposing the working key material.
Common scenarios where this prevents leaks
Sharing a debugging session. You paste a failing curl command into a chat with a colleague — and the Authorization: Bearer sk-ant-... header is in there. Running it through the masker first replaces the key before you send.
Public issue reports. Filing a GitHub issue with a stack trace that includes environment variable dumps is a classic leak vector. The masker catches any key patterns that snuck into the trace.
Documentation and tutorials. Copying a working example from your own environment into a public README or blog post may include the actual key you were testing with. Always run example code through the masker before publishing.
Screenshots and screenshares. The masker handles text — for screenshots, blur or redact manually before sharing. A tool that prevents paste-based leaks is a complement to, not a replacement for, visual redaction.
Tips and notes
- Use it as a pre-send gate. Run any code block or log through it before pasting into a chatbot, issue tracker, or screenshot.
- Trust the prefix matches most. A
sk-ant-orAKIAhit is almost certainly a real key; a generic entropy hit may just be a hash or UUID — judge each one. - Masking is not rotation. If a key already reached an untrusted system, revoke and replace it immediately. This tool prevents the next leak; it cannot undo a past one.
- Nothing is stored. Refreshing the page clears everything; no history is kept, by design.