A single committed API key or pasted access token can drain an account or open a breach. Yet sharing code with an AI assistant, a teammate, or an issue tracker is part of daily work. This API key and secret scrubber scans your text against 40+ provider-specific and generic patterns and swaps every match for a safe placeholder, so you can share freely without leaking credentials.
How it works
The tool applies an ordered set of regular expressions, from the most specific provider formats to broad fallbacks. Provider rules key off well-known prefixes and lengths:
| Provider | Patterns detected |
|---|---|
| OpenAI | sk-... and sk-proj-... |
| Anthropic | sk-ant-... |
| AWS | Access keys starting with AKIA; secret keys (high-entropy 40-char strings) |
| GitHub | ghp_, gho_, ghs_, ghr_, github_pat_ |
| Stripe | sk_live_, rk_live_, pk_live_, whsec_ |
AIza... (API keys) | |
| Slack | xoxb-, xoxp-, xoxa-, xoxe- |
| JWTs | Three-part base64url strings separated by dots |
| PEM keys | -----BEGIN ... PRIVATE KEY----- blocks |
Generic fallbacks catch high-entropy strings and bearer token patterns that do not match any specific provider. Each unique secret is replaced with a typed placeholder such as [STRIPE_KEY_1], and if the same value appears multiple times, it reuses the same placeholder — so your code structure stays readable.
Everything runs in the browser with no network calls, so even genuine production secrets are safe to paste here. The detection summary names the provider and rule behind every match so you can confirm or dismiss each finding before copying the scrubbed result.
What to do if a key was already exposed
Scrubbing text now cannot undo a key that has already been committed to git, pushed to a public repo, or shared in an issue or chat:
- Revoke the key immediately in the provider’s dashboard. Do not wait to investigate first — the key is compromised the moment it leaves your environment.
- Rotate the key — generate a new one, update your deployments, and confirm the new key works before assuming the old one stopped being used.
- Check for abuse — most providers (AWS, Stripe, GitHub) offer audit logs. Review them for activity you did not initiate in the window between when the key was exposed and when you revoked it.
- Remove from git history if committed — tools like
git filter-repoor the BFG Repo Cleaner can rewrite history. For public repos, also contact GitHub/GitLab to purge caches.
Use the scrubber to prevent the next leak. Use your provider’s revocation flow to contain this one.
Avoiding false positives
The generic high-entropy fallback can occasionally flag non-secrets — content hashes, database IDs, base64-encoded images. The detection list is shown precisely so you can see which rule matched and decide whether to keep or restore that value. Provider-specific rules (AWS AKIA prefix, GitHub ghp_ prefix, etc.) almost never misfire.