API Key & Secret Scrubber

Detect and mask AWS, OpenAI, GitHub, Stripe & 40+ key formats

Scans pasted text and code for API keys, tokens, and secrets matching 40+ common patterns — OpenAI sk-, AWS AKIA, GitHub ghp_, Stripe sk_live, JWTs, private keys and more — and replaces each with a safe placeholder before you share with an AI or paste into an issue. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

Which secret formats does it detect?

It matches 40+ patterns including OpenAI (sk-, sk-proj-), Anthropic (sk-ant-), AWS access keys (AKIA), GitHub tokens (ghp_, gho_, ghs_), Stripe (sk_live, rk_live, pk_live), Google API keys (AIza), Slack (xoxb/xoxp), JWTs, generic bearer tokens, and PEM private key blocks.

A single committed API key or pasted access token can drain an account or open a breach. Yet sharing code with an AI assistant, a teammate, or an issue tracker is part of daily work. This API key and secret scrubber scans your text against 40+ provider-specific and generic patterns and swaps every match for a safe placeholder, so you can share freely without leaking credentials.

How it works

The tool applies an ordered set of regular expressions, from the most specific provider formats to broad fallbacks. Provider rules key off well-known prefixes and lengths:

ProviderPatterns detected
OpenAIsk-... and sk-proj-...
Anthropicsk-ant-...
AWSAccess keys starting with AKIA; secret keys (high-entropy 40-char strings)
GitHubghp_, gho_, ghs_, ghr_, github_pat_
Stripesk_live_, rk_live_, pk_live_, whsec_
GoogleAIza... (API keys)
Slackxoxb-, xoxp-, xoxa-, xoxe-
JWTsThree-part base64url strings separated by dots
PEM keys-----BEGIN ... PRIVATE KEY----- blocks

Generic fallbacks catch high-entropy strings and bearer token patterns that do not match any specific provider. Each unique secret is replaced with a typed placeholder such as [STRIPE_KEY_1], and if the same value appears multiple times, it reuses the same placeholder — so your code structure stays readable.

Everything runs in the browser with no network calls, so even genuine production secrets are safe to paste here. The detection summary names the provider and rule behind every match so you can confirm or dismiss each finding before copying the scrubbed result.

What to do if a key was already exposed

Scrubbing text now cannot undo a key that has already been committed to git, pushed to a public repo, or shared in an issue or chat:

  1. Revoke the key immediately in the provider’s dashboard. Do not wait to investigate first — the key is compromised the moment it leaves your environment.
  2. Rotate the key — generate a new one, update your deployments, and confirm the new key works before assuming the old one stopped being used.
  3. Check for abuse — most providers (AWS, Stripe, GitHub) offer audit logs. Review them for activity you did not initiate in the window between when the key was exposed and when you revoked it.
  4. Remove from git history if committed — tools like git filter-repo or the BFG Repo Cleaner can rewrite history. For public repos, also contact GitHub/GitLab to purge caches.

Use the scrubber to prevent the next leak. Use your provider’s revocation flow to contain this one.

Avoiding false positives

The generic high-entropy fallback can occasionally flag non-secrets — content hashes, database IDs, base64-encoded images. The detection list is shown precisely so you can see which rule matched and decide whether to keep or restore that value. Provider-specific rules (AWS AKIA prefix, GitHub ghp_ prefix, etc.) almost never misfire.