Password Hash & Token Scrubber

Detect and redact bcrypt, SHA, JWT & other hash formats from text

Identifies password hashes (bcrypt, SHA-256, MD5, Argon2), JWT tokens, OAuth tokens, API keys, and session IDs in pasted logs or text and replaces them with type-labeled placeholders before you share anything with an AI. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

What does it detect?

Bcrypt and Argon2 hashes, common hex hashes (MD5, SHA-1, SHA-256), JWTs, bearer/OAuth tokens, AWS-style and generic API keys, and long session-id-like strings. Each is replaced with a type-labeled placeholder.

Password hash & token scrubber

Logs and config snippets are full of things you should never paste into a chat window — bcrypt hashes, JWTs, bearer tokens, API keys, session IDs. The moment they leave your machine they can be cracked, replayed, or abused. This scrubber scans pasted text for the well-known secret and hash formats and swaps each one for a type-labeled placeholder, so you can share a sanitised version with an AI or a colleague while keeping the log structure intact.

What gets detected and why each type matters

FormatPatternWhy it’s sensitive
Bcrypt hashStarts with $2a$ or $2b$ followed by cost and hashOffline crackable, especially with weak source passwords
Argon2 hashStarts with $argon2id$ or $argon2i$Same risk; newer hashes but still crackable given the right input
MD5 hex hash32 hex charactersExtremely fast to crack; MD5 password hashes are considered broken
SHA-1 hex hash40 hex charactersAlso fast offline; widely deprecated for passwords
SHA-256 hex hash64 hex charactersSlower but still crackable without proper salting
JWT (JSON Web Token)Three base64url segments separated by dotsOften contains user identity and session data; valid until expiry
Bearer / OAuth tokenBearer prefix + token stringLive credential; grants API access immediately
AWS-style API keyAKIA prefix + 16 uppercase charsCloud credentials; can control infrastructure if leaked
Generic API keyLong alphanumeric strings matching common key patternsVaries by service; often has wide access scope
Session IDsLong opaque hex or base64 stringsCan be replayed to hijack user sessions

How it works

Everything runs locally in your browser. The tool applies a regular expression pattern for each format listed above. Each match is replaced inline with a placeholder like [REDACTED_JWT] or [REDACTED_BCRYPT], and you get a per-type count so you know exactly what was removed. The surrounding log lines are left untouched so the output stays readable and useful for debugging.

When to use this tool

The most common scenario is pasting a log snippet into a ChatGPT, Claude, or Copilot chat while debugging a production issue. Logs from authentication services, API gateways, and middleware layers routinely contain hashes and tokens, sometimes unexpectedly. A quick paste-and-scrub before sharing with an AI assistant takes seconds and eliminates a whole category of accidental credential exposure.

It is also useful before:

  • Creating a GitHub issue with a log snippet
  • Sharing a debug excerpt with a contractor or support team
  • Posting to Stack Overflow or a community forum
  • Screenshotting a terminal for documentation

Limits and what to do anyway

Because this is pattern-based it excels at standard, widely-used formats but cannot recognise every bespoke token scheme. A proprietary internal session token that looks like random ASCII will not be matched. Always review the output by eye before sharing, and never treat a clean result as proof there are no secrets left.

For anything that has already been shared in its original form: rotate the credential. Redaction is a preventive step, not a retroactive one — once a token or hash has been exposed to another party, the only safe action is to invalidate it.