Secret Redactor
Paste logs, configuration files, or code snippets and automatically detect and mask embedded secrets.
About This Tool
The Secret Redactor is a free, browser-based security tool that automatically scans text for embedded secrets — API keys, access tokens, passwords, private keys, connection strings, and more — and replaces them with safe placeholder text. It is designed for developers, DevOps engineers, and security professionals who need to share logs, configuration files, code snippets, or error reports without accidentally leaking sensitive credentials.
The tool recognizes a wide range of secret patterns out of the box, including AWS access keys and secret keys, GitHub personal access tokens, Stripe API keys, Google API keys, Slack bot tokens, JWT tokens, Bearer authorization headers, private key blocks, database connection strings with embedded passwords, and generic password/secret/token/credential assignments. Each detected secret is classified by type and highlighted with a distinct color so you can quickly review what was found.
If you work with JWTs regularly, our JWT Decoder lets you inspect token payloads in detail. For validating environment files before deployment, check out the Environment Variables Validator.
All processing runs entirely in your browser using client-side JavaScript and regular expressions. Your text is never sent to any server, stored in any database, or logged by any analytics service. This makes it safe to paste production logs, real configuration files, and actual credentials — nothing ever leaves your machine.
You can choose how redacted values appear: typed placeholders like [REDACTED:AWS_KEY], simple asterisks ***, or any custom replacement string you prefer. The summary panel shows a breakdown of how many secrets were found in each category, and the detail table lists every match with its type, truncated value, and position in the original text.
How to Use
- Paste or type text containing potential secrets into the Input panel on the left. This can be log output, .env files, YAML configs, source code, or any plain text.
- Alternatively, click the Sample button to load example text with various embedded secrets for testing.
- Secrets are detected automatically in real time. A summary bar appears showing the total count and breakdown by type.
- Toggle between highlighted original (secrets marked with colored backgrounds) and redacted output in the right panel.
- Use the Replace with selector to choose the replacement format: [REDACTED:TYPE], ***, or a custom string.
- Click Copy Output or press Ctrl+Shift+C to copy the redacted text to your clipboard.
- Click Clear to reset both panels and start fresh.
FAQ
Is my data safe?
Yes. All secret detection and redaction runs entirely in your browser using JavaScript regular expressions. Your text is never sent to a server, stored in a database, or logged in any way. You can verify this by inspecting network activity in your browser's developer tools — there are zero outgoing requests.
What types of secrets can the tool detect?
The tool detects AWS access keys and secret keys, GitHub tokens (ghp_, gho_, ghu_, ghs_, ghr_), Stripe live keys, Google API keys, Slack tokens, JWT tokens, Bearer authorization tokens, RSA/EC/DSA/OPENSSH private key headers, database connection strings with passwords, generic API key assignments, and password/secret/token/credential patterns. The detection is based on well-known regex patterns used in the security industry.
Can the tool miss some secrets?
Yes. Regex-based detection cannot catch every possible secret format — especially custom or proprietary token formats. The tool covers the most common patterns, but you should always manually review sensitive content before sharing. Think of this tool as a first pass that catches the obvious leaks.
What replacement formats are available?
Three options: (1) Typed placeholders like [REDACTED:AWS_KEY] that indicate the secret type, (2) Simple asterisks (***) for minimal redaction, and (3) Custom text where you can type any replacement string you prefer.
Does the tool modify my original text?
No. The original text stays in the input panel untouched. The redacted version is generated as a separate output that you can copy. Your clipboard and input are never mutated unless you explicitly paste new text or click Clear.
Can I use this for CI/CD log sanitization?
This tool is designed for manual, interactive use in the browser. For automated CI/CD pipeline log sanitization, you would need to implement similar regex patterns in a script or use a dedicated secrets scanning tool like TruffleHog, Gitleaks, or detect-secrets. However, you can use this tool to quickly prototype and test redaction patterns before adding them to your pipeline.
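The approach this answer describes, carried into a Node.js script as an added example (not this tool's own code): the rule names, the patterns and the sample input are assumptions constructed for illustration. Matches are collected against the original text and overlaps are resolved before replacing, so a generic rule cannot re-match a placeholder written by a more specific one.

```javascript
// Added example, not this tool's code. Rule names and patterns are assumptions.
const RULES = [ // ordered most specific first; order breaks ties on overlap
  { type: 'AWS_KEY', re: /\bAKIA[0-9A-Z]{16}\b/g },
  { type: 'GITHUB_TOKEN', re: /\bgh[pousr]_[A-Za-z0-9]{36,}\b/g },
  { type: 'JWT', re: /\beyJ[\w-]+\.eyJ[\w-]+\.[\w-]+/g },
  // keep: group 1 is context to preserve, group 2 is the secret itself
  { type: 'DB_PASSWORD', keep: true, re: /\b([a-z][a-z0-9+]*:\/\/[^\s:\/@]+:)([^\s@]+)(?=@)/gi },
  { type: 'PASSWORD', keep: true,
    re: /((?:password|passwd|secret|token|api[_-]?key)[ \t]*[:=][ \t]*["']?)([^\s"']{4,})/gi },
];

// Match every rule against the original text, then resolve overlaps, so a
// later rule never re-matches a placeholder written by an earlier one.
function findSecrets(text) {
  const hits = [];
  RULES.forEach((rule, priority) => {
    for (const m of text.matchAll(rule.re)) {
      const prefix = rule.keep ? m[1] : '';
      const value = rule.keep ? m[2] : m[0];
      const start = m.index + prefix.length;
      // Keep only a truncated preview so the findings list is not itself a leak.
      hits.push({ type: rule.type, start, end: start + value.length,
                  preview: value.slice(0, 4) + '...', priority });
    }
  });
  hits.sort((a, b) => a.start - b.start || a.priority - b.priority);
  const kept = [];
  for (const h of hits) {
    if (!kept.length || h.start >= kept[kept.length - 1].end) kept.push(h);
  }
  return kept;
}

function redact(text, mode = 'typed', custom = '') {
  let out = '', pos = 0;
  for (const h of findSecrets(text)) {
    const mask = mode === 'typed' ? `[REDACTED:${h.type}]` : mode === 'stars' ? '***' : custom;
    out += text.slice(pos, h.start) + mask;
    pos = h.end;
  }
  return out + text.slice(pos);
}
// Constructed sample input (no real credentials).
const SAMPLE = ['aws_access_key_id = AKIAIOSFODNN7EXAMPLE',
  `GITHUB_TOKEN=ghp_${'x'.repeat(36)}`,
  'DATABASE_URL=postgres://app:S3cretPw@db.internal:5432/orders',
  'password: "hunter2!"',
  'listening on https://example.com:8080/health'].join('\n');
console.log(redact(SAMPLE));
```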