Detect and Redact API Keys in Text
Learn how to detect and redact API keys from code, logs, and configuration files. Protect sensitive credentials before sharing text publicly or with teammates.
Detailed Explanation
Detecting and Redacting API Keys
API keys are one of the most commonly leaked secrets in software development. They appear in source code, configuration files, log output, error messages, and documentation. A single exposed API key can lead to unauthorized access, data breaches, and significant financial costs.
What Makes an API Key Recognizable?
Most API keys follow predictable patterns that make automated detection possible:
- Fixed prefixes — Many services use identifiable prefixes like sk_live_, pk_test_, AKIA, or xoxb-
- Consistent length — API keys typically have a fixed character count (e.g., 32, 40, or 64 characters)
- Character set — Keys usually consist of alphanumeric characters, sometimes with hyphens or underscores
- Entropy — Real keys have high randomness compared to normal text. Measured as Shannon entropy in bits per character, a random 32-character key scores well above an ordinary word or identifier of the same length; note that hashes, UUIDs, and base64 blobs score just as high, so entropy alone will also flag those
# Before redaction
Authorization: Bearer sk_live_4eC39HqLyjWDarjtT1zdp7dc
X-API-Key: a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6
# After redaction
Authorization: Bearer [REDACTED_API_KEY]
X-API-Key: [REDACTED_API_KEY]
Common API Key Formats
| Provider | Pattern | Example Prefix |
|---|---|---|
| Stripe | sk_live_ / pk_live_ | sk_live_... |
| AWS | AKIA[A-Z0-9]{16} | AKIA... |
| GitHub | ghp_ / gho_ / ghs_ | ghp_... |
| Slack | xoxb- / xoxp- | xoxb-... |
| Google | AIza[A-Za-z0-9_-]{35} | AIza... |
Detection Strategies
The most effective approach combines pattern matching (regex for known formats) with entropy analysis (flagging high-randomness strings). Pattern matching catches keys from well-known services with near-zero false positives, while entropy analysis catches generic API keys that do not follow a recognized format. The AWS pair in the table shows why both are needed: the access key ID has the AKIA prefix, but the secret access key that goes with it is 40 characters with no prefix at all and can only be caught by the entropy pass. The trade-off is that the entropy pass also flags commit hashes, UUIDs, and similar random-looking values, so review the output before sharing rather than trusting it blindly.
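The two-pass flow described above (regexes for the prefixed formats in the table, then an entropy pass for everything else), as an added Python example that is not the Secret Redactor's own code. The prefixes come from the table on this page; the minimum lengths after each prefix, the 20-character candidate length, the 3.5 bits-per-character threshold, and the log lines are assumptions constructed for this example.

```python
import math
import re
from collections import Counter

# Added example (not the Secret Redactor's own code). Prefix patterns follow the
# formats in the table above; the minimum lengths after each prefix are assumptions.
KNOWN_FORMATS = {
    "STRIPE": re.compile(r"\b[sp]k_(?:live|test)_[A-Za-z0-9]{24,}"),
    "AWS_ACCESS_KEY_ID": re.compile(r"\bAKIA[A-Z0-9]{16}\b"),
    "GITHUB": re.compile(r"\bgh[pos]_[A-Za-z0-9]{36,}"),
    "SLACK": re.compile(r"\bxox[bp]-[A-Za-z0-9-]{10,}"),
    "GOOGLE": re.compile(r"\bAIza[A-Za-z0-9_-]{35}"),
}

# Generic pass. Group 1 re-matches placeholders the first pass already inserted so
# they are left alone; group 2 is any run of key-like characters (assumed: 20 or more).
GENERIC = re.compile(r"(\[REDACTED_[A-Z_]+\])|([A-Za-z0-9_\-+/]{20,})")
MIN_ENTROPY = 3.5  # bits per character; assumed starting point, tune on your own logs


def shannon_entropy(s: str) -> float:
    """Shannon entropy of the character distribution of s, in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def looks_like_secret(token: str, min_entropy: float = MIN_ENTROPY) -> bool:
    """Entropy alone flags long ordinary words; requiring both letters and digits
    removes most of those while keeping real keys, which nearly always mix them."""
    has_digit = any(ch.isdigit() for ch in token)
    has_alpha = any(ch.isalpha() for ch in token)
    return has_digit and has_alpha and shannon_entropy(token) >= min_entropy


def redact(text: str, min_entropy: float = MIN_ENTROPY):
    """Return (redacted_text, findings); findings is a list of (kind, original value)."""
    findings = []

    # Pass 1: known vendor formats, each replaced by a typed placeholder.
    for kind, pattern in KNOWN_FORMATS.items():
        def replace_known(match, kind=kind):
            findings.append((kind, match.group(0)))
            return f"[REDACTED_{kind}]"
        text = pattern.sub(replace_known, text)

    # Pass 2: anything else that is long and random enough.
    def replace_generic(match):
        if match.group(1):
            return match.group(1)  # placeholder from pass 1, keep it as is
        token = match.group(2)
        if looks_like_secret(token, min_entropy):
            findings.append(("HIGH_ENTROPY", token))
            return "[REDACTED_HIGH_ENTROPY]"
        return token

    return GENERIC.sub(replace_generic, text), findings


# Constructed sample log for this example: the first two values come from the
# before/after snippet on this page, everything else is made up.
SAMPLE_LOG = """\
2024-05-01T12:00:01Z INFO  Authorization: Bearer sk_live_4eC39HqLyjWDarjtT1zdp7dc
2024-05-01T12:00:01Z INFO  X-API-Key: a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6
2024-05-01T12:00:02Z DEBUG aws_access_key_id=AKIAEXAMPLE000000000
2024-05-01T12:00:02Z DEBUG aws_secret_access_key=Ab1Cd2Ef3Gh4Ij5Kl6Mn7Op8Qr9St0Uv1Wx2Yz3A
2024-05-01T12:00:03Z DEBUG commit=0123456789abcdef0123456789abcdef01234567 state=connection_pool_exhausted
"""

if __name__ == "__main__":
    clean, found = redact(SAMPLE_LOG)
    print(clean)
    for kind, value in found:
        # Report kind, length and entropy only; never echo the secret itself.
        print(f"{kind:18s} len={len(value):2d} entropy={shannon_entropy(value):.2f}")
```

On the sample, the Stripe key and the AKIA access key ID are caught by name, and the unprefixed X-API-Key value and the 40-character secret access key are caught by the entropy pass. So is the commit hash on the last line: that is the expected false positive of entropy detection, and it is why the output should be reviewed before sharing. The 25-character `connection_pool_exhausted` survives because it contains no digits. A short key with no known prefix (under 20 characters) is missed by this logic entirely; for in-house key formats, add their prefix to KNOWN_FORMATS rather than lowering the threshold.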
Why Client-Side Redaction Matters
When you paste sensitive text into a web tool, the data should never leave your browser. Server-side redaction tools require you to send your secrets over the network, which defeats the purpose: the unredacted text now sits in someone else's request logs. Client-side processing ensures your API keys are never transmitted anywhere. You can check this yourself rather than take it on trust: open the browser's developer tools, watch the network panel while you paste and redact, and confirm that no request carries the pasted text.
Use Case
A developer needs to share a debug log with a colleague, but the log contains API keys for multiple third-party services. By pasting the log into the Secret Redactor, all recognized API key patterns are automatically detected and replaced with safe placeholder text, making the log safe to share via Slack, email, or a bug report. Redaction makes the copy you share safe; it does not make an already exposed key safe. If the same log was previously posted somewhere others could read it, or a key was missed because it is short and has no known prefix, treat that key as compromised and rotate it.