That terminal, .env, Postman or CI-log grab you're about to paste into a PR still has a live key in it. One click blurs detected keys, tokens and long secret strings — right in your browser, never uploaded. Then rotate the key too.
It matches known key prefixes and long opaque strings — a strong first pass. Short IDs and anything unusual are on you to box.
Recognises common key shapes by their prefix: Stripe sk_/pk_/rk_, GitHub ghp_, Slack xoxb/xoxa/xoxp, and generic api_/key_/token_. If it starts with a known secret prefix, it gets flagged.
Any unbroken 28+ character string of letters, digits, _ and - is treated as a secret — which catches AWS secret access keys, JWTs, base64 tokens and GOCSPX- Google client secrets even without a tidy prefix.
The same pass covers emails, phone numbers, IBANs, payment cards and US SSNs — the account details that ride along in a dashboard or billing screenshot.
Short unprefixed IDs like an AWS access-key ID (AKIA…, 20 chars) won't trip the length rule. Cover those yourself by dragging a box — the manual backstop for anything the detector can't know.
Paste from the clipboard, drag the PNG in or tap to browse — the terminal, dashboard, Postman or CI-log screenshot loads right in your browser. Nothing is uploaded.
One click reads the image and blurs detected keys, tokens and long secret strings. Eyeball the result and drag a box over any short ID or value it didn't flag.
Download a clean PNG with the blur baked in — no layer to peel back. Then rotate the key too: redacting the picture doesn't un-share a secret that was already visible.
The classic mistake: you paste a terminal, dashboard or Postman screenshot into a PR, Slack thread, GitHub issue or Stack Overflow answer to show a bug — with a live token sitting right there in the output. Secret scanners and OCR bots crawl images too, so a key in a picture is a key in the wild.
Auto-Redact reads the image in your browser and blurs the key shapes it recognises — prefixed keys and long opaque strings. It's a strong first pass, not a guarantee: check the result, drag a box over any short ID it couldn't know was a secret, and remember to rotate a key that was ever shown. The blur is baked into the export — no layer to peel back.
On-device, permanent, and honest that a redaction is not a rotation.
OCR and blur run locally on your device — the screenshot with the live key in it is never uploaded to a server. There's nothing sitting in someone's logs to leak later.
Redactions are flattened into the exported image. There's no hidden layer with the real key underneath for a reviewer, a scraper or a git history to peel back.
Blurring the screenshot stops the leak spreading, but a key that was ever posted should be considered burned. Rotate it in the provider dashboard; treat redaction as damage control, not a fix.
The full playbook for clean, safe screenshots in docs, PRs and bug reports.
Developer guideFramed, sharp shots for your README — with secrets blurred before they hit the repo.
README shotsTurn a snippet or terminal into a crisp, shareable image — redact the sensitive lines first.
Code shotsThe hub: emails, cards, IBANs, SSNs and phone numbers — not just keys — blurred in your browser.
Redaction hubFree, runs in your browser, no signup — your screenshot never leaves your device. Then go rotate that key.