Skip to main content
PasteGuard detects secrets before PII detection and can block, mask, or route requests containing sensitive credentials.

Supported Secret Types

All supported secret types are enabled by default.

Private Keys

TypePattern
OPENSSH_PRIVATE_KEY-----BEGIN OPENSSH PRIVATE KEY-----
PEM_PRIVATE_KEY-----BEGIN RSA PRIVATE KEY-----, etc.

API Keys

TypePattern
API_KEY_SKsk-... or sk_... (20+ chars) - OpenAI, Anthropic, Stripe, RevenueCat
API_KEY_AWSAKIA... (20 chars)
API_KEY_GITHUBghp_..., gho_..., ghu_..., ghs_..., ghr_... (40+ chars)

Tokens

TypePattern
JWT_TOKENeyJ... (three base64 segments)
BEARER_TOKENBearer ... (40+ char tokens)

Environment Variables

TypePattern
ENV_PASSWORDDB_PASSWORD=..., ADMIN_PWD=... (8+ char values)
ENV_SECRETAPP_SECRET=..., JWT_SECRET=... (8+ char values)
CONNECTION_STRINGpostgres://user:pass@host, mongodb://...

Actions

ActionDescription
maskReplace secrets with placeholders, restore in response (default)
blockReturn HTTP 400, request never reaches the provider
route_localRoute to local LLM (requires route mode)

Mask (Default)

secrets_detection:
  action: mask
Secrets are replaced with placeholders and restored in the response (like PII masking).

Block

secrets_detection:
  enabled: true
  action: block
Request is rejected with HTTP 400. The secret never reaches the provider.

Route to Local

mode: route
secrets_detection:
  action: route_local
Requests with secrets are sent to your local LLM instead.

Response Headers

When secrets are detected:
X-PasteGuard-Secrets-Detected: true
X-PasteGuard-Secrets-Types: OPENSSH_PRIVATE_KEY,API_KEY_SK
If secrets were masked:
X-PasteGuard-Secrets-Masked: true