Skip to main content
PasteGuard detects secrets before PII detection and can block, mask, or route requests containing sensitive credentials.

Supported Secret Types

Private Keys (enabled by default)

TypePattern
OPENSSH_PRIVATE_KEY-----BEGIN OPENSSH PRIVATE KEY-----
PEM_PRIVATE_KEY-----BEGIN RSA PRIVATE KEY-----, etc.

API Keys (opt-in)

TypePattern
API_KEY_SKsk-... or sk_... (20+ chars) - OpenAI, Anthropic, Stripe, RevenueCat
API_KEY_AWSAKIA... (20 chars)
API_KEY_GITHUBghp_..., gho_..., ghu_..., ghs_..., ghr_... (40+ chars)

Tokens (opt-in)

TypePattern
JWT_TOKENeyJ... (three base64 segments)
BEARER_TOKENBearer ... (40+ char tokens)

Environment Variables (opt-in)

TypePattern
ENV_PASSWORDDB_PASSWORD=..., ADMIN_PWD=... (8+ char values)
ENV_SECRETAPP_SECRET=..., JWT_SECRET=... (8+ char values)
CONNECTION_STRINGpostgres://user:pass@host, mongodb://...

Actions

ActionDescription
maskReplace secrets with placeholders, restore in response (default)
blockReturn HTTP 400, request never reaches OpenAI or Anthropic
route_localRoute to local LLM (requires route mode)

Mask (Default)

secrets_detection:
  action: mask
Secrets are replaced with placeholders and restored in the response (like PII masking).

Block

secrets_detection:
  enabled: true
  action: block
Request is rejected with HTTP 400. The secret never reaches OpenAI or Anthropic.

Route to Local

mode: route
secrets_detection:
  action: route_local
Requests with secrets are sent to your local LLM instead.

Response Headers

When secrets are detected: 
X-PasteGuard-Secrets-Detected: true
X-PasteGuard-Secrets-Types: OPENSSH_PRIVATE_KEY,API_KEY_SK
If secrets were masked: 
X-PasteGuard-Secrets-Masked: true