Skip to main content

Documentation Index

Fetch the complete documentation index at: https://pasteguard.com/docs/llms.txt

Use this file to discover all available pages before exploring further.

PasteGuard detects secrets before PII detection and can block, mask, or route requests containing sensitive credentials.

Supported Secret Types

Private Keys (enabled by default)

TypePattern
OPENSSH_PRIVATE_KEY-----BEGIN OPENSSH PRIVATE KEY-----
PEM_PRIVATE_KEY-----BEGIN RSA PRIVATE KEY-----, etc.

API Keys (opt-in)

TypePattern
API_KEY_SKsk-... or sk_... (20+ chars) - OpenAI, Anthropic, Stripe, RevenueCat
API_KEY_AWSAKIA... (20 chars)
API_KEY_GITHUBghp_..., gho_..., ghu_..., ghs_..., ghr_... (40+ chars)

Tokens (opt-in)

TypePattern
JWT_TOKENeyJ... (three base64 segments)
BEARER_TOKENBearer ... (40+ char tokens)

Environment Variables (opt-in)

TypePattern
ENV_PASSWORDDB_PASSWORD=..., ADMIN_PWD=... (8+ char values)
ENV_SECRETAPP_SECRET=..., JWT_SECRET=... (8+ char values)
CONNECTION_STRINGpostgres://user:pass@host, mongodb://...

Actions

ActionDescription
maskReplace secrets with placeholders, restore in response (default)
blockReturn HTTP 400, request never reaches OpenAI or Anthropic
route_localRoute to local LLM (requires route mode)

Mask (Default)

secrets_detection:
  action: mask
Secrets are replaced with placeholders and restored in the response (like PII masking).

Block

secrets_detection:
  enabled: true
  action: block
Request is rejected with HTTP 400. The secret never reaches OpenAI or Anthropic.

Route to Local

mode: route
secrets_detection:
  action: route_local
Requests with secrets are sent to your local LLM instead.

Response Headers

When secrets are detected: 
X-PasteGuard-Secrets-Detected: true
X-PasteGuard-Secrets-Types: OPENSSH_PRIVATE_KEY,API_KEY_SK
If secrets were masked: 
X-PasteGuard-Secrets-Masked: true