> ## Documentation Index
> Fetch the complete documentation index at: https://pasteguard.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Secrets Detection

> Detect and protect private keys, API keys, tokens, and environment credentials

PasteGuard detects secrets before PII detection and can block, mask, or route requests containing sensitive credentials.

## Supported Secret Types

All supported secret types are enabled by default.

### Private Keys

| Type                  | Pattern                                 |
| --------------------- | --------------------------------------- |
| `OPENSSH_PRIVATE_KEY` | `-----BEGIN OPENSSH PRIVATE KEY-----`   |
| `PEM_PRIVATE_KEY`     | `-----BEGIN RSA PRIVATE KEY-----`, etc. |

### API Keys

| Type             | Pattern                                                                  |
| ---------------- | ------------------------------------------------------------------------ |
| `API_KEY_SK`     | `sk-...` or `sk_...` (20+ chars) - OpenAI, Anthropic, Stripe, RevenueCat |
| `API_KEY_AWS`    | `AKIA...` (20 chars)                                                     |
| `API_KEY_GITHUB` | `ghp_...`, `gho_...`, `ghu_...`, `ghs_...`, `ghr_...` (40+ chars)        |

### Tokens

| Type           | Pattern                          |
| -------------- | -------------------------------- |
| `JWT_TOKEN`    | `eyJ...` (three base64 segments) |
| `BEARER_TOKEN` | `Bearer ...` (40+ char tokens)   |

### Environment Variables

| Type                | Pattern                                             |
| ------------------- | --------------------------------------------------- |
| `ENV_PASSWORD`      | `DB_PASSWORD=...`, `ADMIN_PWD=...` (8+ char values) |
| `ENV_SECRET`        | `APP_SECRET=...`, `JWT_SECRET=...` (8+ char values) |
| `CONNECTION_STRING` | `postgres://user:pass@host`, `mongodb://...`        |

## Actions

| Action        | Description                                                      |
| ------------- | ---------------------------------------------------------------- |
| `mask`        | Replace secrets with placeholders, restore in response (default) |
| `block`       | Return HTTP 400, request never reaches the provider              |
| `route_local` | Route to local LLM (requires route mode)                         |

### Mask (Default)

```yaml theme={null}
secrets_detection:
  action: mask
```

Secrets are replaced with placeholders and restored in the response (like PII masking).

### Block

```yaml theme={null}
secrets_detection:
  enabled: true
  action: block
```

Request is rejected with HTTP 400. The secret never reaches the provider.

### Route to Local

```yaml theme={null}
mode: route
secrets_detection:
  action: route_local
```

Requests with secrets are sent to your local LLM instead.

## Response Headers

When secrets are detected:

```
X-PasteGuard-Secrets-Detected: true
X-PasteGuard-Secrets-Types: OPENSSH_PRIVATE_KEY,API_KEY_SK
```

If secrets were masked:

```
X-PasteGuard-Secrets-Masked: true
```
