> ## Documentation Index
> Fetch the complete documentation index at: https://pasteguard.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Secrets Detection Config

> Configure detection of private keys, API keys, tokens, and environment credentials

```yaml theme={null}
secrets_detection:
  enabled: true
  action: mask
  entities:
    - OPENSSH_PRIVATE_KEY
    - PEM_PRIVATE_KEY
    - API_KEY_SK
    - API_KEY_AWS
    - API_KEY_GITHUB
    - JWT_TOKEN
    - BEARER_TOKEN
    - ENV_PASSWORD
    - ENV_SECRET
    - CONNECTION_STRING
  max_scan_chars: 200000
  log_detected_types: true
```

## Options

| Option               | Default             | Description                             |
| -------------------- | ------------------- | --------------------------------------- |
| `enabled`            | `true`              | Enable secrets detection                |
| `action`             | `mask`              | Action when secrets found               |
| `entities`           | All supported types | Secret types to detect                  |
| `max_scan_chars`     | `200000`            | Max characters to scan (0 = unlimited)  |
| `log_detected_types` | `true`              | Log detected types (never logs content) |

## Actions

| Action        | Description                                                      |
| ------------- | ---------------------------------------------------------------- |
| `mask`        | Replace secrets with placeholders, restore in response (default) |
| `block`       | Return HTTP 400, request never reaches the provider              |
| `route_local` | Route to local LLM (requires route mode)                         |

### Mask (Default)

```yaml theme={null}
secrets_detection:
  action: mask
```

### Block

```yaml theme={null}
secrets_detection:
  action: block
```

### Route to Local

```yaml theme={null}
mode: route
secrets_detection:
  action: route_local
```

## Secret Types

All supported secret types are enabled by default. Set `entities` to a smaller
list if you want to scan only specific categories.

### Private Keys

```yaml theme={null}
secrets_detection:
  entities:
    - OPENSSH_PRIVATE_KEY  # -----BEGIN OPENSSH PRIVATE KEY-----
    - PEM_PRIVATE_KEY      # RSA, PRIVATE KEY, ENCRYPTED PRIVATE KEY
```

### API Keys

```yaml theme={null}
secrets_detection:
  entities:
    - API_KEY_SK       # sk-/sk_ prefix (OpenAI, Anthropic, Stripe, RevenueCat)
    - API_KEY_AWS      # AKIA... (20 chars)
    - API_KEY_GITHUB   # ghp_, gho_, ghu_, ghs_, ghr_ (40+ chars)
```

### Tokens

```yaml theme={null}
secrets_detection:
  entities:
    - JWT_TOKEN      # eyJ... (three base64 segments)
    - BEARER_TOKEN   # Bearer ... (40+ char tokens)
```

### Environment Variables

```yaml theme={null}
secrets_detection:
  entities:
    - ENV_PASSWORD       # DB_PASSWORD=..., ADMIN_PWD=... (8+ char values)
    - ENV_SECRET         # APP_SECRET=..., JWT_SECRET=... (8+ char values)
    - CONNECTION_STRING  # postgres://user:pass@host, mongodb://user:pass@host
```

## Scan Roles

By default, PasteGuard scans user messages and tool results. It skips system, developer,
and assistant text. Set `scan_roles` to replace that default:

```yaml theme={null}
secrets_detection:
  scan_roles:
    - user
    - tool
    - function
    - mcp
```

| Scan label  | Description                                                                        |
| ----------- | ---------------------------------------------------------------------------------- |
| `user`      | User messages                                                                      |
| `assistant` | Assistant responses                                                                |
| `system`    | System prompts                                                                     |
| `developer` | Developer prompts                                                                  |
| `tool`      | Tool results, including file reads and shell output                                |
| `function`  | Legacy OpenAI function results                                                     |
| `mcp`       | PasteGuard internal label for MCP tool items, such as Codex `mcp_tool_call` output |

If `scan_roles` is set, PasteGuard scans exactly those roles.

## Performance

For large payloads, limit scanning:

```yaml theme={null}
secrets_detection:
  max_scan_chars: 200000  # 200KB default
  # max_scan_chars: 0     # Scan entire request
```

Secrets placed after the limit won't be detected.
