Feature request: Secret detection in chat input
Resolved 💬 3 comments Opened Feb 27, 2026 by brainbloodbarrier Closed Mar 3, 2026
Summary
Claude Code should detect and mask secrets (API keys, tokens, passwords) in user input before they are displayed in the chat history, similar to how Warp terminal has done for years.
Problem
When a user accidentally pastes a secret (e.g., an API key) into the chat, it is:
- Displayed in plain text in the conversation
- Stored in conversation history
- Potentially sent to the API in future context
There is no warning, no masking, and no way to redact it after the fact. The entire burden falls on the user.
Proposed Solution
- Input scanning: Before rendering user input, scan for common secret patterns (API keys, tokens, passwords, private keys, connection strings)
- Masking: Replace detected secrets with
[REDACTED]orsk_****...****in the displayed chat - Warning: Alert the user that a potential secret was detected
- Opt-out: Allow users to override if it's a false positive
Common patterns to detect
sk_,sk-,pk_,api_,token_prefixed strings- AWS keys (
AKIA...) - GitHub tokens (
ghp_,gho_,ghs_) - Base64-encoded private keys (
-----BEGIN) - Connection strings with passwords
- High-entropy strings in key-value contexts
Prior Art
- Warp Terminal: Real-time secret detection and masking
- GitHub: Push protection scans for secrets in commits
- GitGuardian / TruffleHog: Pre-commit secret scanning
Impact
This is a basic security UX feature that would prevent accidental credential exposure for all Claude Code users.
---
Opened via Claude Code
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗