Feature request: Secret detection in chat input

Resolved 💬 3 comments Opened Feb 27, 2026 by brainbloodbarrier Closed Mar 3, 2026

Summary

Claude Code should detect and mask secrets (API keys, tokens, passwords) in user input before they are displayed in the chat history, similar to how Warp terminal has done for years.

Problem

When a user accidentally pastes a secret (e.g., an API key) into the chat, it is:

  1. Displayed in plain text in the conversation
  2. Stored in conversation history
  3. Potentially sent to the API in future context

There is no warning, no masking, and no way to redact it after the fact. The entire burden falls on the user.

Proposed Solution

  • Input scanning: Before rendering user input, scan for common secret patterns (API keys, tokens, passwords, private keys, connection strings)
  • Masking: Replace detected secrets with [REDACTED] or sk_****...**** in the displayed chat
  • Warning: Alert the user that a potential secret was detected
  • Opt-out: Allow users to override if it's a false positive

Common patterns to detect

  • sk_, sk-, pk_, api_, token_ prefixed strings
  • AWS keys (AKIA...)
  • GitHub tokens (ghp_, gho_, ghs_)
  • Base64-encoded private keys (-----BEGIN)
  • Connection strings with passwords
  • High-entropy strings in key-value contexts

Prior Art

  • Warp Terminal: Real-time secret detection and masking
  • GitHub: Push protection scans for secrets in commits
  • GitGuardian / TruffleHog: Pre-commit secret scanning

Impact

This is a basic security UX feature that would prevent accidental credential exposure for all Claude Code users.

---

Opened via Claude Code

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗