Feature request: automatically obscure credentials and secrets in terminal output
Summary
Claude Code should automatically detect and obscure credentials, tokens, API keys, and other secrets in terminal output — rather than displaying them in full.
Current behavior
When Claude Code runs commands that involve secrets (e.g. retrieving a value from AWS Secrets Manager, printing an auth token, echoing an environment variable), the raw secret value can appear in full in the terminal output.
Desired behavior
Any value that looks like a credential or secret should be automatically obscured in the display. Two acceptable formats:
- Blank/redacted: replace the value entirely with
[REDACTED] - Partial obscure (preferred): show a few characters at the start and end with
...OBSCURED...in the middle, e.g.EWhD7h...OBSCURED...z320Y
This would apply to:
- AWS credentials and session tokens
- API keys and bearer tokens
- Passwords and private keys
- Any value retrieved from secrets managers (AWS Secrets Manager, HashiCorp Vault, etc.)
- Environment variables with names matching common secret patterns (
*_TOKEN,*_SECRET,*_KEY,*_PASSWORD, etc.)
Use case
Users run Claude Code in shared terminal sessions, screen recordings, pair programming, and demo environments. A secret that appears in tool output can be inadvertently captured in a screenshot, recording, or over-the-shoulder view. Baking automatic obscuring into the UI — rather than relying on users or the model to remember — provides a meaningful security guardrail.
This is especially important because Claude Code has the ability to retrieve secrets on the user's behalf, making it a natural point to enforce this protection.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗