Feature request: automatically obscure credentials and secrets in terminal output

Resolved 💬 3 comments Opened May 12, 2026 by tyleratverkada Closed May 16, 2026

Summary

Claude Code should automatically detect and obscure credentials, tokens, API keys, and other secrets in terminal output — rather than displaying them in full.

Current behavior

When Claude Code runs commands that involve secrets (e.g. retrieving a value from AWS Secrets Manager, printing an auth token, echoing an environment variable), the raw secret value can appear in full in the terminal output.

Desired behavior

Any value that looks like a credential or secret should be automatically obscured in the display. Two acceptable formats:

  • Blank/redacted: replace the value entirely with [REDACTED]
  • Partial obscure (preferred): show a few characters at the start and end with ...OBSCURED... in the middle, e.g. EWhD7h...OBSCURED...z320Y

This would apply to:

  • AWS credentials and session tokens
  • API keys and bearer tokens
  • Passwords and private keys
  • Any value retrieved from secrets managers (AWS Secrets Manager, HashiCorp Vault, etc.)
  • Environment variables with names matching common secret patterns (*_TOKEN, *_SECRET, *_KEY, *_PASSWORD, etc.)

Use case

Users run Claude Code in shared terminal sessions, screen recordings, pair programming, and demo environments. A secret that appears in tool output can be inadvertently captured in a screenshot, recording, or over-the-shoulder view. Baking automatic obscuring into the UI — rather than relying on users or the model to remember — provides a meaningful security guardrail.

This is especially important because Claude Code has the ability to retrieve secrets on the user's behalf, making it a natural point to enforce this protection.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗