Secrets Detection

PasteGuard detects secrets before PII detection and can block, redact, or route requests containing sensitive credentials.

Supported Secret Types

Private Keys (enabled by default)

| Type | Pattern |
| --- | --- |
| OPENSSH_PRIVATE_KEY | -----BEGIN OPENSSH PRIVATE KEY----- |
| PEM_PRIVATE_KEY | -----BEGIN RSA PRIVATE KEY-----, etc. |

API Keys (opt-in)

| Type | Pattern |
| --- | --- |
| API_KEY_OPENAI | sk-... (48+ chars) |
| API_KEY_AWS | AKIA... (20 chars) |
| API_KEY_GITHUB | ghp_..., gho_..., ghu_..., ghs_..., ghr_... (40+ chars) |

Tokens (opt-in)

| Type | Pattern |
| --- | --- |
| JWT_TOKEN | eyJ... (three base64 segments) |
| BEARER_TOKEN | Bearer ... (40+ char tokens) |

Actions

| Action | Description |
| --- | --- |
| redact | Replace secrets with placeholders, restore in response (default) |
| block | Return HTTP 400, request never reaches LLM |
| route_local | Route to local LLM (requires route mode) |

Redact (Default)

secrets_detection:
  action: redact

Secrets are replaced with placeholders and restored in the response (like PII masking).
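
The redact-and-restore round trip described above, as an added example (not PasteGuard's own code). The regexes approximate the documented patterns, the "N+ chars" limits are assumed to be total lengths, and the `[[SECRET_<TYPE>_<n>]]` placeholder format is hypothetical.

```python
import re

# Approximations of the documented patterns (assumptions, not PasteGuard's regexes).
PATTERNS = {
    "OPENSSH_PRIVATE_KEY": r"-----BEGIN OPENSSH PRIVATE KEY-----[\s\S]*?-----END OPENSSH PRIVATE KEY-----",
    "PEM_PRIVATE_KEY": r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----[\s\S]*?-----END (?:[A-Z]+ )?PRIVATE KEY-----",
    "API_KEY_OPENAI": r"\bsk-[A-Za-z0-9_-]{45,}",       # assumes 48+ is the total length
    "API_KEY_AWS": r"\bAKIA[0-9A-Z]{16}\b",              # 20 chars in total
    "API_KEY_GITHUB": r"\bgh[pousr]_[A-Za-z0-9]{36,}",   # assumes 40+ is the total length
    "JWT_TOKEN": r"\beyJ[\w-]+\.[\w-]+\.[\w-]+",
    "BEARER_TOKEN": r"\bBearer [A-Za-z0-9._~+/-]{40,}",
}
# One alternation with a named group per type; earlier entries win ties.
DETECTOR = re.compile("|".join(f"(?P<{k}>{v})" for k, v in PATTERNS.items()))


def redact(text):
    """Return (redacted_text, mapping); mapping is placeholder -> (type, secret)."""
    mapping, seen = {}, {}

    def repl(match):
        secret = match.group(0)
        if secret not in seen:  # a repeated secret reuses its placeholder
            seen[secret] = f"[[SECRET_{match.lastgroup}_{len(seen) + 1}]]"  # hypothetical format
            mapping[seen[secret]] = (match.lastgroup, secret)
        return seen[secret]

    return DETECTOR.sub(repl, text), mapping


def restore(text, mapping):
    """Put the original secrets back into a model response."""
    for placeholder, (_, secret) in mapping.items():
        text = text.replace(placeholder, secret)
    return text


def detected_types(mapping):
    """Sorted type names, comparable to the X-PasteGuard-Secrets-Types header."""
    return sorted({kind for kind, _ in mapping.values()})


# Constructed, non-functional sample values.
FAKE_AWS = "AKIA" + "A" * 16
FAKE_GH = "ghp_" + "b" * 36
FAKE_PEM = "-----BEGIN RSA PRIVATE KEY-----\nMIIfake\n-----END RSA PRIVATE KEY-----"
PROMPT = f"Why does this fail?\nkey={FAKE_AWS} token={FAKE_GH} again={FAKE_AWS}\n{FAKE_PEM}"

if __name__ == "__main__":
    redacted, mapping = redact(PROMPT)
    print(redacted, detected_types(mapping), sep="\n")
```

The mapping has to stay on the proxy side for the lifetime of the request: the upstream model only ever sees the placeholders, and the response is rewritten before it is returned to the client.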

Block

secrets_detection:
  enabled: true
  action: block

Request is rejected with HTTP 400. The secret never reaches the LLM.

Route to Local

mode: route
secrets_detection:
  action: route_local

Requests with secrets are sent to your local LLM instead.

Response Headers

When secrets are detected:

X-PasteGuard-Secrets-Detected: true
X-PasteGuard-Secrets-Types: OPENSSH_PRIVATE_KEY,API_KEY_OPENAI

If secrets were redacted:

X-PasteGuard-Secrets-Redacted: true