Log Redactor

Strip API keys, tokens, passwords, emails and IPs from a log before pasting it into a bug report, Slack, or an AI chat — entirely in your browser.

… or drag & drop it onto the box above — read in your browser, never uploaded.
Redact these categories

Quick answer

The Log Redactor replaces secrets in a pasted log — AWS keys, API keys, bearer/JWT tokens, passwords, emails, IPs, card numbers — with labeled placeholders like [REDACTED_JWT], so you can share the log without leaking credentials. Everything runs in your browser; the log you paste is never uploaded.

Key takeaways

How does the redactor work?

The pasted text is scanned by a set of patterns in two styles. Format-based patterns catch secrets with a recognizable shape no matter where they appear — an AWS access key ID always looks like AKIA…, a JWT is three base64url segments where the first two start with eyJ, a GitHub token starts with ghp_. Context-based patterns catch values that are only secret because of what sits next to them: password=…, api_key: …, or the user:password@ pair inside a database connection string — there the key name is kept and only the value is replaced, so the log stays readable. Overlaps are resolved so each character is redacted at most once, and every replacement is a labeled placeholder rather than asterisks, because whoever reads the log still needs to understand what happened.

What does it detect?

Category Examples
Vendor & API keysAWS access key IDs, GitHub / Slack / npm tokens, Stripe & Google keys, sk-… style API keys
Tokens & auth headersJWTs, Authorization: Bearer …, Basic …, PEM private-key blocks
Passwords & secretspassword=…, client_secret: …, user:pass@host in connection strings
Email addressesAny name@domain.tld — user emails are personal data
Network addressesIPv4 & IPv6 addresses (localhost excluded), MAC addresses
Card numbers13–19 digit sequences that pass the Luhn checksum, with or without spaces/dashes

Is it private?

Yes — and for this tool that's the entire point. The redaction is plain regex substitution running in your browser: the log you paste is never uploaded or sent to a server. A log sanitizer that uploaded your logs to sanitize them would defeat its own purpose. This also means it works offline once the page is loaded.

When should I use it?

Any time a log is about to leave your machine: attaching output to a GitHub issue, pasting a stack trace into Slack or a support ticket, or handing a log to an AI assistant for debugging. Request dumps are the classic trap — one curl -v or middleware log line quietly includes your Authorization header, and once it's on someone else's server the token has to be rotated. A second pair of use cases is compliance-shaped: emails, IPs and card numbers in logs are personal or payment data you often aren't allowed to share internally, let alone externally.

What are its limits?

Pattern matching can only catch secrets that look like secrets. A random hex string with no key name next to it and no vendor prefix is indistinguishable from a request ID, so it passes through. The detector deliberately errs toward catching more — but you should still skim the output before sharing, especially for secrets your own systems invent. And redaction is one-way by design: keep the original if you'll need those values again.

Debugging the error inside that log? Paste it into the Error Log Analyzer to jump straight to the fix. Need to inspect a token before redacting it? Use the JWT Decoder — it's just as private.

Frequently Asked Questions

What does the Log Redactor do?

Paste a raw log, stack trace, or terminal output and it replaces secrets — AWS keys, API keys, bearer and JWT tokens, passwords, connection-string credentials, emails, IP addresses and credit-card numbers — with clearly labeled placeholders like [REDACTED_JWT]. You get a copy that is safe to paste into a bug report, a Slack channel, or an AI chat.

Is my log uploaded to a server?

No. The redaction is pure JavaScript running in your browser — the log you paste is never uploaded or transmitted anywhere. That is the whole point: you can sanitize logs from private infrastructure without the log ever leaving your machine.

What kinds of secrets does it detect?

Vendor credentials with recognizable formats (AWS access key IDs, GitHub, Slack, Stripe, Google and npm tokens, sk-style API keys), JWTs, Bearer and Basic authorization headers, private-key PEM blocks, user:password pairs inside connection strings, key=value pairs where the key looks secret-like (password, secret, api_key, token…), email addresses, IPv4/IPv6 and MAC addresses, and Luhn-valid credit-card numbers.

Why should I redact logs before sharing them?

Logs routinely capture more than you intend: an Authorization header in a request dump, a connection string in a crash message, an API key echoed by a startup script. Once pasted into an issue tracker, chat, or AI assistant, that secret is stored on someone else's servers and should be considered leaked — most security teams require rotating it. Redacting first costs seconds; rotating credentials costs a lot more.

Can it miss secrets?

Yes. It matches known patterns, and a secret with no recognizable shape — a random string with no context around it — can slip through. Treat the output as a strong first pass, not a guarantee, and skim it before sharing. When in doubt, redact more: the checkboxes let you strip whole categories like every email or IP address.

Why does it catch card numbers but not my order IDs?

Every candidate digit sequence is checked against the Luhn checksum that real payment-card numbers must satisfy, plus a 13–19 digit length rule. Random IDs, timestamps and phone numbers almost never pass that checksum, so they are left alone while real card numbers are caught.

Can I choose what gets redacted?

Yes. Detection is grouped into six categories — vendor/API keys, tokens and auth headers, passwords and secrets, email addresses, network addresses, and card numbers — each with its own checkbox. Untick a category if, say, internal IPs are fine to share, and the output updates instantly.

Last updated: July 2026