HomeGuidesAPI ReferenceRelease notes
Log In
Guides

Secret & credential detection

Redact exposed API keys, cloud credentials, and private tokens

Exposing internal infrastructure keys, cloud credentials, or production database passwords within public LLM prompts represents a critical compliance risk. The Sentinel scans incoming payloads for structured string patterns matching known API keys, cloud credentials, and private token formats — for example OpenAI, Anthropic, and Google API keys, AWS access keys, GitHub and Slack tokens, Stripe keys, JWTs, and bearer tokens.

Remediation action: Replace with {{REDACTED}} — The problematic credential string is identified and replaced with a redaction placeholder, allowing the request to proceed to the upstream model without exposing the secret.

Example interception

Inbound prompt from application:

"Hey, can you help me write a quick bash script to upload files to our S3 bucket? Here are my local env variables to test with: AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE"

What the upstream LLM actually sees:

"Hey, can you help me write a quick bash script to upload files to our S3 bucket? Here are my local env variables to test with: AWS_ACCESS_KEY_ID={{REDACTED}}"