.env file sanitizer
Paste your .env file on the left.
Secret values are masked on the right so you can share the file structure safely.
Detects secrets by key name and by value pattern (OpenAI, AWS, GitHub, Stripe, database URLs, JWTs, and more). Nothing leaves the browser.
Why sanitize before sharing?
Accidentally committing or sharing a .env file is one of the most common causes of credential leaks. GitHub scans public repositories for known secret patterns and alerts you — but leaks through other channels (Slack, GitHub Issues, Stack Overflow, screenshots) go undetected. Sanitizing before sharing means you can include the full key structure (which is useful for debugging) without exposing the values that matter.
If you believe a secret has already been exposed — even briefly — rotate it immediately. Most API providers make this straightforward in their dashboard. Do not rely on deletion alone; automated scrapers harvest secrets from public sources within seconds of exposure.
About this tool
This tool masks the values of sensitive environment variables in a .env file so you can safely share the file structure — for example in a bug report, Stack Overflow question, or team documentation — without exposing credentials. It identifies secrets by key name (any key containing "key", "secret", "token", "password", "auth", "private", "dsn", "connection", and others) and also by value pattern (known API key prefixes like sk-, AKIA, ghp_, Stripe keys, database URLs, and JWTs). All processing runs client-side in your browser. Nothing is uploaded.
Frequently asked questions
Does this tool send my .env file anywhere?
No. Processing runs entirely in your browser using JavaScript regular expressions. Your file contents are never transmitted to a server, logged, or stored. The tool has no backend.
What secrets does it mask?
It masks values whose key name contains common secret-related words — key, secret, token, password, passwd, pwd, auth, private, signing, credential, dsn, connection, webhook, database_url — and values that match known API key patterns regardless of key name, including OpenAI (sk-...), AWS (AKIA...), GitHub personal access tokens (ghp_, ghs_, gho_), Stripe keys (sk_live_, sk_test_, pk_live_, pk_test_), Slack tokens (xox...), JWTs, and database connection string URLs (postgres://, mysql://, mongodb://, redis://).
Will it accidentally mask things that aren't secrets?
It may be slightly over-cautious — for example, masking a PUBLIC_KEY or STRIPE_PUBLISHABLE_KEY that is intended to be public. The tool errs on the side of caution. You can manually restore any mistakenly masked values in the output. The point is to prevent accidental secret exposure, so false positives are less harmful than false negatives.
What about multi-line values or unusual .env formats?
This tool handles the common single-line KEY=VALUE format (with or without quotes, with or without the export keyword). Multi-line values using shell heredoc syntax or dotenv's multiline format are not currently supported — those lines will be passed through unchanged, which is safer than corrupting them.
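The behaviour described in these answers, written out as an added example in plain JavaScript (this is not the tool's own source): keys are flagged by the name fragments listed above, values by provider prefixes, JWT shape and database URL scheme, and only single-line KEY=VALUE lines (with or without quotes or `export`) are rewritten while everything else passes through unchanged. The keyword list and provider families come from the FAQ; the minimum prefix lengths in the value patterns and the fixed mask string are assumptions.

```javascript
// Key-name fragments from the FAQ; a key containing any of them is treated as a secret.
const SENSITIVE_KEY_WORDS = [
  "key", "secret", "token", "password", "passwd", "pwd", "auth", "private",
  "signing", "credential", "dsn", "connection", "webhook", "database_url",
];

// Value patterns for the providers the page lists. Minimum lengths are assumptions, not provider specs.
const SECRET_VALUE_PATTERNS = [
  /^sk-[A-Za-z0-9_-]{8,}$/,                               // OpenAI-style key
  /^AKIA[A-Z0-9]{16}$/,                                   // AWS access key id
  /^gh[pso]_[A-Za-z0-9]{8,}$/,                            // GitHub ghp_ / ghs_ / gho_
  /^[sp]k_(live|test)_[A-Za-z0-9]{8,}$/,                  // Stripe secret and publishable keys
  /^xox[a-z]-[A-Za-z0-9-]{8,}$/,                          // Slack tokens
  /^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/,  // JWT: three base64url parts, header starts "eyJ"
  /^(postgres(ql)?|mysql|mongodb(\+srv)?|redis):\/\//i,   // database connection URLs
];

const MASK = "********"; // assumed mask; the real tool may use a different placeholder

function isSensitiveKey(key) {
  const k = key.toLowerCase();
  return SENSITIVE_KEY_WORDS.some((w) => k.includes(w)); // note: also flags PUBLIC_KEY, as the FAQ warns
}

function isSecretValue(value) {
  return SECRET_VALUE_PATTERNS.some((re) => re.test(value));
}

// Strip one layer of matching single or double quotes; returns [quoteChar, innerValue].
function unquote(raw) {
  const m = /^(["'])(.*)\1$/.exec(raw);
  return m ? [m[1], m[2]] : ["", raw];
}

// Sanitise a whole .env file. Only single-line KEY=VALUE (optionally `export KEY=VALUE`) is rewritten;
// comments, blank lines and anything else (heredoc bodies, continuation lines) pass through unchanged.
function sanitizeEnv(text) {
  return text.split("\n").map((line) => {
    const m = /^(\s*(?:export\s+)?)([A-Za-z_][A-Za-z0-9_]*)(\s*=\s*)(.*?)(\s*)$/.exec(line);
    if (!m) return line;
    const [, prefix, key, eq, rawValue, trailing] = m;
    const [quote, value] = unquote(rawValue);
    if (value === "" || (!isSensitiveKey(key) && !isSecretValue(value))) return line;
    return `${prefix}${key}${eq}${quote}${MASK}${quote}${trailing}`; // quoting style is preserved
  }).join("\n");
}
```

The `DB=postgres://...` case shows the second detection path: the key name is harmless, but the value's URL scheme still triggers masking.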