LLM prompt sanitizer
Paste any text before sending it to an AI — emails, documents, Slack exports, code snippets. PII and secrets are replaced with labelled tokens client-side. Nothing leaves the browser.
Detects emails, phone numbers, card numbers, SSNs, and API keys automatically. Use the custom field for names, company names, or any other identifiers regex alone can't catch.
How this tool works
Each detection pattern runs as a regular expression over your text. Matches are replaced with a labelled placeholder — [EMAIL], [PHONE], [API-KEY], and so on — so the AI can still understand the structure of the surrounding text. All processing happens locally; your text is never sent anywhere.
Regex catches well-structured formats reliably but cannot detect unstructured PII like person names, street addresses, or freeform account numbers. For those, use the custom words field to explicitly list any names or terms you want redacted. When in doubt, paste the sanitized output into a second pass and review it before sending.
About this tool
This tool strips personally identifiable information (PII) and secrets from text before you paste it into an AI tool. It detects and replaces emails, phone numbers, credit and debit card numbers, US Social Security Numbers, API keys and bearer tokens, JWT tokens, and any custom words you specify. Processing runs entirely in your browser — no text is transmitted to a server.
Frequently asked questions
Does this tool send my text anywhere?
No. All processing runs in your browser using JavaScript regular expressions. Your text is never transmitted to a server, logged, or stored anywhere. The tool has no backend.
What API key formats does it detect?
OpenAI keys (sk-...), AWS access keys (AKIA...), GitHub personal access tokens (ghp_, gho_, ghs_), Stripe keys (sk_live_, sk_test_, pk_live_, pk_test_), JWT tokens (three base64url segments separated by dots), and Bearer tokens in Authorization headers. It also catches generic patterns like api_key = "..." or apiKey: "..." when the value is 16 or more characters.
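The regex-and-token approach from "How this tool works", applied to the key formats listed above, as an added example that is not the tool's own code. The patterns, length bounds, Luhn check and the [CARD], [SSN], [JWT] and [CUSTOM] labels are assumptions; only [EMAIL], [PHONE] and [API-KEY] appear on this page.

```javascript
// Added example: patterns and labels other than [EMAIL], [PHONE], [API-KEY] are assumptions.
const RULES = [
  // JWT: three base64url segments separated by dots (a JSON header encodes to "eyJ").
  ["JWT", /\beyJ[\w-]+\.[\w-]+\.[\w-]+/g],
  // Bearer token in an Authorization header: keep the scheme, redact the value.
  ["API-KEY", /(?<=\bBearer\s+)[\w.~+\/-]+=*/g],
  // Vendor prefixes listed in the FAQ; the length bounds are assumed.
  ["API-KEY", /\b(?:sk-[\w-]{20,}|AKIA[0-9A-Z]{16}|gh[pos]_\w{20,}|[sp]k_(?:live|test)_\w{16,})/g],
  // Generic api_key = "..." or apiKey: "..." with a value of 16+ characters.
  ["API-KEY", /(?<=\bapi_?key\s*[:=]\s*["'])[^"'\s]{16,}(?=["'])/gi],
  ["EMAIL", /\b[\w.%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/g],
  ["SSN", /\b\d{3}-\d{2}-\d{4}\b/g],
  // North American phone layout only; runs after card and SSN replacement.
  ["PHONE", /(?<!\w)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b/g],
];

// Luhn checksum: rejects digit runs (order numbers, IDs) that are not card numbers.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

function sanitize(text, customWords = []) {
  // Card candidates: 13-19 digits with optional space or hyphen separators.
  let out = text.replace(/\b\d(?:[ -]?\d){12,18}\b/g, (m) =>
    luhnValid(m.replace(/\D/g, "")) ? "[CARD]" : m);
  for (const [label, re] of RULES) out = out.replace(re, `[${label}]`);
  // Custom words last, matched literally and case-insensitively.
  for (const w of customWords.filter(Boolean)) {
    const literal = w.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
    out = out.replace(new RegExp(literal, "gi"), "[CUSTOM]");
  }
  return out;
}

// Constructed sample input (no real data).
const SAMPLE = [
  "Jane Doe <jane.doe@example.com>, phone (555) 010-4477",
  "Card 4111 1111 1111 1111, order 1234 5678 9012 3456, SSN 000-12-3456",
  "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2lnbmF0dXJl",
  'api_key = "0123456789abcdefXYZ" aws=AKIAIOSFODNN7EXAMPLE',
].join("\n");
console.log(sanitize(SAMPLE, ["Jane Doe"]));
```

Rule order matters: the JWT rule runs before the Bearer rule so a JWT in an Authorization header gets the more specific label, and custom words run last so a name that also appears inside an email address does not break the email match. The order number in the sample fails the Luhn check and is left in place, which is the kind of leftover the page's advice to review the output is meant to catch.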
Will it catch everything?
No regex-based approach catches 100% of PII. Names, addresses, and freeform sensitive content require NLP models. This tool targets the most machine-readable formats — structured numbers, tokens, and keys — which are the highest-risk items to accidentally share. Always review the sanitized output before sending, and use the custom words field for specific names or identifiers the tool can't detect automatically.
Why replace with tokens instead of deleting?
Replacement tokens like [EMAIL] preserve the structure of the text so the AI can still understand context — "the user at [EMAIL] reported a bug" is more useful than "the user at reported a bug". You can always delete tokens manually in the output if you prefer blank removal.