Key takeaways
- Blur is not safe for credentials. Use solid fill or pixelation — these cannot be reversed at any zoom level.
- JPEG compression can make blurred text partially readable again. Never use light blur on API keys or tokens.
- Check the address bar, active tabs, and browser profile — credentials often appear outside the main content area.
- Redact before you style or export. Once a screenshot leaves the browser unredacted, it is hard to contain.
Why credentials end up in screenshots
Most credential leaks via screenshots are not careless — they are invisible. A developer copies a curl command from their terminal and screenshots the shell. A QA engineer screenshots a failing API request in the browser's network panel. A product manager shares a screenshot of the dashboard settings page that has a webhook secret sitting in the UI.
The screenshot looks fine at a glance. The main content is what they meant to share. The credential is a detail in a panel they were not focused on.
Common places credentials appear in screenshots without being noticed:
- Browser address bar (auth tokens appended to URLs)
- Network panel request headers or query parameters
- Settings pages showing API keys, webhook secrets, or connection strings
- Terminal output visible behind the browser window
- Environment variable editors or .env file previews
- Log viewers showing authenticated requests
Why blur is not enough for credentials
Blur is useful for hiding low-risk details like names or support ticket IDs where the goal is to soften the visual without completely removing the information. For credentials, it is the wrong tool.
Two reasons:
- Blur can be reversed or enhanced. A light Gaussian blur over text can sometimes be partially reconstructed using image sharpening filters, especially if the font is monospace and the blurred area is small — which is exactly what most API keys look like.
- JPEG compression degrades blur unpredictably. When a blurred screenshot gets saved as a JPEG or compressed in a Slack upload or email attachment, compression artifacts can interact with the blur in ways that make underlying characters more visible at certain zoom levels.
For API keys, tokens, passwords, and connection strings: use solid fill or pixelation. The goal is that nothing readable survives at any zoom level or compression level.
Solid fill: best for credentials
Replaces the sensitive area with a solid block. No underlying information survives. Use this for API keys, tokens, passwords, and connection strings.
Pixelation: good for most secrets
Makes the masked area clearly intentional and unreadable. Slightly more visible than solid fill. A safe choice when you also want the viewer to know something was there.
Blur: not for credentials
Appropriate for names, support IDs, and background UI details. Do not use blur on API keys, tokens, or passwords — it is not reliably safe after compression.
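The difference between solid fill and light blur can be checked directly. This is an added example, not FramedShot's code: it masks two different constructed "secrets" the same way and counts the pixels that still differ afterwards. The image size, the bit patterns and the horizontal box blur (a simple stand-in for Gaussian blur) are assumptions made for the illustration.

```javascript
const W = 24, H = 8; // constructed grayscale image, stored as a flat buffer (no canvas needed)
const SECRET_RECT = { x: 4, y: 2, w: 16, h: 4 }; // where the constructed "key" is drawn

// Constructed input: white background, one dark column per "1" bit. Two different
// bit strings stand in for two different secrets rendered at the same position.
function render(bits) {
  const img = new Uint8Array(W * H).fill(255);
  for (let i = 0; i < bits.length; i++) {
    if (bits[i] !== "1") continue;
    for (let y = SECRET_RECT.y; y < SECRET_RECT.y + SECRET_RECT.h; y++) img[y * W + SECRET_RECT.x + i] = 0;
  }
  return img;
}

// Solid fill: overwrite every pixel of the rectangle, grown by `pad` on each side.
function solidFill(img, rect, pad = 1) {
  const out = Uint8Array.from(img);
  const x0 = Math.max(0, rect.x - pad), x1 = Math.min(W, rect.x + rect.w + pad);
  const y0 = Math.max(0, rect.y - pad), y1 = Math.min(H, rect.y + rect.h + pad);
  for (let y = y0; y < y1; y++) out.fill(0, y * W + x0, y * W + x1);
  return out;
}

// Light blur: each pixel in the rectangle becomes the mean of its horizontal neighbours.
function boxBlur(img, rect, radius = 2) {
  const out = Uint8Array.from(img);
  for (let y = rect.y; y < rect.y + rect.h; y++) {
    for (let x = rect.x; x < rect.x + rect.w; x++) {
      let sum = 0;
      for (let dx = -radius; dx <= radius; dx++) {
        sum += img[y * W + Math.min(W - 1, Math.max(0, x + dx))]; // clamp at image edge
      }
      out[y * W + x] = Math.round(sum / (2 * radius + 1));
    }
  }
  return out;
}

// Mask two different secrets the same way and count the pixels that still differ.
// Zero means the masked images are identical, so nothing of the secret is left to read.
function survivingDifference(mask, bitsA, bitsB) {
  const a = mask(render(bitsA)), b = mask(render(bitsB));
  return a.reduce((n, v, i) => n + (v !== b[i] ? 1 : 0), 0);
}

const A = "1011001110001011", B = "1101010011100101";
console.log("solid fill:", survivingDifference(img => solidFill(img, SECRET_RECT), A, B));
console.log("light blur:", survivingDifference(img => boxBlur(img, SECRET_RECT), A, B));
```

Passing a rectangle that covers only the first half of the value to `solidFill` also returns a non-zero count, because the uncovered columns are untouched.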
Step-by-step: capture, redact, export
- Capture the tab or area. Use FramedShot to capture the browser tab or select a specific area. If the credential is in a small panel, a selection capture reduces the amount of cleanup needed.
- Open the Redact tool. In the editor, go to the Effects tab and select the Redact tool. Choose solid fill or pixelation — not blur.
- Cover all credential fields. Drag over each sensitive field: API keys, tokens, passwords, connection strings, secret values. Make each redaction region slightly larger than the visible text so nothing bleeds out at the edges.
- Scan beyond the main content. Check the address bar (auth tokens in URLs), the active tab title, browser profile name, and any visible panels or sidebars outside the area you intended to share.
- Zoom out and review at export size. Before exporting, zoom out to see the full screenshot as a recipient would. Small redaction gaps are easier to miss when working zoomed in.
- Export directly to your device. The image is processed in-browser and saved to your device from Chrome — it does not pass through an external server.
Common mistakes that leave credentials readable
- Cropping instead of redacting. Cropping removes the edges of a screenshot but does not protect credentials that appear inside the main crop area. A credential in the center of a settings panel will still be visible after a tight crop.
- Covering only part of the key. API keys are often 32–64 characters. Covering the first 8 characters while leaving the rest visible does not protect the credential. Cover the entire value.
- Forgetting the URL bar. OAuth flows, auth callbacks, and some API dashboards append tokens directly to the URL. Check the address bar in every screenshot from authenticated contexts.
- Using blur and saving as JPEG. As above — blur plus JPEG compression is not a safe combination for secrets. If you must use blur for something, export as PNG.
- Redacting after resizing. Redact on the original-resolution capture, then resize for export. Redacting on an already-downscaled image can leave partial pixel data around the masked area.
What to do if you already shared the screenshot
If you catch yourself after the fact:
- Rotate or revoke the credential immediately. That is the priority — not the screenshot. Treat any exposed API key, token, or secret as compromised the moment it leaves your control.
- Delete or replace the shared screenshot where possible (Slack, Notion, Jira, email).
- Check whether the credential was used in the window between sharing and rotating — most API providers log access.
Redacting a screenshot that has already been shared only prevents further spread. It does not undo the exposure. Revoke first.
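One way to run the access-log check from the list above, as an added example that is not part of the original article: it filters a provider's access log down to uses of the exposed key between sharing and rotation and separates out source addresses you do not recognise. The log format, key IDs, timestamps and IP addresses are constructed; real provider logs need their own parser.

```javascript
// Constructed access-log lines in a hypothetical format: time, key id, source IP, request.
const SAMPLE_LOG = [
  "2024-05-02T09:58:11Z key_id=k_live_01 ip=203.0.113.10 GET /v1/orders",
  "2024-05-02T10:07:45Z key_id=k_live_01 ip=203.0.113.10 GET /v1/orders",
  "2024-05-02T10:21:03Z key_id=k_live_01 ip=198.51.100.77 GET /v1/customers",
  "2024-05-02T10:22:40Z key_id=k_test_09 ip=198.51.100.77 GET /v1/customers",
  "not a log line",
  "2024-05-02T10:49:30Z key_id=k_live_01 ip=198.51.100.77 POST /v1/webhooks",
  "2024-05-02T11:05:00Z key_id=k_live_01 ip=198.51.100.77 GET /v1/orders",
].join("\n");

const LINE = /^(\S+) key_id=(\S+) ip=(\S+) (\S+) (\S+)$/;

// Return every use of `keyId` between sharing and rotation, marking uses from
// addresses outside `knownIps` (your own servers, CI, office egress).
function usesInExposureWindow(logText, keyId, sharedAt, rotatedAt, knownIps) {
  const from = Date.parse(sharedAt), to = Date.parse(rotatedAt);
  if (Number.isNaN(from) || Number.isNaN(to) || to < from) {
    throw new RangeError("exposure window needs valid start <= end timestamps");
  }
  const known = new Set(knownIps);
  const hits = [];
  for (const line of logText.split("\n")) {
    const m = LINE.exec(line.trim());
    if (!m) continue; // skip blank or malformed lines
    const [, time, key, ip, method, path] = m;
    const t = Date.parse(time);
    if (key !== keyId || Number.isNaN(t) || t < from || t > to) continue;
    hits.push({ time, ip, method, path, unexpected: !known.has(ip) });
  }
  return hits;
}

// Summarise for the incident note: total uses, and the unexpected ones grouped by source IP.
function summarise(hits) {
  const unexpected = {};
  for (const h of hits) {
    if (h.unexpected) (unexpected[h.ip] = unexpected[h.ip] || []).push(`${h.time} ${h.method} ${h.path}`);
  }
  return { total: hits.length, unexpected };
}

const hits = usesInExposureWindow(SAMPLE_LOG, "k_live_01",
  "2024-05-02T10:05:00Z", "2024-05-02T10:55:00Z", ["203.0.113.10"]);
console.log(JSON.stringify(summarise(hits), null, 2));
```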
FAQ
Is blur safe enough for API keys and tokens?
No. Blur can be partially reversed, especially on short monospace strings after JPEG compression. Use solid fill or pixelation for any credential. For a deeper comparison of redaction methods, see the blur vs redact guide.
Does FramedShot upload the screenshot when I redact?
No. Capture and redaction both happen inside Chrome. The image is processed in-browser and exported directly to your device without being sent to an external server.
Can I redact multiple credentials in one screenshot?
Yes. Each drag creates an independent masked region. Redact as many fields as needed before exporting.
What if I already shared the screenshot?
Rotate or revoke the exposed credential immediately — that is the first step, not editing the image. See the section above for the full response checklist.
Redact credentials in Chrome — no upload required
FramedShot handles capture, redaction, and export in one browser-first workflow. Your screenshots stay in your browser from start to finish.