
API keys, tokens, and passwords in screenshots — redact before you share

Redacting API keys and credentials in screenshots means masking the exact pixel region where a secret appears, with solid fill rather than blur, before the image is shared in a ticket, Slack message, or doc. A blur keeps a transformed copy of the original pixels and can sometimes be reversed; solid fill replaces them, so there is nothing left to recover. Credentials appear in predictable places: network panels, URL query strings, terminal output, and config file views during screen recording or capture.

Narrow, technical guide: where secrets show up in dev captures (network panel, URL bar, terminals), why blur is the wrong default for credentials, and how to mask with solid fill or pixelation in FramedShot — all in Chrome, with no upload step for editing.

Updated April 11, 2026. 6 min read. For developers, QA, and security-minded support.

For emails, customer fields, and mixed screenshots — not only secrets — use the full screenshot redaction guide. Ready to mask now? Chrome redaction tool — add in one click.

Figure: a developer dashboard with API key, database URL, and session token fields covered by solid blocks. API keys, tokens, and connection strings are redacted before the screenshot leaves the browser, so nothing sensitive travels with the image.

Key takeaways

  • Secrets get solid fill, or coarse pixelation as a second choice; never blur, light or heavy. For per-field tradeoffs, see blur vs pixelate vs solid fill — which to use.
  • Scan DevTools, URL bar, tabs, and env panels — not only the main panel you meant to show.
  • Redact before export; revoke leaked keys first if something already went out.

Where it leaks

Headers, tokens, and env values in one frame

Illustrative example with fabricated values: network and config rows like these are common in dev captures. Mask each region. Use solid fill for the Authorization header and key material; use pixelation only where viewers need to see that something was hidden, and then with blocks coarse enough that no character shape survives.

This page stays on credentials. For order of operations and export checks, follow the step-by-step screenshot redaction workflow.

Why credentials end up in screenshots

Most credential leaks via screenshots are not careless — they are invisible. A developer copies a curl command from their terminal and screenshots the shell. A QA engineer screenshots a failing API request in the browser's network panel. A product manager shares a screenshot of the dashboard settings page that has a webhook secret sitting in the UI.

The screenshot looks fine at a glance. The main content is what they meant to share. The credential is a detail in a panel they were not focused on.

Common places credentials appear in screenshots without being noticed:

  • Browser address bar (auth tokens appended to URLs)
  • Network panel request headers or query parameters
  • Settings pages showing API keys, webhook secrets, or connection strings
  • Terminal output visible behind the browser window
  • Environment variable editors or .env file previews
  • Log viewers showing authenticated requests
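A text-side check for the places listed above, added here as an example and not code from this page or from FramedShot: before you capture a terminal, env viewer, address bar, or log pane, run the visible lines through a small scanner that flags the shapes credentials take in those places (Authorization headers, passwords in connection URLs, sensitive name=value pairs in queries, fragments and env files, JWTs) and masks them the way solid fill does, with a fixed marker rather than a length-preserving one. The sample lines, key names, and the rule set are constructed for illustration and are not a complete secret-detection ruleset.

```python
import re

# Constructed examples of lines that end up in dev captures (terminal, .env
# viewer, address bar, request log). Every key, token and password is fabricated.
SAMPLE_LINES = [
    'curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.c2lnbmF0dXJl" https://api.example.com/v1/me',
    "DATABASE_URL=postgres://app:S3cretPassw0rd@db.internal:5432/prod",
    "https://app.example.com/oauth/callback?code=4AX4XfWhFAKE&state=abc123",
    "https://app.example.com/#access_token=ya29FAKEtoken123&token_type=bearer&expires_in=3600",
    "GET /api/orders?api_key=a1b2c3d4e5f60718293a4b5c6d7e8f90 HTTP/1.1 200",
    "export STRIPE_SECRET=sk_live_FAKE0123456789abcdef",
    "2026-04-11T10:02:33Z INFO request_id=7f3a9c status=200 dur_ms=12",
]

# Parameter / variable names whose values are credentials. The anchors matter:
# "access_token" and "id_token" match, "token_type" does not.
SENSITIVE_NAME = re.compile(
    r"(?i)(secret|passw|api[_-]?key|key$|token$|credential|session|signature|^code$)"
)

# Each rule captures the secret in the named group "value"; the third rule also
# captures the name so it can be checked against SENSITIVE_NAME.
RULES = [
    ("Authorization header",
     re.compile(r"(?i)authorization\s*:\s*(?:bearer|basic|token)?\s*(?P<value>[^\s\"']+)")),
    ("password in URL userinfo",
     re.compile(r"[A-Za-z][A-Za-z0-9+.-]*://[^/\s:@]+:(?P<value>[^/\s@]+)@")),
    ("sensitive assignment or query parameter",
     re.compile(r"(?<![\w.-])(?P<name>[A-Za-z_][A-Za-z0-9_.-]*)=(?P<value>[^\s&\"'#;,]+)")),
    ("JWT",
     re.compile(r"\b(?P<value>eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)")),
]


def find_secrets(line):
    """Return [(kind, value)] for every credential-looking value in one line.
    A value matched by several rules (a bearer JWT) is reported once."""
    found, seen = [], set()
    for kind, pattern in RULES:
        for m in pattern.finditer(line):
            if "name" in m.groupdict() and not SENSITIVE_NAME.search(m.group("name")):
                continue
            value = m.group("value")
            if value not in seen:
                seen.add(value)
                found.append((kind, value))
    return found


def mask(line):
    """Text analogue of solid fill: replace each value with a fixed marker.
    The marker does not preserve length, so the key's length is not leaked either."""
    masked = line
    # Longest values first so a short value that is a substring of a longer
    # one cannot break the longer replacement.
    for _, value in sorted(find_secrets(line), key=lambda kv: len(kv[1]), reverse=True):
        masked = masked.replace(value, "[REDACTED]")
    return masked


def scan(lines):
    """Pre-capture check: (line number, kind, value) for everything that must be
    masked before these lines appear in a screenshot."""
    return [(n, kind, value)
            for n, line in enumerate(lines, 1)
            for kind, value in find_secrets(line)]


if __name__ == "__main__":
    for n, kind, value in scan(SAMPLE_LINES):
        print(f"line {n}: {kind}: {value[:6]}...")
    print("--- masked ---")
    for line in SAMPLE_LINES:
        print(mask(line))
```

The scanner is deliberately biased toward false positives: a flagged value that turns out to be harmless costs a glance, while a missed one costs a key rotation. Note that the OAuth `state` parameter in the callback line is not flagged, but the authorization `code` is.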

Why blur is not enough for credentials

Blur is useful for hiding low-risk details like names or support ticket IDs where the goal is to soften the visual without completely removing the information. For credentials, it is the wrong tool.

Two reasons:

  1. Blur is reversible in practice. A Gaussian or box blur is a deterministic, linear transform of the pixels underneath: the information is spread out, not removed. For a short string in a known monospace font, which is exactly what an API key in a terminal or DevTools pane looks like, an attacker can render candidate characters, blur them with the same kernel, and compare against the blurred region until the match is found; sharpening and deconvolution filters do the same job less precisely.
  2. Blur strength is judged by eye, usually on a zoomed-out preview. A blur that looks opaque in the editor can still carry enough signal at full resolution to reconstruct short strings. Saving the result as JPEG adds compression noise on top but does not remove that signal, so the export format is not a control either way.

For API keys, tokens, passwords, and connection strings: use solid fill, or pixelation with blocks coarse enough that no character shape survives. The goal is that nothing readable survives at any zoom level or compression level. Pixelation is a weaker form of the same problem: each block's value is still a function of the ink underneath, and short strings in a known font have been recovered from coarse pixelation, so default to solid fill when unsure. Blur-vs-pixelate tradeoffs for non-secret fields live on blur vs pixelate vs solid fill — which to use.
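To make the first reason concrete, here is an added example, not code from this page or from FramedShot: a toy 3x5 pixel font for hex characters stands in for a terminal font, a box blur stands in for the editor's blur, and a brute-force matcher recovers the text from the blurred image by blurring each candidate glyph the same way and keeping the closest match. The same harness counts how many of the 16 glyphs remain distinguishable after blur, after 4-pixel pixelation, and after solid fill. The font, image layout, and blur radius are assumptions; a real attack swaps in the actual font and kernel.

```python
# Constructed 3x5 glyphs for the hex alphabet ("1" = ink, "0" = background).
# This toy font stands in for a real monospace terminal font.
GLYPHS = {
    "0": ("111", "101", "101", "101", "111"), "1": ("010", "110", "010", "010", "111"),
    "2": ("111", "001", "111", "100", "111"), "3": ("111", "001", "111", "001", "111"),
    "4": ("101", "101", "111", "001", "001"), "5": ("111", "100", "111", "001", "111"),
    "6": ("111", "100", "111", "101", "111"), "7": ("111", "001", "001", "001", "001"),
    "8": ("111", "101", "111", "101", "111"), "9": ("111", "101", "111", "001", "111"),
    "a": ("010", "101", "111", "101", "101"), "b": ("110", "101", "110", "101", "110"),
    "c": ("111", "100", "100", "100", "111"), "d": ("110", "101", "101", "101", "110"),
    "e": ("111", "100", "111", "100", "111"), "f": ("111", "100", "111", "100", "100"),
}
CELL = 4     # 3 glyph columns plus 1 spacing column per character
HEIGHT = 7   # 5 glyph rows plus 1 padding row above and below


def render(text):
    """Rasterise hex text into a grayscale image: a list of rows of floats in 0..1."""
    img = [[0.0] * (CELL * len(text) + 1) for _ in range(HEIGHT)]
    for i, ch in enumerate(text):
        for r, row in enumerate(GLYPHS[ch]):
            for c, bit in enumerate(row):
                img[1 + r][1 + CELL * i + c] = float(bit)
    return img


def box_blur(img, radius):
    """Each pixel becomes the mean of its (2r+1)x(2r+1) neighbourhood (zero outside
    the image). A deterministic linear map: the ink is spread out, not discarded."""
    h, w = len(img), len(img[0])
    area = (2 * radius + 1) ** 2
    out = [[0.0] * w for _ in range(h)]
    for y in range(h):
        for x in range(w):
            out[y][x] = sum(
                img[yy][xx]
                for yy in range(max(0, y - radius), min(h, y + radius + 1))
                for xx in range(max(0, x - radius), min(w, x + radius + 1))
            ) / area
    return out


def pixelate(img, block):
    """Replace every block x block square by its mean. Coarse, but the output is
    still a function of the ink underneath, so some glyphs stay separable."""
    h, w = len(img), len(img[0])
    out = [[0.0] * w for _ in range(h)]
    for y0 in range(0, h, block):
        for x0 in range(0, w, block):
            cells = [(y, x) for y in range(y0, min(y0 + block, h))
                     for x in range(x0, min(x0 + block, w))]
            mean = sum(img[y][x] for y, x in cells) / len(cells)
            for y, x in cells:
                out[y][x] = mean
    return out


def solid_fill(img):
    """Overwrite every pixel with a constant. The output carries no trace of the input."""
    return [[0.0] * len(img[0]) for _ in img]


def distinct_outputs(transform):
    """How many of the 16 single-glyph renders remain distinguishable after
    `transform`? 16 means every glyph is still identifiable; 1 means nothing is."""
    outputs = set()
    for ch in GLYPHS:
        outputs.add(tuple(round(v, 9) for row in transform(render(ch)) for v in row))
    return len(outputs)


def recover_blurred(blurred, n_chars, radius=1):
    """Brute-force 'unblur': for each character slot, blur every candidate glyph
    with the same kernel and keep the closest match. With radius 1 a glyph's own
    three columns do not depend on its neighbours (the spacing column between
    characters is blank), so slots can be solved one at a time; a wider kernel
    needs a joint search over neighbouring slots, not a new idea."""
    candidates = {ch: box_blur(render(ch), radius) for ch in GLYPHS}
    recovered = ""
    for i in range(n_chars):
        def error(ch):
            return sum((candidates[ch][y][1 + j] - blurred[y][1 + CELL * i + j]) ** 2
                       for y in range(HEIGHT) for j in range(3))
        recovered += min(GLYPHS, key=error)
    return recovered


if __name__ == "__main__":
    secret = "deadbeef"   # constructed stand-in for a key fragment
    print("blurred text recovered as:", recover_blurred(box_blur(render(secret), 1), len(secret)))
    for name, fn in [("blur r=1", lambda im: box_blur(im, 1)),
                     ("pixelate 4px", lambda im: pixelate(im, 4)),
                     ("solid fill", solid_fill)]:
        print(f"{name}: {distinct_outputs(fn)} of 16 glyphs still distinguishable")
```

Blur keeps all 16 glyphs apart and the matcher reads the string back exactly; 4-pixel blocks over 3-pixel glyphs collapse them into a handful of classes but not into one, which is why pixelation only counts as redaction when the blocks are much larger than the characters; solid fill leaves one class. Heavier blur only raises the attacker's search cost, it does not change the outcome.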

Quick path in FramedShot (credentials)

  1. Capture or import the tab, region, or file that shows the secret (DevTools, terminal, settings, URL bar).
  2. Annotations tab → Redact / Blur tool → set style to solid fill or pixelate (not blur).
  3. Mask every value — full token, full header, full connection string — then scan tabs and address bar again.
  4. Export PNG and review at full size before Slack or tickets.

For mixed screenshots (PII + secrets + internal URLs), use the step-by-step screenshot redaction workflow so nothing is styled or cropped before masking.

Common mistakes that leave credentials readable

  • Cropping instead of redacting. Cropping removes the edges of a screenshot but does not protect credentials that appear inside the main crop area. A credential in the center of a settings panel will still be visible after a tight crop.
  • Covering only part of the key. API keys are often 32–64 characters. Covering the first 8 characters while leaving the rest visible does not protect the credential. Cover the entire value.
  • Forgetting the URL bar. OAuth flows, auth callbacks, and some API dashboards append tokens directly to the URL. Check the address bar in every screenshot from authenticated contexts.
  • Trusting the export format. Neither PNG nor JPEG makes a blurred secret safe; the format only changes how faithfully the blurred pixels are stored. Export as PNG so mask edges and surrounding text stay crisp for reviewers, and use solid fill, not blur, for the secret itself.
  • Redacting after resizing. Redact on the original-resolution capture, then resize for export. Downscaling blends each character's pixels into its neighbours, so a box drawn on an already-downscaled image at the text's apparent edges can leave a fringe of blended pixels outside the mask.

What to do if you already shared the screenshot

If you catch yourself after the fact:

  1. Rotate or revoke the credential immediately. That is the priority — not the screenshot. Treat any exposed API key, token, or secret as compromised the moment it leaves your control.
  2. Delete or replace the shared screenshot where possible (Slack, Notion, Jira, email).
  3. Check whether the credential was used in the window between sharing and rotating. Most API providers log access per key; look for requests from source addresses or to endpoints the key did not use before the leak, and for attempts that continue after revocation.

Redacting a screenshot that has already been shared only prevents further spread. It does not undo the exposure. Revoke first.
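One way to do step 3, added here as an example and not a FramedShot feature: given a per-key access log export (the line format below is assumed; every provider's differs), split the exposed key's requests into before, during, and after the exposure window and flag in-window requests from source addresses the key never used before the leak. Log lines, key ids, addresses, and timestamps are constructed.

```python
import re
from datetime import datetime, timezone

# Constructed access log in the style a provider's per-key export might use.
# "key" is the provider's id for the key, never the key material itself.
ACCESS_LOG = """\
2026-04-11T09:58:12Z key=ak_7f3a ip=203.0.113.10 GET /v1/orders 200
2026-04-11T10:01:45Z key=ak_7f3a ip=203.0.113.10 POST /v1/orders 201
2026-04-11T10:07:02Z key=ak_7f3a ip=198.51.100.77 GET /v1/customers 200
2026-04-11T10:07:05Z key=ak_7f3a ip=198.51.100.77 GET /v1/customers?page=2 200
2026-04-11T10:09:30Z key=ak_9b12 ip=203.0.113.10 GET /v1/orders 200
2026-04-11T10:12:00Z key=ak_7f3a ip=198.51.100.77 GET /v1/payouts 401
""".splitlines()

LINE = re.compile(
    r"^(?P<ts>\S+) key=(?P<key>\S+) ip=(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d+)$"
)


def parse_ts(s):
    """Parse the assumed 'YYYY-MM-DDTHH:MM:SSZ' timestamp as UTC."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(lines):
    """Turn matching lines into dicts; lines that are not request records are skipped."""
    entries = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = parse_ts(e["ts"])
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def exposure_report(lines, key_id, shared_at, revoked_at):
    """Split one key's requests into before / during / after the exposure window
    and flag in-window requests from addresses the key never used beforehand."""
    mine = [e for e in parse_log(lines) if e["key"] == key_id]
    before = [e for e in mine if e["ts"] < shared_at]
    during = [e for e in mine if shared_at <= e["ts"] < revoked_at]
    after = [e for e in mine if e["ts"] >= revoked_at]
    baseline_ips = {e["ip"] for e in before}
    flagged = [e for e in during if e["ip"] not in baseline_ips]
    return {
        "window_requests": len(during),
        "flagged": [(e["ts"].isoformat(), e["ip"], e["method"], e["path"]) for e in flagged],
        "unfamiliar_sources": sorted({e["ip"] for e in flagged}),
        # Requests after revocation should all fail; their presence shows someone
        # is still holding the old key and trying it.
        "post_revocation_attempts": len(after),
    }


def demo_report():
    """The constructed scenario: screenshot shared at 10:03Z, key revoked at 10:11Z."""
    return exposure_report(ACCESS_LOG, "ak_7f3a",
                           parse_ts("2026-04-11T10:03:00Z"),
                           parse_ts("2026-04-11T10:11:00Z"))


if __name__ == "__main__":
    report = demo_report()
    print(f"requests in exposure window: {report['window_requests']}")
    for ts, ip, method, path in report["flagged"]:
        print(f"  unfamiliar source {ip} at {ts}: {method} {path}")
    print(f"attempts after revocation: {report['post_revocation_attempts']}")
```

The baseline is only as good as the "before" period: if the screenshot went out days ago, traffic in that period may already include the attacker, so widen the comparison to the key's normal usage pattern rather than the hours just before the share. A same-network attacker will also pass an address-only check, which is why the endpoints requested matter as much as the source.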

FAQ

Is blur safe enough for API keys and tokens?

No. Blur spreads the pixels of a secret around rather than removing them, and short monospace strings can be reconstructed from a blurred region whatever format the file is saved in. Use solid fill, or coarse pixelation, for any credential. For method tradeoffs, see when to use blur vs pixelate vs solid fill.

Does FramedShot upload the screenshot when I redact?

No. Capture and redaction both happen inside Chrome. The image is processed in-browser and exported directly to your device without being sent to an external server.

Can I redact multiple credentials in one screenshot?

Yes. Each drag creates an independent masked region. Redact as many fields as needed before exporting.

What if I already shared the screenshot?

Rotate or revoke the exposed credential immediately — that is the first step, not editing the image. See the section above for the full response checklist.

Mask secrets in Chrome, then export

Same-tab workflow for captures that include credentials — no upload-to-edit step.

Add FramedShot to Chrome — free