Free · No Signup

Hide API Key Screenshot

Black out tokens before GitHub issues, tweets, and slide decks.

🔒 No upload · Runs in your browser · Instant download

A one-line `.env` capture can leak production keys to search engines when pasted into a public forum. Black boxes over key material are mandatory before any outward share.

HideShot edits locally so keys are not duplicated on a cloud GPU—rotate the credential after exposure even if you redact quickly.

Mode
Shape

Drop your terminal or dashboard screenshot

Or click to browse · Paste with Ctrl+V also works

PNG · JPG · WebP · GIF
How It Works
1

Upload

Drop your image in or paste from clipboard.

2

Pick Mode

Black Box, Blur, or Pixelate.

3

Select Areas

Rectangle, oval, or freehand lasso — then hide what you selected.

4

Download

Hit Download PNG. Done.

Hiding API keys means making them invisible in the version you share, even when the original photo or screenshot still exists on your device. On this page you'll hide an API key that typically appears in a Postman or Insomnia panel showing the Authorization header or a Postman or Insomnia panel showing the Authorization header. The fields that need attention usually include an OpenAI or Anthropic API key and an OpenAI or Anthropic API key — and any nearby context that helps a reader reconstruct them. Getting this right matters because exposed api keys are scraped from public images within minutes by automated bots that scan github, discord, and tutorial sites.

People who reach this page are usually in one of three positions. The first is content creators recording a coding tutorial. The second is content creators recording a coding tutorial. The third is support staff who screenshot a customer's dashboard to investigate an issue. In all three, the screenshot or photo isn't the point — the work that needs to happen around it is — and hiding an API key cleanly is the unblocking step between 'I shouldn't share this yet' and 'okay, sending'. HideShot is built specifically for that gap: drag, mark, download, get on with the rest of your day.

What to Redact — and Why It Matters

The first job is to inventory what's actually visible. For an API key, the high-priority fields are any associated account ID or project ID printed next to the key, any associated account ID or project ID printed next to the key, and the Authorization header value in a request panel. Less obvious but equally important is the key prefix (e.g., sk_live_, AKIA, ghp_) which identifies the provider — it's the one most people forget on the first pass, and it tends to be the field that re-identifies everything you carefully covered above. Walk down the image once with a checklist mindset, marking each instance you find. If a key is visible in any screenshot you've already posted publicly, rotate it now — redaction tools cannot un-leak a key that has already been seen. After rotation, replace the screenshot.

The reason this matters is concrete. keys are often long-lived — even one screenshot from a year ago can still be active and exploitable today. That pattern is documented in fraud and harassment cases — not hypothetical. The two-minute redaction step you take before sharing is the single highest-leverage privacy move available for this kind of content.

HideShot handles an API key entirely inside your browser. The image is loaded from your device into a local canvas; the redaction tools draw on that canvas; the exported PNG is generated by your browser's own rendering code. Nothing about the source file is transmitted to any HideShot server, because there isn't one in the path — the page is static, the JavaScript runs locally, and the only network traffic during the redaction itself is the page load that happened before you uploaded anything. For hide api key screenshot, that means the original never leaves your machine, the redacted version is generated locally, and you can use the tool with Wi-Fi turned off if you want to prove it to yourself.

Step-by-Step: How to Hide An Api Key with HideShot

  1. Open the HideShot canvas above and drop your image directly onto it, or click the upload area and select the file. The image loads locally — your browser reads it from disk, no upload happens.
  2. Zoom in until an API key fills enough of the canvas for you to draw precisely around it. Precision matters: a generous margin protects you against character-edge bleed, but too generous and you cover useful context.
  3. Select API keys with the rectangle or lasso tool. Choose 'Blackout' to cover them with an opaque block.
  4. Sweep the rest of the image for the indirect leaks listed above — any associated account ID or project ID printed next to the key, any associated account ID or project ID printed next to the key, and anything in the surrounding chrome (URL bar, sidebar, timestamps) that could help a reader reconstruct what you just covered.
  5. Download the finished PNG. The export is a flattened image: the redacted pixels are baked in, the original pixels under your black blocks are gone, and the file is safe to share through whatever channel you were planning.

Common Mistakes When Hiding An Api Key

Cropping the key out of view instead of redacting it, then posting the screenshot alongside the original. Cropping is reversible if the original lives anywhere. Flatten the redaction into the export and delete the original draft. Treat every key exposure as a credential leak, even if the key was 'never used'.

Trusting masking from the provider dashboard. Many dashboards print the full key once at creation and you screenshotted that moment. Creation screens often display the full key as a one-time reveal. If the screenshot was taken then, the full secret is in the file. Rotate the key whenever a screenshot is shared, even if you also redacted it — assume the unredacted pixels were captured somewhere.

Black Out vs Blur vs Pixelate — Which to Use

For hide api key screenshot, the three options behave differently. Blur is fast and visually soft, but at small radii the original shape of API keys survives well enough for OCR or human reconstruction at 2x zoom. Pixelation breaks API keys into colored blocks — at 12-16 pixel block size it defeats both human reading and modern depixelation models, and it's the right choice when you want visible 'something was here' without revealing the data. Black-out (solid opaque block) is the strongest option: there is no signal under the block to reconstruct, and reviewers immediately understand the field was intentionally hidden. Hiding API keys with a solid block is the most reliable choice. Blur reads as softer but allows reconstruction at low radii.