Guide
How to remove API keys and tokens from screenshots
To remove API keys and tokens from screenshots, identify every visible secret, redact the pixels permanently, review OCR output, and share only after confirming the export is flattened.
Quick answer
To remove API keys and tokens from a screenshot, find every visible secret, black it out permanently, verify the export with a quick text-extraction pass, and only then share. Use a solid blackout, not blur, because a blur keeps enough of the original pixels that the text can sometimes be recovered.
In Captorify, suggested redactions can auto-detect common key formats for you to review, and the blackout is baked into the exported image so the secret is gone from the file you send.
What to check
Secrets show up in more places than the obvious code block. Check terminal output, environment variable panels, network request headers, config files, URLs with tokens in query strings, and anything copied to the clipboard preview.
- Provider keys (Stripe keys, GitHub tokens, AWS access key IDs)
- High-entropy tokens (32+ character random strings)
- Bearer tokens and session cookies in request headers
- Connection strings and passwords in config or .env views
- Tokens embedded in URLs in the address bar
Fake key demo
When documenting the workflow, use a clearly fake key (a dummy value that matches the format but is not a live secret) so you never publish a real one while demonstrating redaction.
This also lets you confirm that suggested redaction detects the pattern and that your blackout fully covers it before you do it for real.
Redaction steps
Open the capture, select the redaction tool, and choose blackout. Review any suggested redactions Captorify flags for key-like patterns, then draw over anything it missed. Cover the entire secret, including any visible prefix or surrounding characters.
Export a flattened image so the redaction is baked in. Do not send a layered or editable source file.
OCR review
As a final check, run text extraction on the redacted export. Captorify does this locally in the browser with on-device OCR (Pro), so the screenshot is not uploaded just to read its text. If the extracted text still contains any part of a secret, the redaction missed something.
A clean OCR pass over the export gives you confidence the blackout actually covered the value.
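As an added example that is not Captorify's code, the Python below performs the OCR-review check by hand for the formats in the "What to check" list: it scans text extracted from the export for known provider formats, for a provider prefix left visible outside the blackout, and for 32+ character high-entropy strings. The provider prefixes are public documentation; the OCR text, key values and entropy threshold are constructed for this example.

```python
import math
import re

# Formats from the guide's checklist; the prefixes are publicly documented.
PROVIDER_PATTERNS = {
    "stripe_key": re.compile(r"\b[sp]k_(?:live|test)_[A-Za-z0-9]{16,}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{20,}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "bearer_token": re.compile(r"(?i)\bBearer\s+[A-Za-z0-9._~+/=-]{16,}"),
    "connection_string": re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s:/@]+:[^\s@/]+@\S+"),
    "url_token": re.compile(r"(?i)[?&](?:access_token|api_key|token|key)=[^\s&]{8,}"),
}
# A prefix left outside the blackout still tells a reader which key leaked.
KNOWN_PREFIX = re.compile(r"\b(?:[sp]k_(?:live|test)_|gh[pousr]_|AKIA)")
# Fallback for the guide's "32+ character random strings".
CANDIDATE = re.compile(r"[A-Za-z0-9_\-+/]{32,}")
ENTROPY_THRESHOLD = 3.5  # bits per char; words and identifiers stay well below

# Constructed OCR text; values are fake (the AWS one is AWS's documentation example).
OCR_BEFORE = """STRIPE_SECRET=sk_test_FAKE0000000000000000EXAMPLE
GITHUB_TOKEN=ghp_FAKE000000000000000000000000EXAMPLE
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
DATABASE_URL=postgres://app:not-a-real-pw@db.internal:5432/prod
> GET /v1/me?access_token=FAKETOKEN12345678 HTTP/1.1
> Authorization: Bearer Q7W3E9R1T5Y2U8I4O6P0ASDFGHJKLZXCVBNM
SESSION=Q7W3E9R1T5Y2U8I4O6P0ASDFGHJKLZXCVBNM"""
OCR_PARTIAL = "STRIPE_SECRET=sk_test_FA\nAWS_ACCESS_KEY_ID=AKIAIO"  # blackout too short
OCR_AFTER = "STRIPE_SECRET=\nGITHUB_TOKEN=\nDATABASE_URL=\n> Authorization:\nSESSION="


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s."""
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def find_secrets(ocr_text: str) -> list[tuple[str, str]]:
    """Return (kind, text) for every key-like value still readable in the OCR output."""
    findings, covered = [], []
    scans = [(k, p, None) for k, p in PROVIDER_PATTERNS.items()] + [
        ("visible_prefix", KNOWN_PREFIX, None),
        ("high_entropy_token", CANDIDATE, lambda t: shannon_entropy(t) >= ENTROPY_THRESHOLD),
    ]
    for kind, pat, accept in scans:
        for m in pat.finditer(ocr_text):
            if any(m.start() < e and m.end() > s for s, e in covered):
                continue  # already reported as part of a more specific match
            if accept is None or accept(m.group(0)):
                findings.append((kind, m.group(0)))
                covered.append(m.span())
    return findings
```

An empty result for the redacted export is the "clean OCR pass" the guide asks for; any `visible_prefix` finding means the blackout stopped short of the key's leading characters.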
Sharing controls
Once the secret is removed, share the flattened export. For anything that still carries residual risk, prefer a Captorify share link (Pro) with a password and expiry over a permanent attachment, so you can revoke access if needed.
Incident boundary
Redacting a screenshot protects future viewers, but it does not undo a leak that already happened. If a real key was ever visible in a sent or posted image, treat it as compromised and rotate it.
Captorify helps you stop exposing the secret going forward; rotation and incident response are still your responsibility.