How to blur API keys in screenshots before you tweet (or get fired)
If you've ever screenshotted your terminal, posted a video walkthrough, or sent a customer a Loom of your dashboard — there's a non-trivial chance you've shared an API key without realizing it. The cost ranges from "awkward Slack message from your CTO" to "$40,000 in unauthorized OpenAI usage".
This guide covers three ways to redact API keys in screenshots, ranked from slowest to fastest. The fastest takes one keystroke and works on any webpage.
Why API keys leak so often
API keys leak in screenshots because they're embedded in places we don't think to check:
- Terminal screenshots — visible OPENAI_API_KEY=sk-proj-... in .env output, history, or accidental echo $VAR
- Browser dev tools — Authorization headers in the Network tab, set-cookie values in Storage
- SaaS admin panels — many tools display the key once at creation and you screenshot for your team's records
- Demo videos — keys sit in URLs, panels, sidebars while you talk about something else
Once a key hits Twitter, GitHub, or a customer's inbox, you have minutes — sometimes seconds — before automated scrapers find it. Rotation is the only fix once it's leaked; redaction is the only prevention.
Method 1: macOS Preview (slow but free)
If you only need to redact occasionally, macOS Preview's Mark Up tool will get the job done.
- Take the screenshot (Cmd+Shift+4)
- Open it in Preview
- Click the Mark Up icon (the pencil-tip icon in the toolbar)
- Click the rectangle tool, draw over the key
- Set fill to solid black, stroke to none
- Save
Time per redaction: 30–45 seconds. Catch: only works on still images, not videos. Risk: in a flattened export the underlying pixel data is gone (good), but if you accidentally export the unflattened version, the rectangle can be removed.
Method 2: Dedicated screenshot apps (medium speed)
Tools like CleanShot X, Skitch, and Annotate add a blur tool to your screenshot workflow.
- Take the screenshot through the tool's hotkey
- The editor opens with a blur tool in the toolbar
- Drag a rectangle over the key
- Save / export
Time per redaction: 10–15 seconds. Catch: $29 for CleanShot X, you have to open the editor every time, and you're redacting after the screenshot — which means the original frame still has the unredacted data.
For screen recordings this is a worse story: you can't go back and blur a single frame after the fact without re-rendering the whole video.
Method 3: Chrome extension before screenshot (the fast way)
The fastest path is to redact before the screenshot — directly on the webpage, in the browser. The advantages:
- One keystroke replaces three seconds of editor work
- Works for screenshots and screen recordings (the unredacted state is never on screen)
- No editor to open, no flatten step
This is what RedactPro does. Step-by-step:
- Install RedactPro from the Chrome Web Store
- Pin it to your toolbar
- Open the page with the API key visible
- Click the RedactPro icon → click "Click an element to redact"
- Click the API key → it blurs instantly
- Take your screenshot
Time per redaction: 2–3 seconds. Cost: free for occasional use (3 redactions per page on the free tier). From $4.99/mo (or $79 lifetime) for unlimited.
Bonus: auto-detect every API key on the page
Manual redaction is fine when you remember to do it. The real risk is the key you forgot was visible. RedactPro Pro's auto-detect feature solves this with one keystroke:
- Press Alt+Shift+E
- RedactPro scans every text node on the page
- It finds and redacts every match for 11 patterns:
  - Email addresses: [email protected]
  - OpenAI API keys: sk-proj-aBcDeF1234...
  - Anthropic API keys: sk-ant-api03-...
  - GitHub PATs: ghp_aBcDeFgHiJkLm...
  - AWS access keys: AKIAIOSFODNN7EXAMPLE
  - Slack tokens: xoxb-1234567890-...
  - JWTs: eyJhbGciOiJIUzI1NiI...
  - IPv4 addresses: 192.168.42.183
  - Credit cards: 4242 4242 4242 4242
  - Social Security numbers: 123-45-6789
  - UUIDs: 9b2fc3c7-1f4a-4b2c...
One keystroke, eleven categories, every match on the page redacted at once. This is the feature most users buy Pro for.
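How a text-node scan of this kind can work, as an added example that is not RedactPro's code: it covers seven of the categories above, and the regexes, labels and function names (PATTERNS, redactText, redactPage) are assumptions made for illustration. Card numbers are Luhn-checked so ordinary digit runs are left alone.

```javascript
// Added example; illustrative patterns (assumptions). Specific prefixes first.
const PATTERNS = [
  ["anthropic_key", /\bsk-ant-[A-Za-z0-9_-]{20,}/g],
  ["openai_key", /\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}/g],
  ["github_pat", /\bghp_[A-Za-z0-9]{36}\b/g],
  ["aws_access_key", /\bAKIA[0-9A-Z]{16}\b/g],
  ["slack_token", /\bxox[abprs]-[A-Za-z0-9-]{10,}/g],
  ["jwt", /\beyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g],
  ["credit_card", /\b(?:\d[ -]?){12,18}\d\b/g, luhnValid],
];
// Constructed sample: fake key, a Luhn-valid test card, a Luhn-invalid number.
const SAMPLE = "KEY=sk-proj-" + "a".repeat(24) +
  " card 4242 4242 4242 4242 order 1234 5678 9012 3456";

// Luhn checksum: keeps order numbers and timestamps from being flagged as cards.
function luhnValid(candidate) {
  const digits = candidate.replace(/\D/g, "");
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) d = d * 2 > 9 ? d * 2 - 9 : d * 2;
    sum += d;
  }
  return sum % 10 === 0;
}

// Replace every match with a fixed-width marker so the mask leaks no length.
function redactText(text) {
  const hits = [];
  let out = text;
  for (const [label, regex, validate] of PATTERNS) {
    out = out.replace(regex, (match) => {
      if (validate && !validate(match)) return match;
      hits.push(label);
      return "[REDACTED]";
    });
  }
  return { text: out, hits };
}

// Browser only: rewrite text nodes in place. Values held in <input> fields,
// attributes, canvas or images are not text nodes and are NOT covered.
function redactPage(root) {
  const walker = document.createTreeWalker(root, NodeFilter.SHOW_TEXT);
  let count = 0;
  for (let node = walker.nextNode(); node; node = walker.nextNode()) {
    const { text, hits } = redactText(node.nodeValue);
    if (hits.length) { node.nodeValue = text; count += hits.length; }
  }
  return count;
}
```

A secret split across several elements (for example by syntax highlighting) spans more than one text node, so a per-node scan like this will miss it.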
What does NOT count as redacting
A few common mistakes worth flagging:
- Lowering the resolution — a quick photo edit to "make it small" still preserves the key in the underlying image. tesseract and similar OCR tools recover it in seconds.
- "Hiding" by changing color to match background — copy-pastable in any PDF / screenshot. Redaction must remove the data, not the appearance.
- Cropping near the key — Twitter, Slack, and Notion all preserve the original image and may expose cropped-off content depending on the tool. Use only as a complement to actual redaction, never alone.
- Blurring after the screen recording is done — every unblurred frame is still in the original recording. If you're sharing the original .mp4, you've leaked the key.
All three methods above (Preview, dedicated apps, RedactPro) replace pixels with opaque content, which is what you want. Just don't shortcut to "blur" with a soft visual filter that's still readable.