← Back

How to hide an API key in a screenshot

Before you paste that terminal, .env file, error log or dashboard into Slack, a GitHub issue or Stack Overflow: never blur or pixelate the key. Both are reversible, and a key is the easiest thing of all to recover. Cover it with a solid opaque block or a destructive scramble, then export a new flattened image. Do the redaction on your own machine, not in a web tool that has to receive the live secret first. And if the key was ever in a shared image, rotate it. Assume it is already burned.

Why a key is the worst case for a blur

This is the part that makes screenshots of secrets special. A blur or a pixelation does not remove the pixels underneath, it just scrambles them in a way that can be worked backwards. In 2022 Dan Petro at Bishop Fox released Unredacter, a tool that reconstructs pixelated text by rendering each candidate string in the same font, pixelating the guess with the same settings, and matching it against the redacted image, walking along character by character. It builds on an earlier tool, Depix, which solves the block-to-character mapping using a De Bruijn sequence of the font. Petro's advice was blunt: no pixelization, no blurring, no fuzzing.

Those tools do best on short, structured text in a known font, sitting next to plenty of readable characters they can calibrate from. An API key is exactly that and then some. It is short. It is drawn from a known, published character set. It often carries a fixed prefix that tells an attacker the format and narrows the search. It is usually rendered in the same monospace font as the readable text around it in your terminal. A key is not a hard case for these tools, it is close to the ideal one, so a blur over a key is weaker than a blur over anything else. If you want the full picture of what can and cannot be reversed, I wrote can you reverse a blurred or pixelated image.

Which methods actually hide a key

Only two things genuinely hide a secret: a solid, fully opaque block flattened into a fresh file, or a tool that destroys the pixels underneath. Everything else on this list can be undone, and for a key that is not a theoretical risk. Here is how each common method does against a secret specifically.

MethodSafe for a secret?Why
BlurNoObscures without removing. A low-radius blur can be estimated back, and a key is short enough to brute-force.
Pixelate or mosaicNoDeterministic and local, so a solver walks it character by character. Best against exactly the short, known-charset strings a key is made of.
Marker or highlighterNoInk applied below full opacity leaves the key readable when someone pushes brightness and contrast.
Black box on a separate layerNoThe shape sits over intact text. Delete the layer, or select and copy the key straight out of the file.
A web "blur" or "redact" toolNoIt has to receive the full unredacted image, live key and all, before it hides anything. You have uploaded the secret.
Opaque block, exported as a new fileYesThe pixels are painted over and nothing sits on a removable layer. Cover generously so the length does not leak.
A content-independent scrambleYesBlocks are sampled from across the whole region, so the pattern holds no relationship to the characters underneath.

Cover it, flatten it, export a new file

The safe manual route works in Preview, with care. It is the same method I cover in full in how to redact a screenshot on a Mac, applied to a key.

  1. Open the screenshot in Preview and show the Markup toolbar.
  2. Choose the rectangle shape. Preview has no blur or pixelate tool, and that is fine, because you should not use one on a key anyway.
  3. Set its fill to solid black and its opacity to 100 percent, and cover the whole key. Cover a little generously, a bar traced tightly around the string still leaks its length.
  4. Flatten it. Go to File, then Export, and save a fresh PNG. Do not save over the original. Exporting a new file bakes the block into the pixels and drops the editable annotation.
  5. Open the file you are about to send, not the one you edited, and zoom in on the covered area to confirm nothing shows through.

Do the redaction on-device

A web tool that "blurs" or "redacts" a screenshot has a problem it cannot get around: to hide the key, it first has to receive the whole image with the key still in it. You are uploading a live credential to a stranger's server to protect it from everyone else, which is backwards. The same goes for pasting the shot into a chat assistant to "clean it up." Keep the image on the machine it was taken on, redact it there, and the key never travels. This is the whole reason ScrubShot does its work locally.

Rotate the key anyway

Here is the honest part most guides skip. If a live key was ever in an image you shared, no redaction after the fact makes it safe again, because you cannot know who already saw the original. Leaked keys on public repositories are tested by automated bots within minutes, sometimes seconds, and screenshots are no safe harbor: they get indexed, reverse image searched, and run through OCR by the same scrapers. Deleting the message helps but does not undo exposure.

So treat the key as burned. Revoke it in the provider's dashboard, issue a new one with the smallest set of permissions it actually needs, and update your environment variables and secret store. Then check the provider's access logs for use in the window between when you shared the image and when you rotated. Redaction protects the next person who opens the file. Rotation is what actually closes the hole.

The key is rarely the only secret in the frame

The key you noticed is rarely the only secret in the shot. A terminal pane usually shows more than the one line you meant to share: other exported variables, a database connection string, a bearer token in a prior curl command, a hostname. A browser screenshot can carry an auth token in the address bar, a session in a devtools panel, or a second secret in an open tab's title. Before you cover the key and hit send, read the whole frame and redact every credential in it, then rotate anything live that made it into the image.

How ScrubShot handles it

The manual route works but it is fiddly and easy to get half right, so I built ScrubShot to make the safe path the default. Press Fn + Space and it captures the whole screen with ScreenCaptureKit and opens it in an editor. You crop afterwards rather than fighting a drag selection.

The Scrub tool is the part that matters for a key. A normal pixelate sets each block to the average of the pixels beneath it, which is the exact signal Depix and Unredacter exploit. ScrubShot does not do that. It uses what I think of as a content-independent scramble: each mosaic block is filled with the average of a few pixels sampled at random from across the whole selected region, so the block pattern is decoupled from whatever characters sat underneath. It looks like a redaction and keeps the rough colors of the area, but there is no per-block relationship to the key to solve for. It reverses to nothing by design, and the scrub is baked straight into the image, so the original pixels are gone, not hidden on a layer.

From there you can add a marker stroke or a text label, crop, undo with ⌘Z, then Copy and Save. The capture, scrub and share flow makes no network connections, so the key never leaves your Mac in the first place. To be precise, the app does talk to a server for the free-trial check, license activation and update checks, and that request carries a hashed machine identifier and your license key, never any image data. ScrubShot runs on macOS 14 and later, on both Apple Silicon and Intel. Even with all of that, if the key was already shared somewhere else, rotate it.

FAQ

How do you hide an API key in a screenshot?
Cover the key with a solid opaque block, or a tool that destroys the pixels underneath, then export a fresh flattened image rather than saving over the original. Never blur or pixelate a key, both are reversible. Do the redaction on your own machine so the live secret is not uploaded anywhere. Then rotate the key, because if it was ever in a shared image you have to assume it is burned.
Is it safe to blur or pixelate an API key?
No. Pixelation is deterministic and can be reconstructed character by character by tools like Depix and Bishop Fox's Unredacter, and a low-radius blur can be estimated back. A key is the worst possible case for these tools: a short string from a known character set, often in a monospace font next to plenty of readable text. That is exactly what they recover best. Use a solid opaque cover or a destructive scramble instead.
Should I rotate a key that appeared in a screenshot?
Yes. Once a live secret has been in an image posted to Slack, a GitHub issue or Stack Overflow, treat it as compromised and revoke it. Leaked keys on public repositories are tested by automated bots within minutes, sometimes seconds, and screenshots get indexed and run through OCR too. Rotating the key is the only move that actually closes the exposure. A clean redaction just stops the next person seeing it.
Can I use an online tool to blur a secret in a screenshot?
Not for a live secret. A web blur or redact tool has to receive the full, unredacted image, key and all, before it hides anything, so you have handed the secret to a third-party server to protect it from everyone else. Redact on-device instead. If a key did pass through a web tool, rotate it.
Does ScrubShot upload my screenshots?
No. The capture, scrub and share flow makes no network connections, so a screenshot with an API key in it never leaves your Mac. It reaches the network only to check the trial, activate a license and look for updates, and those calls carry a hashed machine identifier and your license key, never image data.

Try it

ScrubShot is a one-time $30 purchase with a seven-day free trial, no account and no card up front. It runs entirely on your Mac.

Get ScrubShot