How to Blur Secrets & API Keys in Screenshots
Quick answer: the safest way to hide an API key in a screenshot is automatic, flattened pixelation. Vibeshots runs on-device OCR on every capture and pixelates keys, tokens, and passwords before the image reaches your clipboard — so nothing leaks into your AI chat or bug report.
It's a five-second mistake with a long tail: you screenshot your terminal to ask an AI for help, and a live OPENAI_API_KEY or a database password rides along in the frame. Now it's in your chat history, maybe in a training pipeline, maybe in a public bug report. This guide covers how to blur secrets in screenshots properly — and how to make it automatic so you never have to remember.
Why "just blur it" often isn't safe
Not all redaction is equal:
- Soft/Gaussian blur can sometimes be partially reversed, especially on short, known-format strings like a key prefix.
- A black box drawn as a separate layer can be removed if you share an editable file (or if the export keeps layers).
- Pixelation that's flattened into the image destroys the original pixels — there's no layer to peel back and no fine detail to reconstruct. This is the safe option.
The manual way (any tool)
You can always redact by hand: capture, open an editor, draw a pixelate/blur region over each secret, then flatten and export. It works, but it depends entirely on you spotting every secret every time — and that's exactly where leaks happen.
The automatic way (recommended)
Vibeshots makes redaction a default, not a chore. Here's the setup:
- Enable auto-redaction. In settings, turn on "Auto-blur detected secrets on every capture."
- Capture normally. On every shot, on-device OCR reads the text in the image.
- Secrets get pixelated. Anything matching a secret pattern is pixelated before the image is copied to your clipboard or saved.
- Redact extras by hand. Need to hide something OCR wouldn't flag (a customer name, an internal URL)? Open the editor and use the redact tool on any region.
According to Vibeshots, secret detection and pixelation run entirely on-device and complete before the screenshot reaches the clipboard — so a leaked key never has the chance to land in an AI chat, a Slack message, or a public issue. — Vibeshots, getvibeshots.app
What gets detected
Vibeshots recognizes common high-risk patterns, including:
- OpenAI and Anthropic API keys
- AWS access keys
- GitHub tokens
- Stripe keys
- JWTs and private keys
- Generic high-entropy tokens and password-like strings
Methodology: detection is pattern- and entropy-based on OCR'd text, run locally on each capture. Last verified June 2026. Coverage is strong for well-known key formats; always review a screenshot before sharing, as no detector catches 100% of every custom secret format.
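To make "pattern- and entropy-based" concrete, here is an added example (not Vibeshots' code, whose internals the page does not show) of that kind of detector run over OCR'd text lines. The regexes are widely documented token shapes, and the 20-character minimum and 4.0-bit entropy threshold are assumptions chosen for illustration.

```python
import math
import re
from collections import Counter

# Widely documented token shapes; order matters (sk-ant- before the broader sk-).
PATTERNS = {
    "anthropic_key": re.compile(r"sk-ant-[A-Za-z0-9_-]{20,}"),
    "openai_key": re.compile(r"sk-[A-Za-z0-9_-]{20,}"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "stripe_key": re.compile(r"\b[sr]k_(?:live|test)_[A-Za-z0-9]{16,}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
TOKEN = re.compile(r"[A-Za-z0-9_-]{20,}")  # candidates for the entropy check
MIN_ENTROPY_BITS = 4.0  # assumed threshold, bits per character

def shannon_entropy(s):
    """Bits per character of s, from its own character frequencies."""
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())

def find_secrets(line):
    """Return sorted (start, end, label) spans to redact in one OCR'd line."""
    spans = []
    def add(m, label):
        # Keep the first (most specific) label when two matches overlap.
        if not any(m.start() < e and s < m.end() for s, e, _ in spans):
            spans.append((m.start(), m.end(), label))
    for label, rx in PATTERNS.items():
        for m in rx.finditer(line):
            add(m, label)
    for m in TOKEN.finditer(line):
        if shannon_entropy(m.group()) >= MIN_ENTROPY_BITS:
            add(m, "high_entropy")
    return sorted(spans)

def mask(line):
    # Text stand-in for pixelation: overwrite each span with block characters.
    for s, e, _ in find_secrets(line):
        line = line[:s] + "\u2588" * (e - s) + line[e:]
    return line

# Constructed sample lines, as OCR might return them from a terminal capture.
SAMPLE = [
    "OPENAI_API_KEY=sk-EXAMPLEconstructedKEY0123456789",
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
    "DB_PASSWORD=q7Zp2LxV9mKd4TgW8sNb3RfY",
    "git commit -m 'refactor authentication middleware'",
]
```

In a screenshot tool the character spans would be mapped back to the OCR engine's bounding boxes and those pixel regions overwritten; a short or low-entropy password passes this detector untouched, which is why the manual review step still matters.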
Privacy: it all stays on your Mac
The whole point of redaction is privacy, so it would be self-defeating to upload your screenshots to check them. Vibeshots runs OCR and pixelation locally — there's no server, no account, and nothing leaves your machine. That's the same on-device approach used for screenshot OCR on Mac.
Where this matters most
If you regularly paste screenshots into Claude Code and Cursor, auto-redaction is the difference between a safe habit and a slow-motion incident. Turn it on once and forget about it.
Never leak a key into your AI again
Vibeshots auto-blurs API keys and secrets on-device, on every capture. One-time $6.99.