JSON Redact

Detect and mask secrets — API keys, tokens, passwords, private keys and emails — in a JSON document before you share it. Keeps the JSON structure and key order intact. Runs in your browser; nothing is uploaded.

Try:
Redacted JSON

About this tool

JSON Redact scans a JSON document and masks the secrets inside it — API keys, tokens, passwords, private keys and emails — so you can paste a config, log line, API response or webhook payload into a bug report, gist or chat without leaking credentials. The JSON structure and key order are preserved; only the detected values change.

It detects secrets two ways, together:

Worked example

Input:

{ "user": "ada", "api_key": "AKIAIOSFODNN7EXAMPLE", "note": "ok" }

Output (default redacted style):

{
  "user": "ada",
  "api_key": "[REDACTED]",
  "note": "ok"
}

api_key is masked by its key name. user and note are left alone (their values don't look like secrets). Run it in a gizza chat or the CLI and you also get a count and the JSON path of every redacted value — here ["$.api_key"].

Replacement styles

Privacy

Everything runs in your browser via WebAssembly — the document is never uploaded to a server. The same logic is available from the gizza CLI and inside a gizza chat.

Limits & edge cases

FAQ

Does my JSON get uploaded anywhere?

No. On this page everything runs locally in your browser through WebAssembly — the document never leaves your device. The gizza CLI and chat run the same pure-Rust logic on your machine.

How does it decide what's a secret?

Two ways at once. First by key name: the key is lowercased and stripped of separators, then matched against markers like password, secret, apikey, token, privatekey, authorization, email, ssn (plus any you add in Extra key names). Second by value pattern — when value scanning is on, a string that matches a known secret shape (JWT, AKIA…, sk-…, ghp_…, sk_live_…, AIza…, xox…, a PEM private-key block, or an email) is redacted even under a harmless key.

Can I keep the field but hide only its length or replace it with null?

Yes — that's the Replacement style. mask writes ***, null writes JSON null, empty writes "", and preserve-length writes * repeated to the value's original character length. Use redacted with a custom placeholder when you want a labelled marker like [REDACTED] or <hidden>.

Why was a non-secret field redacted?

Key-name matching is intentionally broad, so a key that merely contains a marker (for example token_type, csrf_token, or user_email) is masked. That errs on the side of safety. If you need it left alone, rename the field to something without the marker, or turn off value scanning if the trigger was the value rather than the key.

Does it change my JSON's structure or key order?

No. The document is parsed and re-serialized with key order preserved; only the detected values are replaced. Numbers, booleans, arrays and nesting stay as they were, so the redacted output is still valid JSON with the same shape.

Developer & Automation Access

Run it from the terminal

Same engine as this page, headless — via the gizza CLI:

gizza tool json-redact "{"user": "ada", "api_key": "AKIAIOSFODNN7EXAMPLE", "password": "hunter2"}"

New to the CLI? Get gizza →

Open it by URL

Pre-fill and auto-run this tool with query parameters — the names match the API/CLI:

https://gizza.ai/tools/json-redact/?json=%7B%22user%22%3A%20%22ada%22%2C%20%22api_key%22%3A%20%22AKIAIOSFODNN7EXAMPLE%22%2C%20%22password%22%3A%20%22hunter2%22%7D&style=redacted&placeholder=%5BREDACTED%5D&detect_values=true&extra_keys=nickname%2C%20phone

Machine-readable descriptor: tool.json — title + parameters JSON Schema for agents.