TokenCap automatically redacts secrets before writing any file content to disk. Redaction is enabled by default (redactSecrets: true).
Patterns detected and redacted:
- OpenAI API keys:
sk-...→[REDACTED_OPENAI_KEY] - GitHub PATs:
ghp_...,github_pat_...→[REDACTED] - Slack tokens:
xox...→[REDACTED] - AWS access keys:
AKIA...→[REDACTED] - Google API keys:
AIza...→[REDACTED] - Bearer tokens (≥20 chars)
- Generic variable assignments:
api_key=,token=,secret=,password=,passwd=,pwd=
To disable redaction (not recommended for shared snapshots):
json
{ "redactSecrets": false }