Security

How to Auto-Redact API Keys and Tokens Before Sharing curl Commands

Accidentally sharing an Authorization header in Slack is more common than you'd think. Here's how to make it structurally impossible.

The credential leak problem

You're debugging an API issue. You copy a curl command from DevTools, paste it into Slack to ask a teammate for help, and realize too late that the full Authorization: Bearer eyJhbGci... token went with it.

This happens constantly. GitHub's secret scanning catches tens of thousands of committed tokens per year, but Slack messages, Notion docs, and Jira comments are rarely scanned at all. A token pasted there stays in the search index indefinitely, and unless someone notices it and rotates it, it remains live the whole time.

The DevTools approach (manual, error-prone)

Chrome DevTools' "Copy as cURL" copies the request exactly as captured: every header value, including Authorization and Cookie, plus the full URL and request body. The only way to redact is to edit the pasted command by hand before sharing, which means remembering to do it every time and spotting every secret, including the ones buried in query strings and JSON bodies.

How Shripi handles redaction

Shripi redacts sensitive values before they ever appear in the UI or any export. The redaction happens at capture time, so there's no opt-in step and nothing to remember.

By default, these are redacted:

  • Authorization header — The value is replaced with xxxxxx in the UI and exports
  • Sensitive cookies — Cookie names like sessionid, token, auth, jwt have their values replaced
  • Sensitive query parameters — URL params like api_key, access_token, secret, token
  • Sensitive JSON body keys — Keys like password, secret, private_key

Env var placeholders (Pro): the shareable format

Replacing a token with xxxxxx is safe for sharing, but the resulting curl command won't run as-is. With env var placeholders enabled (Pro), Shripi replaces redacted values with ${VARIABLE_NAME}:

curl -X GET https://api.example.com/users \
  -H "Authorization: Bearer ${Authorization}"

Now the command is both safe to share and runnable: the placeholder sits in double quotes so the shell expands it (in single quotes curl would send the literal text ${Authorization}), and the recipient just needs to export Authorization=your_token in their shell. If the variable is unset, the shell expands it to an empty string and the request goes out with a blank bearer value, so check it is set first. Python exports go further, automatically emitting:

import os
import requests

headers = {
    'Authorization': f'Bearer {os.getenv("Authorization")}'
}
requests.get('https://api.example.com/users', headers=headers)
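On the receiving side, the shared command only works if the variable is actually set, and the failure is silent: in Python os.getenv("Authorization") returns None when it is unset, so the header above would be sent as Authorization: Bearer None. As an added example (not code Shripi emits), here is a small checker that lists the ${NAME} placeholders in a shared command and refuses to expand it when any are missing. The shared command string is constructed for the example.

```python
import os
import re

# ${NAME}: the same placeholder shape the env var export uses.
PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")

# Constructed sample: a shared command in the placeholder format.
SHARED_CMD = (
    'curl -X GET https://api.example.com/users '
    '-H "Authorization: Bearer ${Authorization}"'
)


def placeholders_in(text):
    """Every ${NAME} referenced in a shared command or snippet."""
    return sorted(set(PLACEHOLDER.findall(text)))


def missing_placeholders(text, env=None):
    """Placeholder names that are unset or empty in env (default: the process
    environment)."""
    env = os.environ if env is None else env
    return [n for n in placeholders_in(text) if not env.get(n)]


def expand_placeholders(text, env=None):
    """Fill placeholders from env, or fail before anything is sent.

    Without this check an unset variable becomes an empty string in the
    shell ('Authorization: Bearer ') and None through os.getenv()
    ('Authorization: Bearer None'); both reach the server as a bad request
    that is easy to misdiagnose."""
    env = os.environ if env is None else env
    missing = missing_placeholders(text, env)
    if missing:
        raise KeyError("unset variables: " + ", ".join(missing))
    return PLACEHOLDER.sub(lambda m: env[m.group(1)], text)


if __name__ == "__main__":
    print(placeholders_in(SHARED_CMD))
    print(expand_placeholders(SHARED_CMD, {"Authorization": "example-token"}))
```

The same check applies to the generated Python: prefer os.environ["Authorization"] (which raises KeyError) over os.getenv, or run the snippet through a guard like this before the request is made.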

Custom redaction patterns (Pro)

If your API uses a non-standard header name like X-Api-Key or X-Service-Token, you can add custom auth header name patterns in Settings. Any header whose name matches your regex will be redacted. Header names are case-insensitive on the wire, so make the pattern case-insensitive and anchor it (for example (?i)^x-api-key$) rather than matching a bare substring, which can catch unrelated headers or miss a differently cased copy.
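As an added, stand-alone illustration of the default rules listed earlier and of the custom header patterns above (not Shripi's own code), here is a redactor that walks a curl command token by token and applies the same four categories: auth headers, sensitive cookies, sensitive query parameters and sensitive JSON body keys. An optional placeholder mode emits ${NAME} instead of xxxxxx and double-quotes those tokens so the shell expands them. The set of curl flags handled, the exact name lists and regexes, and the sample command are this example's assumptions.

```python
import json
import re
import shlex
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Default rule set. The categories follow the page's list; the exact name
# lists and regexes are this example's assumption, not the product's.
DEFAULT_HEADER_PATTERNS = (r"(?i)^authorization$",)
SENSITIVE_COOKIE = re.compile(r"(?i)sessionid|token|auth|jwt")
SENSITIVE_PARAM = re.compile(r"(?i)^(api_key|access_token|secret|token)$")
SENSITIVE_JSON_KEY = re.compile(r"(?i)^(password|secret|private_key)$")
MASK = "xxxxxx"

# Constructed sample, the kind of thing "Copy as cURL" produces (values are fake).
SAMPLE_CMD = (
    "curl 'https://api.example.com/users?token=abc123&page=2' "
    "-H 'Authorization: Bearer eyJhbGci.FAKE' "
    "-H 'Accept: application/json' "
    "-b 'sessionid=s3cr3t; theme=dark' "
    "--data-raw '{\"user\":\"bob\",\"password\":\"hunter2\"}'"
)


def _placeholder(name, placeholders):
    """Fixed mask, or a ${NAME} placeholder derived from the field name."""
    if placeholders:
        return "${" + re.sub(r"[^A-Za-z0-9_]", "_", name) + "}"
    return MASK


def _redact_cookie(value, placeholders):
    parts = []
    for pair in value.split(";"):
        name, sep, val = pair.strip().partition("=")
        if sep and SENSITIVE_COOKIE.search(name):
            val = _placeholder("COOKIE_" + name, placeholders)
        parts.append(f"{name}={val}" if sep else name)
    return "; ".join(parts)


def _redact_header(name, value, header_patterns, placeholders):
    if name.lower() == "cookie":
        return _redact_cookie(value, placeholders)
    if any(re.search(p, name) for p in header_patterns):
        # Keep the auth scheme ("Bearer", "Basic") so the shape stays readable.
        scheme, sep, _ = value.partition(" ")
        return (f"{scheme} " if sep else "") + _placeholder(name, placeholders)
    return value


def _redact_url(url, placeholders):
    parts = urlsplit(url)
    query = [(k, _placeholder(k, placeholders) if SENSITIVE_PARAM.match(k) else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query, safe="${}")))


def _redact_json(obj, placeholders):
    if isinstance(obj, dict):
        return {k: _placeholder(k, placeholders) if SENSITIVE_JSON_KEY.match(k)
                else _redact_json(v, placeholders) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_redact_json(v, placeholders) for v in obj]
    return obj


def _shell_quote(tok):
    """Placeholders must end up in double quotes or the shell will not expand them."""
    if "${" not in tok:
        return shlex.quote(tok)
    esc = tok.replace("\\", "\\\\").replace('"', '\\"').replace("`", "\\`")
    esc = re.sub(r"\$(?!\{)", r"\\$", esc)  # only our ${NAME} stays live
    return f'"{esc}"'


def redact_curl(cmd, custom_header_patterns=(), placeholders=False):
    """Return a redacted copy of a curl command line."""
    header_patterns = DEFAULT_HEADER_PATTERNS + tuple(custom_header_patterns)
    toks, out, i = shlex.split(cmd), [], 0
    while i < len(toks):
        t = toks[i]
        if t in ("-H", "--header") and i + 1 < len(toks):
            name, _, value = toks[i + 1].partition(":")
            name, value = name.strip(), value.strip()
            out += [t, f"{name}: {_redact_header(name, value, header_patterns, placeholders)}"]
            i += 2
        elif t in ("-b", "--cookie") and i + 1 < len(toks):
            out += [t, _redact_cookie(toks[i + 1], placeholders)]
            i += 2
        elif t in ("-d", "--data", "--data-raw", "--data-binary") and i + 1 < len(toks):
            body = toks[i + 1]
            try:
                body = json.dumps(_redact_json(json.loads(body), placeholders))
            except ValueError:
                pass  # not JSON: left as-is (form bodies would need their own rule)
            out += [t, body]
            i += 2
        elif t.startswith(("http://", "https://")):
            out.append(_redact_url(t, placeholders))
            i += 1
        else:
            out.append(t)
            i += 1
    return " ".join(_shell_quote(t) for t in out)


if __name__ == "__main__":
    print(redact_curl(SAMPLE_CMD))
    print(redact_curl(SAMPLE_CMD, placeholders=True))
    print(redact_curl("curl https://svc.example/v1 -H 'X-Api-Key: k-123'",
                      custom_header_patterns=[r"(?i)^x-(api|service)-(key|token)$"]))
```

Two things this toy deliberately does not handle, and that a real capture-time redactor has to: form-encoded and multipart bodies, and curl's alternative spellings (-d @file, short options with the value attached such as -HAuthorization:...). Note also that the custom pattern is anchored and case-insensitive, which is the form the Settings regex should take.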