# Secret Redaction

## How to access it

Secret Redaction is disabled by default. To enable it, open **Settings** > **Privacy** > **Secret redaction**, or type "Secret Redaction" in the [Command Palette](https://docs.warp.dev/terminal/command-palette) to toggle it.

## How it works

Secret Redaction attempts to detect sensitive data (including secrets, passwords, API keys, and PII) using your list of regex patterns. Any identified secret will be redacted instead of being sent to our servers or any LLM provider. Additionally, Warp Drive will prevent you from saving any secrets in plain text (workflows, MCP servers, prompts, etc.).

Warp ships with a [list of recommended regexes](#secret-regex-list) that you can add to your list. You can also add custom regexes for other secrets you want to include in **Settings** > **Privacy** > **Secret redaction** > **Custom secret redaction**.

## Visually hiding secrets

By default, identified secrets will be displayed with a strikethrough visual treatment, i.e. `echo` ~~`password`~~.

If instead you'd prefer to visually hide the secrets as well, i.e. `echo ********`, the setting to obfuscate secrets with asterisks can be found in **Settings** > **Privacy** > **Secret redaction** > **Hide secrets in blocklist**.

Clicking on a secret will display a tooltip that lets you reveal the secret or copy the secret's contents. When trying to copy terminal output containing secrets, it will be copied as asterisks (e.g. `echo password` becomes `echo ********`) unless revealed or copied from the tooltip. Secret redaction is not applied in [Session Sharing](https://docs.warp.dev/knowledge-and-collaboration/session-sharing/).

## Case sensitivity

Secret redaction regexes are case-sensitive by default (i.e. the regex `password` will not match the text `Password`). If you want a regex to be case-insensitive, you can prepend `(?i)` like so: `(?i)password` to ensure that `PASSWORD`, `Password`, and `password` would all match.

## Secret regex list

Here is a list of the recommended regular expressions that Warp uses to identify secrets:

| Secret Type                               | Regex Pattern                                                                             |
| ----------------------------------------- | ----------------------------------------------------------------------------------------- |
| IP V4 Address                             | `\b((25[0-5]\|(2[0-4]\|1\d\|[1-9]\|)\d)\.?\b){4}\b`                                       |
| IP V6 Address                             | `\b((([0-9A-Fa-f]{1,4}:){1,6}:)\|(([0-9A-Fa-f]{1,4}:){7}))([0-9A-Fa-f]{1,4})\b`           |
| Slack App Token                           | `\bxapp-[0-9]+-[A-Za-z0-9_]+-[0-9]+-[a-f0-9]+\b`                                          |
| Phone Number                              | `\b(\+\d{1,2}\s)?\(?\d{3}\)?[\s.-]\d{3}[\s.-]\d{4}\b`                                     |
| AWS Access ID                             | `\b(AKIA\|A3T\|AGPA\|AIDA\|AROA\|AIPA\|ANPA\|ANVA\|ASIA)[A-Z0-9]{12,}\b`                  |
| MAC Address                               | `\b((([a-zA-z0-9]{2}[-:]){5}([a-zA-z0-9]{2}))\|(([a-zA-z0-9]{2}:){5}([a-zA-z0-9]{2})))\b` |
| Google API Key                            | `\bAIza[0-9A-Za-z-_]{35}\b`                                                               |
| Google OAuth ID                           | `\b[0-9]+-[0-9A-Za-z_]{32}\.apps\.googleusercontent\.com\b`                               |
| GitHub Classic Personal Access Token      | `\bghp_[A-Za-z0-9_]{36}\b`                                                                |
| GitHub Fine Grained Personal Access Token | `\bgithub_pat_[A-Za-z0-9_]{82}\b`                                                         |
| GitHub OAuth Access Token                 | `\bgho_[A-Za-z0-9_]{36}\b`                                                                |
| GitHub User to Server Token               | `\bghu_[A-Za-z0-9_]{36}\b`                                                                |
| GitHub Server to Server Token             | `\bghs_[A-Za-z0-9_]{36}\b`                                                                |
| Stripe Key                                | `\b(?:r\|s)k_(test\|live)_[0-9a-zA-Z]{24}\b`                                              |
| Firebase Auth Domain                      | `\b([a-z0-9-]){1,30}(\.firebaseapp\.com)\b`                                               |
| JSON web token                            | `\b(ey[a-zA-z0-9_\-=]{10,}\.){2}[a-zA-z0-9_\-=]{10,}\b`                                   |
| OpenAI API Key                            | `\bsk-[a-zA-Z0-9]{48}\b`                                                                  |
| Anthropic API Key                         | `\bsk-ant-api\d{0,2}-[a-zA-Z0-9\-]{80,120}\b`                                             |
| Fireworks API Key                         | `\bfw_[a-zA-Z0-9]{24}\b`                                                                  |
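
As an added example (not Warp's code), the sketch below checks a pattern list against constructed sample lines before you add it in Settings, and shows the case-sensitivity behavior described above. It assumes Python's `re` as a stand-in for Warp's regex engine, same-length asterisk masking, and a hypothetical `db_password=` custom pattern.

```python
import re

# Recommended patterns copied from the table on this page. The Markdown table
# escapes alternation as "\|"; it is written as a plain "|" here.
RECOMMENDED = {
    "AWS Access ID": r"\b(AKIA|A3T|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{12,}\b",
    "GitHub Classic Personal Access Token": r"\bghp_[A-Za-z0-9_]{36}\b",
    "Stripe Key": r"\b(?:r|s)k_(test|live)_[0-9a-zA-Z]{24}\b",
}

# Hypothetical custom patterns (not shipped by Warp), with and without (?i).
CUSTOM_SENSITIVE = {"db password": r"\bdb_password=\S+"}
CUSTOM_INSENSITIVE = {"db password": r"(?i)\bdb_password=\S+"}


def redact(text, patterns):
    """Mask every match with asterisks; return (masked_text, matched_names)."""
    matched = []
    for name, rx in patterns.items():
        text, count = re.subn(rx, lambda m: "*" * len(m.group(0)), text)
        if count:
            matched.append(name)
    return text, matched


def leaks(samples, patterns):
    """Return the samples that no pattern matches, i.e. that stay in clear text."""
    return [s for s in samples if not redact(s, patterns)[1]]


# Constructed sample values built from filler characters, not real credentials.
AWS = "AKIA" + "X" * 16
GHP = "ghp_" + "a" * 36
STRIPE = "sk_live_" + "0" * 24
SAMPLES = [
    f"export AWS_ACCESS_KEY_ID={AWS}",
    f"git clone https://{GHP}@github.com/example/repo.git",
    f"curl -u {STRIPE}: https://api.example.test/v1/charges",
    "db_password=hunter2",
    "DB_PASSWORD=hunter2",
]

if __name__ == "__main__":
    for label, custom in (("case-sensitive", CUSTOM_SENSITIVE), ("(?i)", CUSTOM_INSENSITIVE)):
        patterns = {**RECOMMENDED, **custom}
        print(label, "unredacted:", leaks(SAMPLES, patterns))
        for line in SAMPLES:
            print("   ", redact(line, patterns)[0])
```

Any line returned by `leaks` would pass through unredacted under that pattern set; with the case-sensitive custom pattern that is the `DB_PASSWORD=` line.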
