Markdown Redaction Tool

Mask emails, tokens, and secrets in Markdown — in your browser

Paste any Markdown snippet, toggle which patterns to redact, and copy a safer version ready to share. Detects emails, IPs, bearer tokens, AWS / Stripe / GitHub secrets, JWTs, UUIDs, phone numbers, and credit-card-shaped digit runs. Nothing leaves your tab.

⚠ Heuristic patterns only — these regexes catch common shapes, not every secret. Always review manually before sharing classified, regulated, or customer-PII content.

How to redact a Markdown document

  1. Paste your content into the left pane, or click Load sample to see what a redacted note looks like.
  2. Pick the categories you want to mask. The pill row at the top shows hit counts per category as you type.
  3. Read the output in the right pane. Every match is replaced with a labeled marker ([REDACTED:email], [REDACTED:bearer], …) so reviewers can tell what kind of content was scrubbed.
  4. Copy redacted when you are ready to share. Always do a final read-through — heuristics can miss things.

When you actually need this

  • Sharing logs in a bug report. Server logs are riddled with internal IPs, request IDs, and bearer tokens that have no business showing up in a public GitHub issue.
  • Asking an LLM for help. Before pasting a snippet into ChatGPT, Claude, or any other AI service, redact customer emails and tokens — even if the provider says they won't train on it, you reduce a real leak surface.
  • Writing post-mortems. Incident write-ups often include credentials accidentally captured in screenshots or transcripts. Run the body through the redactor before publishing internally.
  • Producing public READMEs. Sample curl commands often ship with real API keys instead of placeholders. The tool flags them so you can swap in <YOUR_TOKEN>.
  • Cleaning up exports. Notion, Slack, and Google Docs exports often inline emails and personal names. A quick pass keeps internal docs internal.

What gets masked

| Category | Example match | Replacement |
| --- | --- | --- |
| Email | alice@example.com | [REDACTED:email] |
| IPv4 | 203.0.113.10 | [REDACTED:ipv4] |
| Bearer token | Bearer abc.def.ghi | [REDACTED:bearer] |
| AWS access key | AKIAIOSFODNN7EXAMPLE | [REDACTED:aws-key] |
| Stripe secret | sk_live_AbCd… | [REDACTED:stripe-secret] |
| GitHub token | ghp_AbCd… | [REDACTED:github-token] |
| JWT | eyJhbGc….eyJzdWI…. | [REDACTED:jwt] |
| UUID | 550e8400-e29b-41d4-a716-446655440000 | [REDACTED:uuid] |
| Phone | +1 (415) 555-0143 | [REDACTED:phone] |
| Credit card | 13–19 digit runs | [REDACTED:credit-card] |
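To make the mechanics concrete, here is an added example (not the tool's own code or its actual patterns) of an ordered regex pass with labeled markers, per-category hit counts, and category toggles. The regexes, the assumed token lengths, the `redact` function, and the sample note are all constructed for illustration; the phone category is left out.

```javascript
// Added example: illustrative regexes, NOT the tool's actual patterns.
// Specific shapes run first so "Bearer <jwt>" is labeled once; the broad
// digit-run rule runs last. Token lengths below are assumptions.
const DETECTORS = [
  ["bearer", /\bBearer\s+[A-Za-z0-9._~+\/-]+=*/g],
  ["jwt", /\beyJ[\w-]+\.[\w-]+\.[\w-]+/g],
  ["aws-key", /\bAKIA[0-9A-Z]{16}\b/g],
  ["stripe-secret", /\bsk_(?:live|test)_[A-Za-z0-9]{8,}/g],
  ["github-token", /\bgh[pousr]_[A-Za-z0-9]{36,}/g],
  ["email", /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g],
  ["uuid", /\b[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}\b/gi],
  ["ipv4", /\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b/g],
  ["credit-card", /\b\d{13,19}\b/g],
];
const ALL = DETECTORS.map(([name]) => name);

// Returns the redacted text plus per-category hit counts.
function redact(text, enabled = ALL) {
  const counts = {};
  let out = text;
  for (const [name, re] of DETECTORS) {
    if (!enabled.includes(name)) continue; // category toggled off
    out = out.replace(re, () => {
      counts[name] = (counts[name] || 0) + 1;
      return `[REDACTED:${name}]`;
    });
  }
  return { out, counts };
}

// Constructed sample note reusing the example values from the table above.
const SAMPLE = [
  "## Incident notes",
  "- Reporter: alice@example.com from 203.0.113.10",
  "- Header: `Authorization: Bearer abc.def.ghi`",
  "- Key: AKIAIOSFODNN7EXAMPLE, trace 550e8400-e29b-41d4-a716-446655440000",
  "- Epoch ms timestamp: 1700000000000",
].join("\n");

console.log(redact(SAMPLE).out);
// The 13-digit timestamp is masked as a credit card (a false positive);
// disabling that category keeps it intact:
console.log(redact(SAMPLE, ALL.filter((n) => n !== "credit-card")).out);
```
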

Limitations to know before relying on this

  • Heuristics, not policy enforcement. A motivated attacker can craft strings that bypass these regexes, and a sloppy paste can include shapes that no regex catches (e.g. proprietary access codes).
  • Context-blind. The tool doesn't understand semantics. A username that happens to look like an email format will be masked; a token that looks like a UUID will not.
  • No "undo" tracking. Once you copy the redacted version, the originals are gone. Keep a private copy of the source if you need to refer back.
  • Markdown structure is preserved. Headings, lists, fenced code blocks, and links all remain intact — only the matching substrings inside them change.

Privacy & data handling

  • The redaction engine is a small set of regular expressions compiled and applied client-side.
  • We do not upload, log, or store your input, and we never train on user content.
  • The output is plain Markdown — no scripts, no hidden metadata.

For a deeper safety pass on a final document, run the GFM compliance checklist and the heading auditor before publishing.

Frequently asked questions

What is a Markdown redaction tool?
A Markdown redaction tool scans your text for common sensitive patterns — emails, IP addresses, API tokens, credit card numbers, UUIDs — and replaces each match with a clearly labeled placeholder like `[REDACTED:email]`. It is a quick safety net before pasting logs, transcripts, or draft READMEs into chat or a bug report.

Which patterns does this tool catch?
Built-in detectors for: email addresses, IPv4 addresses, Bearer tokens, AWS access keys (AKIA…), Stripe live and test secret keys (sk_live_/sk_test_), GitHub personal-access tokens (ghp_/gho_/ghu_/ghs_/ghr_), JWT tokens (three base64url segments), UUID v4, phone numbers, and credit-card-shaped digit runs. Toggle any category on or off before copying.

Is my text uploaded to a server?
No. Every regex runs entirely in your browser tab. We don't upload, log, store, or train on your input, which makes the tool safe for incident notes, support tickets, and any text you would not paste into a public site.

Does this replace a real DLP or compliance review?
No — this is a heuristic helper, not a compliance-grade solution. The regexes catch common shapes of secrets and PII but cannot guarantee 100% coverage. For regulated data (HIPAA, PCI, GDPR personal data, classified material), pair this with your organization's official DLP policy and a manual review.

Can it produce false positives?
Yes. The credit-card detector is intentionally aggressive and may flag any 13–19 digit run, so disable that category if you have long timestamps or part numbers in your text. The phone-number detector also matches dates and product IDs in some formats. Toggle categories off when their replacements look wrong.

Why not just delete the sensitive parts manually?
You can — and you should still review the output. The tool is mostly useful when pasting larger blocks (server logs, JSON dumps, transcripts) where eyeballing every email or IP is error prone. The replacement markers also make it obvious to a reader that the content was scrubbed intentionally rather than missing.