
Secret Detection

Updated Mar 30, 2026

Automatic detection and masking of sensitive data.

How It Works

XAIO automatically scans chat messages before sending them to detect sensitive data like API keys, passwords, and tokens.

Detected Patterns

  • API Keys — OpenAI (sk-...), Anthropic (sk-ant-...), Stripe (sk_...), Google, AWS
  • Passwords — Keywords such as password, passwort, pw, or secret followed by a value
  • Tokens — Bearer tokens, JWT tokens, access tokens
  • Connection strings — Database URLs with credentials
  • Private keys — RSA/SSH private key blocks

What Happens When Detected

1. A warning dialog appears before the message is sent
2. The detected secrets are highlighted
3. You can choose to:
   - Mask and send — Replace the secret with a placeholder
   - Send anyway — Send the original message (not recommended)
   - Cancel — Don't send the message
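The pattern categories listed under Detected Patterns and the "Mask and send" step above can be illustrated with a small scanner. The following is an added example written for this page; it is not XAIO's own detection code, and the regular expressions, the rule names, and the sample message are constructed here for illustration. It shows the two pieces a pre-send check needs: finding each secret (first matching rule wins, so a more specific prefix such as sk-ant- is not reported twice) and replacing only the sensitive part with a placeholder while leaving the surrounding message readable.

```python
import re
from dataclasses import dataclass

# Ordered rule set, constructed for this example (not XAIO's rules).
# More specific prefixes come first so "sk-ant-" is not also reported as "sk-".
# Rules with a capture group mask only group 1 (e.g. the password inside a DB URL).
PATTERNS = [
    ("ANTHROPIC_API_KEY", re.compile(r"sk-ant-[A-Za-z0-9_-]{16,}")),
    ("OPENAI_API_KEY", re.compile(r"sk-[A-Za-z0-9_-]{16,}")),
    ("STRIPE_API_KEY", re.compile(r"sk_(?:live|test)_[A-Za-z0-9]{16,}")),
    ("GOOGLE_API_KEY", re.compile(r"AIza[0-9A-Za-z_-]{35}")),
    ("AWS_ACCESS_KEY_ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("PRIVATE_KEY", re.compile(
        r"-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----"
        r".*?-----END (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----", re.DOTALL)),
    # Bearer runs before the bare-JWT rule so "Bearer eyJ..." is one finding.
    ("BEARER_TOKEN", re.compile(r"(?i)bearer\s+([A-Za-z0-9._~+/=-]{8,})")),
    ("JWT", re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")),
    ("CONNECTION_STRING", re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis|amqp)://[^:/\s@]+:([^@\s]+)@")),
    # Keyword rule: noisy by design; it flags whatever follows "password:" / "pw=" etc.
    ("PASSWORD", re.compile(r"(?i)\b(?:password|passwort|pw|secret)\b\s*[:=]\s*[\"']?([^\s\"',;]+)")),
]


@dataclass(frozen=True)
class Finding:
    kind: str
    start: int  # span of the value to mask (group 1 when the rule has one)
    end: int


def scan(text: str) -> list[Finding]:
    """Return non-overlapping findings, earliest first; the first rule to claim a span wins."""
    claimed: list[tuple[int, int]] = []
    findings: list[Finding] = []
    for kind, rx in PATTERNS:
        for m in rx.finditer(text):
            start, end = m.span(1 if rx.groups else 0)
            if any(start < e and s < end for s, e in claimed):
                continue  # already covered by a more specific rule
            claimed.append((start, end))
            findings.append(Finding(kind, start, end))
    return sorted(findings, key=lambda f: f.start)


def mask(text: str) -> tuple[str, list[str]]:
    """'Mask and send': replace each finding with a placeholder; also return the kinds found."""
    findings = scan(text)
    out = text
    for f in reversed(findings):  # right to left so earlier offsets stay valid
        out = out[:f.start] + f"<{f.kind}_REDACTED>" + out[f.end:]
    return out, [f.kind for f in findings]


# Constructed sample message; every value in it is fake.
SAMPLE = (
    "Here is my config: OPENAI_API_KEY=sk-abcdefghijklmnopqrstuvwxyz0123\n"
    "password: hunter2hunter2\n"
    "curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.dGVzdHNpZw'\n"
    "DATABASE_URL=postgres://app:s3cr3t-pw@db.internal:5432/app\n"
)

if __name__ == "__main__":
    masked, kinds = mask(SAMPLE)
    print("Detected:", ", ".join(kinds))
    print(masked)
```

The keyword rule is the one to watch in practice: it will flag any token that follows "password:" or "pw=", including harmless words, which is why a warning dialog that lets the user review the highlighted spans before choosing "Mask and send" or "Cancel" is preferable to silent rewriting.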

Best Practices

  • Use the Environment tab for API keys and credentials
  • Tell the AI: "Use the STRIPE_API_KEY environment variable" instead of pasting the key
  • Use different keys for Dev and Prod environments
  • The AI never hardcodes secrets — it always uses environment variable references

Environment Variables

Manage secrets safely in the Environment tab:

  • Separate values for Dev and Prod
  • Variables are injected at runtime, never committed to code
  • Integration-managed variables (like DATABASE_URL) are read-only