Get your secret detection running in minutes with Fiddler’s Centor Secret Detection Guardrail. This guide walks you through detecting API keys, credentials, and tokens to prevent sensitive secrets from leaking through your LLM applications.

What You’ll Build

In this quick start, you’ll implement a secret detection system that:
  • Detects ~42 known credential formats (Anthropic, OpenAI, AWS, GitHub, Slack, and more)
  • Catches unknown secrets using Shannon entropy analysis
  • Returns character-level spans so you can locate and redact secrets in your text
  • Provides real-time detection with sub-second latency

Prerequisites

  • Fiddler account with access token
  • Python 3.10+ environment

Overview

Fiddler’s Centor Secret Detection guardrail scans text for credentials before they reach your LLM or get logged, delivering deterministic, low-latency results with no GPU required.

Key Capabilities

  • Pattern-based detection: ~42 known credential formats covering major providers and platforms
  • Entropy analysis: Catches high-entropy strings that match unknown or custom secret formats (labeled as Possible Secret)
  • Character-level spans: Returns start and end offsets for precise redaction
  • Fast: Sub-millisecond detection latency, CPU-only
Step 1: Set Up Your Environment

Configure the Secret Detection Guardrail API:
import requests
import time

# Replace with your actual values
URL = 'https://your_company.fiddler.ai'
TOKEN = 'your_token_here'

# API Configuration
SECRET_DETECTION_URL = f"{URL}/v3/guardrails/secret-detection"
FIDDLER_HEADERS = {
    "Authorization": f"Bearer {TOKEN}",
    "Content-Type": "application/json",
}
Step 2: Define Helper Functions

Create reusable functions for interacting with the API:
def detect_secrets(text: str):
    """
    Detect secrets and credentials in text.

    Args:
        text: Input text to scan

    Returns:
        Tuple of (API response dict, latency in seconds)
    """
    start_time = time.monotonic()

    try:
        response = requests.post(
            SECRET_DETECTION_URL,
            headers=FIDDLER_HEADERS,
            json={"data": {"input": text}},
            timeout=10,  # fail fast instead of hanging the request path if the guardrail is unreachable
        )
        response.raise_for_status()
        return response.json(), (time.monotonic() - start_time)

    except requests.exceptions.RequestException as e:
        print(f"❌ API call failed: {e}")
        return {}, (time.monotonic() - start_time)

def print_detection_results(response, latency):
    """Display detection results in a formatted way."""
    secrets = response.get("fdl_secret_detection_scores", [])

    print(f"\n🔍 Detection Results (⏱️ {latency:.3f}s)")
    print(f"📊 Total Secrets Found: {len(secrets)}\n")

    if not secrets:
        print("✅ No secrets detected.")
        return

    for secret in secrets:
        print(f"🔑 {secret['label']}")
        print(f"   Position: {secret['start']}–{secret['end']}")
        print()

def redact_secrets(text: str, secrets: list) -> str:
    """Apply redactions right-to-left to preserve offsets."""
    for secret in sorted(secrets, key=lambda s: s["start"], reverse=True):
        label = secret["label"].upper().replace(" ", "_")
        text = text[: secret["start"]] + f"[REDACTED {label}]" + text[secret["end"] :]
    return text
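The helper above replaces spans from right to left so that earlier offsets stay valid, which is correct as long as no two spans overlap. If the pattern matcher and the entropy detector ever flag the same characters (an assumption made for this example; the page does not say whether the live API emits overlaps), the inner replacement changes the string before the outer span's end offset is used and the outer slice lands inside the replacement tag. The following added example, not part of the quick start, merges overlapping spans first, prefers a specific label over the generic "Possible Secret", and finishes with a leak check. It runs offline against a hand-built response of the documented shape; the token values are the same dummy formats the quick start uses.

```python
from typing import Dict, List

# Constructed sample text (not from the Fiddler docs); dummy token formats as in the quick start.
GITHUB_PAT = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890"
ANTHROPIC_KEY = "sk-ant-api03-abcdefghijklmnopqrstu"
SAMPLE_TEXT = f"token {GITHUB_PAT} and key {ANTHROPIC_KEY}"


def build_sample_response(text: str) -> Dict[str, List[dict]]:
    """Hand-build a response in the documented shape (label/start/end) so the
    example runs offline. Offsets are computed from the text rather than typed
    in. The extra 'Possible Secret' span overlapping the GitHub token stands in
    for an entropy hit on the same string (an assumption for this example)."""
    gh_start = text.index(GITHUB_PAT)
    ant_start = text.index(ANTHROPIC_KEY)
    return {
        "fdl_secret_detection_scores": [
            {"label": "GitHub Personal Access Token", "start": gh_start, "end": gh_start + len(GITHUB_PAT)},
            {"label": "Possible Secret", "start": gh_start + 4, "end": gh_start + len(GITHUB_PAT)},
            {"label": "Anthropic API Key", "start": ant_start, "end": ant_start + len(ANTHROPIC_KEY)},
        ]
    }


def merge_spans(secrets: List[dict]) -> List[dict]:
    """Collapse overlapping spans into one. A specific pattern label wins over
    the generic 'Possible Secret' label when both cover the same characters."""
    merged: List[dict] = []
    for s in sorted(secrets, key=lambda s: (s["start"], -s["end"])):
        if merged and s["start"] < merged[-1]["end"]:
            last = merged[-1]
            last["end"] = max(last["end"], s["end"])
            if last["label"] == "Possible Secret" and s["label"] != "Possible Secret":
                last["label"] = s["label"]
        else:
            merged.append(dict(s))  # copy so the caller's list is untouched
    return merged


def redact_merged(text: str, secrets: List[dict]) -> str:
    """Right-to-left replacement as in the quick start helper, but over the
    merged spans so one replacement never lands inside another."""
    out = text
    for s in sorted(merge_spans(secrets), key=lambda s: s["start"], reverse=True):
        tag = s["label"].upper().replace(" ", "_")
        out = out[: s["start"]] + f"[REDACTED {tag}]" + out[s["end"] :]
    return out


def leaks_remain(original: str, redacted: str, secrets: List[dict]) -> bool:
    """Post-condition check before the text is forwarded to the LLM or logged:
    no character range the API flagged may survive verbatim."""
    return any(original[s["start"] : s["end"]] in redacted for s in secrets)


if __name__ == "__main__":
    resp = build_sample_response(SAMPLE_TEXT)
    spans = resp["fdl_secret_detection_scores"]
    cleaned = redact_merged(SAMPLE_TEXT, spans)
    print(cleaned)
    print("leak check passed:", not leaks_remain(SAMPLE_TEXT, cleaned, spans))
```

Run `leaks_remain` as a gate rather than a log line: if it returns True, drop the request instead of forwarding it, since a redaction that left a flagged range in place is exactly the case the guardrail exists to prevent.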
Step 3 (Example 1): API Key Detection

Detect common API keys and credentials:
sample_text = """
Setting up the integration. My Anthropic key is sk-ant-api03-abcdefghijklmnopqrstu
and the OpenAI key is sk-proj-ABCDEFGHIJKLMNOPQRSTUVWXYZabcde.
GitHub token: ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
"""

print("🧪 Testing API Key Detection")
response, latency = detect_secrets(sample_text)
print_detection_results(response, latency)

# Redact detected secrets
secrets = response.get("fdl_secret_detection_scores", [])
redacted = redact_secrets(sample_text, secrets)
print("📝 Redacted text:")
print(redacted)
Expected Output:
πŸ” Detection Results (⏱️ 0.008s)
πŸ“Š Total Secrets Found: 3

πŸ”‘ Anthropic API Key
πŸ”‘ OpenAI Project Key
πŸ”‘ GitHub Personal Access Token

πŸ“ Redacted text:

Setting up the integration. My Anthropic key is [REDACTED ANTHROPIC_API_KEY]
and the OpenAI key is [REDACTED OPENAI_PROJECT_KEY].
GitHub token: [REDACTED GITHUB_PERSONAL_ACCESS_TOKEN]
Exact character positions (start/end) vary by input and are returned by the API. The redaction helper uses API-returned offsets, not hardcoded values.
Step 4 (Example 2): Cloud & Infrastructure Credentials

Detect AWS access keys and other infrastructure secrets:
infra_text = """
AWS credentials for the prod account:
Access Key ID: AKIAIOSFODNN7EXAMPLE
Slack webhook: https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX
HashiCorp Vault token: hvs.CAESIJlU9eFfaBcDeFgHiJkLmNoPqRsTuVwXyZ01234567890123
"""

print("☁️ Testing Infrastructure Secret Detection")
response, latency = detect_secrets(infra_text)
print_detection_results(response, latency)
Expected Output:
πŸ” Detection Results (⏱️ 0.006s)
πŸ“Š Total Secrets Found: 3

πŸ”‘ AWS Access Key ID
πŸ”‘ Slack Webhook URL
πŸ”‘ HashiCorp Vault Token

API Reference

Endpoint

POST /v3/guardrails/secret-detection

Request Format

{
  "data": {
    "input": "Text to scan for secrets and credentials"
  }
}

Request Parameters

| Parameter | Type | Description | Default |
|---|---|---|---|
| input | string | Text to scan for secrets | Required |

Response Format

{
  "fdl_secret_detection_scores": [
    {
      "label": "Anthropic API Key",
      "start": 10,
      "end": 44
    }
  ]
}

Response Fields

| Field | Type | Description |
|---|---|---|
| label | string | Secret type (e.g. "Anthropic API Key") |
| start | integer | Character position where the secret starts |
| end | integer | Character position where the secret ends |

Detected Secret Types

LLM Provider Keys

Anthropic API Key, OpenAI Project Key, OpenAI/Stripe Secret Key, Hugging Face Token, Replicate API Token

Cloud Platforms

AWS Access Key ID, AWS Secret Access Key, Google API Key, Google OAuth Client Secret, Azure Credential, DigitalOcean PAT, DigitalOcean OAuth Token, Heroku API Key, Datadog API Key

Source Control

GitHub Fine-grained PAT, GitHub Personal Access Token, GitHub OAuth Token, GitHub Server Token, GitLab Personal Access Token, GitLab Pipeline Token, Bitbucket App Password

Package Registries

npm Access Token, PyPI API Token, NuGet API Key

Communication & Messaging

Slack Bot Token, Slack User Token, Slack App Token, Slack Webhook URL, Discord Bot Token, SendGrid API Key, Twilio Account SID, Mailgun API Key

Developer Tools

Postman API Key, HashiCorp Vault Token, Terraform Cloud Token, Supabase Token, Vercel Token

Generic Formats

JWT Token, HTTP Basic Auth, HTTP Bearer Token, PEM Private Key, Database Connection String

Entropy-based Detection

High-entropy alphanumeric, hex, and base64 strings that don’t match a known prefix pattern but exceed entropy thresholds. These are labeled as Possible Secret.
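To make the entropy criterion concrete, here is an added example (not Fiddler's implementation) of the technique this section describes: candidate runs in the three alphabets the page names are scored with Shannon entropy in bits per character and flagged as "Possible Secret" when they exceed a per-alphabet threshold. The minimum length, the thresholds and the candidate regex are assumptions for this example, and the sample text is constructed. Results are returned in the same label/start/end shape the API uses.

```python
import math
import re
from collections import Counter
from typing import List

# One candidate regex for the widest alphabet (base64, plus the '-' and '_' of
# URL-safe base64); narrower alphabets are recognised from the candidate's own
# characters. Length and thresholds are assumptions for this example, not
# Fiddler's settings.
CANDIDATE_RE = re.compile(r"[A-Za-z0-9+/=_-]{20,}")
HEX_CHARS = set("0123456789abcdefABCDEF")
ALNUM_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789")
THRESHOLDS_BITS_PER_CHAR = {"hex": 3.0, "alphanumeric": 4.0, "base64": 4.0}


def shannon_entropy(s: str) -> float:
    """Shannon entropy H = -sum(p_i * log2 p_i) in bits per character.
    H is bounded above by log2(len(s)), so a short string can never look
    random enough; that is why candidates have a minimum length."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def classify_charset(s: str) -> str:
    """Hex (16 symbols, max 4 bits/char) needs a lower threshold than
    alphanumeric (62 symbols) or base64 (64 symbols) to mean 'random'."""
    chars = set(s)
    if chars <= HEX_CHARS:
        return "hex"
    if chars <= ALNUM_CHARS:
        return "alphanumeric"
    return "base64"


def find_possible_secrets(text: str) -> List[dict]:
    """Return flagged spans in the API's label/start/end shape, plus the
    charset and entropy that triggered each one."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        token = m.group(0)
        charset = classify_charset(token)
        h = shannon_entropy(token)
        if h >= THRESHOLDS_BITS_PER_CHAR[charset]:
            hits.append({"label": "Possible Secret", "start": m.start(), "end": m.end(),
                         "charset": charset, "entropy": round(h, 3)})
    return hits


# Constructed sample: a 32-hex-digit value (each digit twice, so exactly 4.0
# bits/char), a long English compound (about 3.65 bits/char, below threshold),
# a random-looking URL-safe base64 blob (25 distinct characters, log2(25) = 4.64
# bits/char) and a zero-entropy run of one character.
SAMPLE_TEXT = (
    "deploy key 0123456789abcdef0123456789abcdef for the "
    "configurationmanagementsystem rollout; session blob Ab3+Cd9/Ef1-Gh7_Ij5Kl0xYz "
    "and padding aaaaaaaaaaaaaaaaaaaaaaaa"
)

if __name__ == "__main__":
    for hit in find_possible_secrets(SAMPLE_TEXT):
        print(hit, "->", SAMPLE_TEXT[hit["start"]:hit["end"]])
```

The English compound is the false-positive case worth watching: long identifiers and URLs score well above zero, so the threshold, not the mere presence of a long token, decides; tune it against your own traffic and treat "Possible Secret" as a lower-confidence label than a pattern match.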

Code Examples

import requests

url = "https://your_company.fiddler.ai/v3/guardrails/secret-detection"
headers = {
    "Authorization": "Bearer YOUR_TOKEN",
    "Content-Type": "application/json"
}

payload = {
    "data": {
        "input": "My key is sk-ant-api03-abcdefghijklmnopqrstu"
    }
}

response = requests.post(url, json=payload, headers=headers, timeout=10)
response.raise_for_status()  # surface auth or server errors instead of parsing an error body
secrets = response.json().get("fdl_secret_detection_scores", [])

for secret in secrets:
    print(f"Found {secret['label']} at positions {secret['start']}–{secret['end']}")

Summary

You’ve learned how to:
  • ✅ Detect ~42 known credential formats using pattern matching
  • ✅ Catch unknown high-entropy secrets using entropy analysis
  • ✅ Locate secrets precisely using character-level start/end spans
  • ✅ Redact secrets from text before forwarding to an LLM