> ## Documentation Index
> Fetch the complete documentation index at: https://docs.fiddler.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Secrets

> Learn to detect credentials, API keys, and tokens in text using Fiddler's Centor Secret Detection guardrail to prevent secret leakage in LLM applications.

Get your secret detection running in **minutes** with Fiddler's Centor Secret Detection Guardrail. This guide walks you through detecting API keys, credentials, and tokens to prevent sensitive secrets from leaking through your LLM applications.

## What You'll Build

In this quick start, you'll implement a secret detection system that:

* Detects \~42 known credential formats (Anthropic, OpenAI, AWS, GitHub, Slack, and more)
* Catches unknown secrets using Shannon entropy analysis
* Returns character-level spans so you can locate and redact secrets in your text
* Provides real-time detection with sub-second latency

## Prerequisites

* Fiddler account with [access token](/reference/administration/settings#credentials)
* Python 3.10+ environment

## Overview

Fiddler's Centor Secret Detection guardrail scans text for credentials before they reach your LLM or get logged, delivering deterministic, low-latency results with no GPU required.

### Key Capabilities

* **Pattern-based detection**: \~42 known credential formats covering major providers and platforms
* **Entropy analysis**: Catches high-entropy strings that match unknown or custom secret formats (labeled as `Possible Secret`)
* **Character-level spans**: Returns `start` and `end` offsets for precise redaction
* **Fast**: Sub-millisecond detection latency, CPU-only

<Steps>
  <Step title="Set Up Your Environment">
    Configure the Secret Detection Guardrail API:

    ```python theme={null}
    import requests
    import time

    # Replace with your actual values
    URL = 'https://your_company.fiddler.ai'
    TOKEN = 'your_token_here'

    # API Configuration
    SECRET_DETECTION_URL = f"{URL}/v3/guardrails/secret-detection"
    FIDDLER_HEADERS = {
        "Authorization": f"Bearer {TOKEN}",
        "Content-Type": "application/json",
    }
    ```
  </Step>

  <Step title="Define Helper Functions">
    Create reusable functions for interacting with the API:

    ```python theme={null}
    def detect_secrets(text: str):
        """
        Detect secrets and credentials in text.

        Args:
            text: Input text to scan

        Returns:
            Tuple of (API response dict, latency in seconds)
        """
        start_time = time.monotonic()

        try:
            response = requests.post(
                SECRET_DETECTION_URL,
                headers=FIDDLER_HEADERS,
                json={"data": {"input": text}},
            )
            response.raise_for_status()
            return response.json(), (time.monotonic() - start_time)

        except requests.exceptions.RequestException as e:
            print(f"❌ API call failed: {e}")
            return {}, (time.monotonic() - start_time)

    def print_detection_results(response, latency):
        """Display detection results in a formatted way."""
        secrets = response.get("fdl_secret_detection_scores", [])

        print(f"\n🔍 Detection Results (⏱️ {latency:.3f}s)")
        print(f"📊 Total Secrets Found: {len(secrets)}\n")

        if not secrets:
            print("✅ No secrets detected.")
            return

        for secret in secrets:
            print(f"🔑 {secret['label']}")
            print(f"   Position: {secret['start']}–{secret['end']}")
            print()

    def redact_secrets(text: str, secrets: list) -> str:
        """Apply redactions right-to-left to preserve offsets."""
        for secret in sorted(secrets, key=lambda s: s["start"], reverse=True):
            label = secret["label"].upper().replace(" ", "_")
            text = text[: secret["start"]] + f"[REDACTED {label}]" + text[secret["end"] :]
        return text
    ```
  </Step>

  <Step title="Example 1: API Key Detection">
    Detect common API keys and credentials:

    ```python theme={null}
    sample_text = """
    Setting up the integration. My Anthropic key is sk-ant-api03-abcdefghijklmnopqrstu
    and the OpenAI key is sk-proj-ABCDEFGHIJKLMNOPQRSTUVWXYZabcde.
    GitHub token: ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
    """

    print("🧪 Testing API Key Detection")
    response, latency = detect_secrets(sample_text)
    print_detection_results(response, latency)

    # Redact detected secrets
    secrets = response.get("fdl_secret_detection_scores", [])
    redacted = redact_secrets(sample_text, secrets)
    print("📝 Redacted text:")
    print(redacted)
    ```

    **Expected Output:**

    ```
    🔍 Detection Results (⏱️ 0.008s)
    📊 Total Secrets Found: 3

    🔑 Anthropic API Key
    🔑 OpenAI Project Key
    🔑 GitHub Personal Access Token

    📝 Redacted text:

    Setting up the integration. My Anthropic key is [REDACTED ANTHROPIC_API_KEY]
    and the OpenAI key is [REDACTED OPENAI_PROJECT_KEY].
    GitHub token: [REDACTED GITHUB_PERSONAL_ACCESS_TOKEN]
    ```

    > Exact character positions (`start`/`end`) vary by input and are returned by the API. The redaction helper uses API-returned offsets, not hardcoded values.
  </Step>

  <Step title="Example 2: Cloud & Infrastructure Credentials">
    Detect AWS access keys and other infrastructure secrets:

    ```python theme={null}
    infra_text = """
    AWS credentials for the prod account:
    Access Key ID: AKIAIOSFODNN7EXAMPLE
    Slack webhook: https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX
    HashiCorp Vault token: hvs.CAESIJlU9eFfaBcDeFgHiJkLmNoPqRsTuVwXyZ01234567890123
    """

    print("☁️ Testing Infrastructure Secret Detection")
    response, latency = detect_secrets(infra_text)
    print_detection_results(response, latency)
    ```

    **Expected Output:**

    ```
    🔍 Detection Results (⏱️ 0.006s)
    📊 Total Secrets Found: 3

    🔑 AWS Access Key ID
    🔑 Slack Webhook URL
    🔑 HashiCorp Vault Token
    ```
  </Step>
</Steps>

## API Reference

### Endpoint

```
POST /v3/guardrails/secret-detection
```

### Request Format

```json theme={null}
{
  "data": {
    "input": "Text to scan for secrets and credentials"
  }
}
```

### Request Parameters

| Parameter | Type   | Description              | Default  |
| --------- | ------ | ------------------------ | -------- |
| `input`   | string | Text to scan for secrets | Required |

### Response Format

```json theme={null}
{
  "fdl_secret_detection_scores": [
    {
      "label": "Anthropic API Key",
      "start": 10,
      "end": 44
    }
  ]
}
```

### Response Fields

| Field   | Type    | Description                              |
| ------- | ------- | ---------------------------------------- |
| `label` | string  | Secret type (e.g. `"Anthropic API Key"`) |
| `start` | integer | Character position where secret starts   |
| `end`   | integer | Character position where secret ends     |

### Detected Secret Types

#### LLM Provider Keys

`Anthropic API Key`, `OpenAI Project Key`, `OpenAI/Stripe Secret Key`, `Hugging Face Token`, `Replicate API Token`

#### Cloud Platforms

`AWS Access Key ID`, `AWS Secret Access Key`, `Google API Key`, `Google OAuth Client Secret`, `Azure Credential`, `DigitalOcean PAT`, `DigitalOcean OAuth Token`, `Heroku API Key`, `Datadog API Key`

#### Source Control

`GitHub Fine-grained PAT`, `GitHub Personal Access Token`, `GitHub OAuth Token`, `GitHub Server Token`, `GitLab Personal Access Token`, `GitLab Pipeline Token`, `Bitbucket App Password`

#### Package Registries

`npm Access Token`, `PyPI API Token`, `NuGet API Key`

#### Communication & Messaging

`Slack Bot Token`, `Slack User Token`, `Slack App Token`, `Slack Webhook URL`, `Discord Bot Token`, `SendGrid API Key`, `Twilio Account SID`, `Mailgun API Key`

#### Developer Tools

`Postman API Key`, `HashiCorp Vault Token`, `Terraform Cloud Token`, `Supabase Token`, `Vercel Token`

#### Generic Formats

`JWT Token`, `HTTP Basic Auth`, `HTTP Bearer Token`, `PEM Private Key`, `Database Connection String`

#### Entropy-based Detection

High-entropy alphanumeric, hex, and base64 strings that don't match a known prefix pattern but exceed entropy thresholds. These are labeled as `Possible Secret`.

### Code Examples

<Tabs>
  <Tab title="Python - Requests">
    ```python theme={null}
    import requests

    url = "https://your_company.fiddler.ai/v3/guardrails/secret-detection"
    headers = {
        "Authorization": "Bearer YOUR_TOKEN",
        "Content-Type": "application/json"
    }

    payload = {
        "data": {
            "input": "My key is sk-ant-api03-abcdefghijklmnopqrstu"
        }
    }

    response = requests.post(url, json=payload, headers=headers)
    secrets = response.json().get("fdl_secret_detection_scores", [])

    for secret in secrets:
        print(f"Found {secret['label']} at positions {secret['start']}–{secret['end']}")
    ```
  </Tab>

  <Tab title="cURL">
    ```bash theme={null}
    curl -X POST 'https://your_company.fiddler.ai/v3/guardrails/secret-detection' \
      -H 'Content-Type: application/json' \
      -H 'Authorization: Bearer YOUR_TOKEN' \
      -d '{
        "data": {
          "input": "My key is sk-ant-api03-abcdefghijklmnopqrstu"
        }
      }'
    ```
  </Tab>
</Tabs>

## Next Steps

* Use the [LiteLLM Guardrails](/protection/litellm-guardrails) integration to automatically block or redact secrets in real-time LLM proxy traffic
* Explore other [Fiddler guardrails](/protection/guardrails) for comprehensive AI safety
* Review the [Secret Detection Evaluator](/sdk-api/evals/ftl-secret-detection) for use with the Fiddler Evals SDK

## Summary

You've learned how to:

* ✅ Detect \~42 known credential formats using pattern matching
* ✅ Catch unknown high-entropy secrets using entropy analysis
* ✅ Locate secrets precisely using character-level `start`/`end` spans
* ✅ Redact secrets from text before forwarding to an LLM
