The fastest way to hide API keys and emails in Mac screenshots
Short answer: take the screenshot, then pixelate the secret straight into the image before it goes anywhere, and do it inside the same capture-to-share loop so the safe move is also the fast one. The trap is that the careful version is usually slower than just hitting paste, so people skip it. The fix is a tool where scrubbing a key or an email takes a single drag, not a detour into a separate editor. Here is what leaks, why speed decides whether you bother, and the exact steps.
Why secrets leak into screenshots
When you grab a terminal, a dashboard or your inbox to drop into a bug report or a chat, the secret is rarely the thing you are pointing at. It is sitting next to it, in frame, by accident.
- A key printed three commands up in your scrollback, still visible when you snap the whole window.
- A bearer token in the headers of a request you were debugging in the network panel.
- A database connection string in a .env file or a config block, password and host included.
- An email address, an internal hostname, or a customer identifier in the corner of an admin screen you only opened to show one button.
None of these are the point of the screenshot, which is exactly why they get missed. You are focused on the error, not the line above it.
Speed is the whole game
The honest reason secrets leak is not that people do not care. It is that the careful path is slower than the careless one. If hiding a key means saving the screenshot, opening another app, finding a redaction tool, doing the edit and re-exporting, you will do it the first time and skip it the tenth, especially mid-debug when you just want to paste the thing and move on.
So the safe move only happens if it is faster than the unsafe move. That means the redaction has to live inside the capture-to-share loop itself: shortcut, scrub the secret, copy. No separate editor, no round trip to a website. When covering a token costs you one drag instead of a context switch, you actually do it every time, and that consistency is what protects you. A tool that uploads your image to redact it fails this test twice over: it is slower, and it sends the unredacted original to a server first. There is more on why on-device matters in the guide to redacting screenshots without uploading them.
The fastest way to do it on a Mac
With ScrubShot the whole thing is one uninterrupted loop:
- Press the shortcut. ScrubShot captures the screen you are looking at.
- Drag the Scrub tool over the key, the token, the connection string, the email. It is pixelated straight into the image as you go.
- Scan the rest of the frame for anything you missed in the corners or the scrollback, and scrub that too.
- Use the Marker to circle the actual error, or Text to label it, so the person you are sending it to looks where you want.
- Copy it to the clipboard or let it save to your Pictures folder, then paste it into the chat, issue or email.
The Scrub tool rewrites the underlying pixels, so a scrubbed area cannot be lifted off or un-scrubbed later. If you over-scrub or miss the mark, there is Undo. None of it touches the network, so the redaction happens in the half-second between capturing and pasting rather than as a separate task you have to remember to do.
A checklist of what to scrub
Before you send any screenshot of a terminal, config, dashboard or inbox, run your eye over the frame for these:
- API keys and anything that looks like a long random string with a recognizable prefix.
- Tokens: bearer, access, refresh and session tokens, in headers, URLs or cookies.
- Secrets and passwords: client secrets, signing keys, anything from a .env file.
- Connection strings that bundle a username, password and host into one line.
- Internal URLs and hostnames that reveal staging environments or internal infrastructure.
- Email addresses, including the ones in headers, CC lines and account menus.
- Customer and account identifiers: names, user IDs, order numbers, anything that ties the shot to a real person.
The same instinct applies when the sensitive part is a name, an address or a bank detail rather than a credential, which is its own can of worms covered in hiding bank details and personal information in screenshots.
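A pre-capture check for the checklist above, as an added example (not part of the original article and not ScrubShot code): it scans terminal text for the listed categories so you know what to scrub before taking the shot. The regex heuristics, the `.internal`/`.corp`/`.local` suffixes and the sample scrollback are assumptions constructed for illustration.

```python
import re

# Heuristic rules for the checklist categories, in priority order.
# All patterns are assumptions for this example, not vendor-accurate rules.
RULES = [
    ("connection-string", re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s:/@]+:[^\s@]+@[^\s/]+")),
    ("bearer-token", re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/-]{16,}=*")),
    ("env-secret", re.compile(r"\b[A-Z0-9_]*(?:SECRET|PASSWORD|TOKEN|KEY)[A-Z0-9_]*\s*=\s*\S+")),
    ("prefixed-key", re.compile(r"\b[A-Za-z]{2,8}_[A-Za-z0-9]{24,}\b")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("internal-host", re.compile(r"\b[\w-]+(?:\.[\w-]+)*\.(?:internal|corp|local)\b")),
]

def scan(text):
    """Return (line_no, category, masked_preview) for everything worth scrubbing."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        claimed = []  # spans already attributed to a higher-priority rule
        for category, pattern in RULES:
            for m in pattern.finditer(line):
                if any(m.start() < e and s < m.end() for s, e in claimed):
                    continue  # e.g. user:pass@host inside a URL is not an email
                claimed.append(m.span())
                # Never echo the full secret back into a terminal or log.
                findings.append((line_no, category, m.group()[:4] + "***"))
    return findings

# Constructed sample scrollback; every value below is fake.
SAMPLE = """\
$ curl -H 'Authorization: Bearer eyFAKEfake.fakefakefake.fakefake' https://api.example.com/v1/orders
new key issued: demo_0123456789abcdefABCDEF0123
$ cat .env
DATABASE_URL=postgres://app:hunter2pw@db.staging.internal:5432/orders
CLIENT_SECRET=s3cr3t-value-fake
error: grafana.corp.internal refused, contact jane.doe@example.com
"""

if __name__ == "__main__":
    for line_no, category, preview in scan(SAMPLE):
        print(f"line {line_no}: {category:18} {preview}")
```

A clean result from a scanner like this only means none of its patterns matched; the visual pass over the frame described above still applies.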
One caveat: redaction is not revocation
This is the part people get wrong, so I will be blunt about it. If a real, live secret has already been shared somewhere unredacted, pasted into a chat, attached to an issue, sent in an email, then editing a clean copy afterwards does nothing for the original. It is already out. Anyone who saw it has it, and you cannot recall a message reliably.
At that point the only safe move is to rotate or revoke the secret at the source: regenerate the key, invalidate the token, change the password, rotate the connection string. Treat it as compromised. Redaction is for the screenshots you are about to send, not the ones that already went out. Scrubbing the image is what keeps the secret from leaking in the first place; rotating it is what you do once it has.
FAQ
- Is it safe to share a screenshot if I have blurred the API key?
- Only if the key is gone for good. A light blur can be partially reversed by software, because the original characters are still mathematically present. Pixelating the key straight into the image with ScrubShot rewrites those pixels, so there is no underlying token left to recover.
- I already shared a screenshot with a live token in it. Is redacting a new copy enough?
- No. Once a real secret has been seen by anyone unredacted, treat it as compromised and rotate or revoke it at the source. Redaction protects the next screenshot, not the one that already went out. Editing the image does not un-send it from a chat, an issue tracker or an email.
- What should I scrub in a terminal or .env screenshot?
- Anything that grants access or identifies a person: API keys, bearer and access tokens, client secrets, database connection strings, passwords, internal hostnames and URLs, email addresses, and customer or account identifiers. If you would not paste it into a public chat, scrub it before the screenshot goes anywhere.
- How do I hide a secret in a screenshot without uploading the image somewhere?
- Capture and redact on your own Mac in one pass. With ScrubShot you press the shortcut, drag the Scrub tool over the secret to pixelate it into the image, then copy or save. Nothing is sent to a server, so the only version that leaves your Mac is the cleaned one.
Try it
ScrubShot is a Mac app built for exactly this: press the shortcut, drag over the key or the email to pixelate it into the image, then copy or save. The cleaned screenshot is the only version that ever leaves your Mac. There is a free 7-day trial with no card required. After that it is $30 once.