Skip to content
OpenGuard
Docs
credential_filter

credential_filter

Credential detection guard: scans messages for API keys, tokens, and secrets using the detect-secrets library (12 credential families). Default action: block (raises 403). Set action=redact to sanitize in-place.

Credential detection guard: scans messages for API keys, tokens, and secrets using the detect-secrets library (12 credential families). Default action: block (raises 403). Set action=redact to sanitize in-place.

Covers AWS IAM keys, GitHub/GitLab tokens, JWTs, Slack tokens, PEM private keys, OpenAI keys, Stripe keys, Twilio, Discord, npm, Azure Storage keys.

Options

  • action: block (default) / redact / log
  • credential_types: list of specific types to check; omit for all 12.

Available types: aws_key, github_token, gitlab_token, jwt, slack_token, private_key, openai_key, stripe_key, twilio_key, discord_token, npm_token, azure_storage_key.

Configuration

Section titled “Configuration”
FieldTypeDefaultDescription
actionstring"block"Action when credentials are detected. 'block' rejects the request with a 403 (default — mirrors KeywordFilter). 'redact' replaces credentials with [protected:TYPE] and lets the request through. 'log' only records the finding without modifying or blocking.
credential_types`arraynull`None

Examples

Section titled “Examples”
# Example 1
type: credential_filter
config:
  action: block
# Example 2
type: credential_filter
config:
  action: block
  credential_types:
  - aws_key
  - github_token
  - jwt
  - private_key
# Example 3
type: credential_filter
config:
  action: redact
# Example 4
type: credential_filter
config:
  action: log
Home Home Docs Blog
Getting Started
Configuration

Guards

Content Filter credential_filter Keyword Filter LLM Input Inspection llm_tool_inspection Max Tokens Guard PII Filter tool_filter