Skip to content

Secret redaction, explained

While Streaming Mode is on, Mastery HQ masks secret-shaped text at the moment it renders — an echoed API key shows as sk-a…••••, a cat .env shows variable names with hidden values — across the terminal, agent transcripts, and the audit log. It’s render-time only: your data is never modified, and leaving Streaming Mode restores every character instantly.

  • Recognized key formats: sk-… (OpenAI/Anthropic/OpenRouter), xai-…, GitHub (ghp_, github_pat_…), AWS (AKIA…), Slack (xox…), Google (AIza…), npm, JWTs (eyJ…), and Bearer tokens.
  • Env-style dumps: any SOMETHING_KEY= / _TOKEN= / _SECRET= / _PASSWORD= line gets its value masked — printenv, set, .env contents.
  • Unknown formats: long, random-looking mixed-case strings are masked by a fallback pattern (git commit hashes deliberately survive — they’re lowercase hex).
  • Surfaces beyond text: the license account e-mail is masked and minted codes hidden; Open .env file is disabled; the Spotify connect-diagnostics row is hidden; copying a secret-shaped selection warns you.

What’s NOT covered — and the answer to it

Section titled “What’s NOT covered — and the answer to it”

Web pages in the Browser pane render arbitrary content that text-masking can’t reach. That’s the job of the privacy scene: with OBS/Streamlabs connected, Mastery HQ jumps your stream to a safe scene whenever a sensitive pane opens (details). Belt and suspenders.

Redaction is integral to Streaming Mode rather than a separate toggle for one reason: a safety layer you can forget to enable is a safety layer that fails exactly once. If you need the full text, leave Streaming Mode — the two states are one click apart.