Built-in pattern types, one scanner.
The scanner ships a focused set of built-in pattern types, all listed in the table below. Each match returns a label, a severity, and a position. When matches overlap, the higher-severity one wins. The same scanner runs everywhere: supported AI sites, the side panel Redactor, and the generic adapter on the sites you add yourself.
| Category | Severity | Matches |
|---|---|---|
| JWT | HIGH | Three base64url segments separated by dots; header must decode to a JWT shape. |
| API keys (vendor prefix) | HIGH | Known vendor prefixes: sk_live_, pk_live_, AKIA…, ghp_, glpat-, xox[bpaors]-, hf_, npm_, shpat_, dckr_pat_, plus several more — and Telegram bot tokens. |
| AWS access keys | HIGH | Matches the AKIA prefix used by all AWS access key IDs. |
| PEM private keys | HIGH | -----BEGIN … PRIVATE KEY----- through the matching end block. Covers OpenSSH via the generic header regex. |
| Passwords | HIGH | Keyword-anchored matches like password: …, pwd=…, passphrase …. |
| Credentials in token-URLs | HIGH | URLs carrying credentials inline (user:pass@host) or as query params (token=, access_token=, auth=). |
| Credit card numbers | HIGH | 13–19 digits, Luhn-validated. May false-positive on long numeric IDs that happen to satisfy Luhn. |
| SSN (US format) | HIGH | US Social Security Numbers in DDD-DD-DDDD format with invalid area/group number rejection. |
| Database credentials | HIGH | postgresql://, mysql://, mongodb(+srv)://, redis://, amqp(s)://, mssql://. |
| Discord tokens | HIGH | Discord bot and user tokens — three base64url-encoded segments separated by dots. A leaked token gives full API access to a bot or account. |
| National ID numbers | HIGH | UK National Insurance, Canadian SIN, Australian TFN, Indian PAN, Brazil CPF, Italian Codice Fiscale, Singapore NRIC, South Korea RRN, Sweden Personnummer, Ireland PPS, Spain DNI, Mexico CURP, Finland HETU, Hong Kong HKID, New Zealand IRD. |
| Crypto wallet addresses | HIGH | Bitcoin (legacy 1…/3… and bech32 bc1…) and Ethereum (0x… + 40 hex) wallet addresses. Pasting one into an AI can deanonymize your holdings. |
| IBAN (bank account) | HIGH | International Bank Account Numbers (DE89…) identifying a specific account. Validated with the ISO 13616 mod-97 checksum, which passes only about 1 in 97 random digit strings, so false positives stay near 1%. |
| Bank routing numbers (US) | HIGH | US bank routing (ABA) numbers. Context-anchored — a routing/aba/rtn keyword must precede the digits — and checksum-validated, so it does not flag every 9-digit number. |
| Webhook URLs | HIGH | Slack and Discord webhook URLs carrying a secret in the path. Anyone holding the URL can post messages to your channel. |
| Email addresses | MED | Standard RFC-shaped addresses with a TLD. |
| Phone numbers (US) | MED | US 10-digit formats with at least one separator. |
| International phone | MED | Numbers starting with + followed by a country code and subscriber number. Covers most international formats. |
| Private IP addresses | MED | RFC 1918 ranges: 10.x.x.x, 172.16–31.x.x, 192.168.x.x, and loopback 127.x.x.x / ::1. |
| Internal URLs | MED | Hostnames ending in .local or .internal, and bare localhost references. |
| Secret-like strings (entropy) | MED | Long random-looking strings that don't match a vendor pattern. Two confidence tiers: strong tier blocks the send, weak tier flags but passes through. |
| AWS ARNs | MED | Amazon Resource Names (arn:aws:…) that identify a cloud resource and embed your 12-digit AWS account ID. |
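The three checksums the table leans on, as an added example in JavaScript (not Redactopia's own code): Luhn for 13–19 digit card candidates, ISO 13616 mod-97 for IBANs, and the ABA 3-7-1 weighting for routing numbers, plus a context-anchored routing finder of the kind the routing row describes. The keyword list and the 20-character gap allowed between keyword and digits are assumptions; the IBAN and routing values used are widely published test examples and the card numbers are constructed.

```javascript
// Added example, not Redactopia's code. Three checksum validators that cut
// false positives on otherwise regex-shaped numbers, plus a context-anchored
// routing-number finder. All sample values below are published test values
// or constructed; none is a real account.

// Luhn (ISO/IEC 7812) over a 13–19 digit string: double every second digit
// from the right, subtract 9 when that exceeds 9, and the sum must be mod 10 == 0.
function luhnValid(digits) {
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// IBAN mod-97 (ISO 13616): move the first four characters to the end, map
// A–Z to 10–35, and the resulting integer mod 97 must equal 1. A rolling
// remainder keeps this exact for the longest IBANs without BigInt.
function ibanValid(iban) {
  const s = iban.replace(/\s+/g, '').toUpperCase();
  if (!/^[A-Z]{2}\d{2}[A-Z0-9]{11,30}$/.test(s)) return false;
  const rearranged = s.slice(4) + s.slice(0, 4);
  let rem = 0;
  for (const ch of rearranged) {
    const v = ch >= 'A' ? String(ch.charCodeAt(0) - 55) : ch;   // 'A' -> "10" ... 'Z' -> "35"
    for (const digit of v) rem = (rem * 10 + (digit.charCodeAt(0) - 48)) % 97;
  }
  return rem === 1;
}

// ABA routing number: exactly 9 digits, weighted 3-7-1-3-7-1-3-7-1, sum mod 10 == 0.
function abaValid(digits) {
  if (!/^\d{9}$/.test(digits)) return false;
  const weights = [3, 7, 1, 3, 7, 1, 3, 7, 1];
  let sum = 0;
  for (let i = 0; i < 9; i++) sum += weights[i] * (digits.charCodeAt(i) - 48);
  return sum % 10 === 0;
}

// Context-anchored finder (assumed keyword list and 20-char gap): a
// routing/aba/rtn keyword must precede the digits, and the checksum must pass,
// so a bare 9-digit order number is never flagged.
function findRoutingNumbers(text) {
  const re = /\b(?:routing|aba|rtn)\b[^\d]{0,20}(\d{9})\b/gi;
  const found = [];
  for (const m of text.matchAll(re)) {
    if (abaValid(m[1])) found.push({ value: m[1], start: m.index + m[0].length - 9 });
  }
  return found;
}
```

Note that luhnValid('1234567812345670') returns true: that string is a constructed ID, not a card, and it passes Luhn anyway, which is exactly the false positive the credit-card row warns about. The IBAN check has no such weakness in practice because a random 22-character string clears mod-97 only about 1% of the time.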
Severity controls the color of the inline marker (red for HIGH, orange for MED, the tier the toolbar badge calls STANDARD) and how urgently each finding is flagged in the warning modal. Every finding pauses your send regardless of severity: MED means less critical, not ignorable. The one exception is the entropy detector's weak-confidence tier, described next.
About the entropy detector. Vendor-prefixed keys are easy. For random-looking strings that don't match a known prefix, Shannon entropy with an alphabet-aware threshold and nearby context words (secret, token, key, bearer) takes over. Two confidence tiers: strong pauses the send, weak just flags, so prose-heavy content doesn't constantly trip the modal.
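How an entropy detector with an alphabet-aware threshold, two confidence tiers, and the overlap rule from the top of this page fit together, as an added example (not Redactopia's code). The 85% ratio, the context-word list, the 40-character look-behind window, and the single AKIA vendor pattern standing in for the HIGH-severity built-ins are all assumptions; every input in the usage lines is constructed.

```javascript
// Added example, not Redactopia's code. Shannon entropy with a threshold that
// scales with the token's alphabet and length, context words that promote a hit
// from the weak tier to the strong tier, and "higher severity wins" on overlap.
// Thresholds, keyword list and context window are assumptions for this example.

const SEVERITY_RANK = { HIGH: 2, MED: 1 };
const CONTEXT_WORDS = /secret|token|key|bearer|password|credential/i;
const CONTEXT_WINDOW = 40;   // characters looked at before the candidate
const ENTROPY_RATIO = 0.85;  // flag when entropy >= 85% of the achievable maximum

// One vendor-prefixed detector standing in for the HIGH-severity built-ins.
const VENDOR_PATTERNS = [
  { label: 'aws-access-key', severity: 'HIGH', re: /\bAKIA[0-9A-Z]{16}\b/g },
];

// Shannon entropy of a string in bits per character.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Alphabet-aware ceiling: a hex token can never exceed 4 bits/char and a
// 20-char token can never exceed log2(20) bits/char, so one fixed bar would
// either miss short or hex secrets or flag long prose. Compare against the
// maximum this token could possibly reach instead.
function maxEntropy(s) {
  const alphabet = /^[0-9]+$/.test(s) ? 10 : /^[0-9a-f]+$/i.test(s) ? 16 : 64;
  return Math.min(Math.log2(s.length), Math.log2(alphabet));
}

const CANDIDATE = /[A-Za-z0-9_-]{20,}/g;   // base64url-ish runs of 20+ chars

function detectEntropySecrets(text) {
  const findings = [];
  for (const m of text.matchAll(CANDIDATE)) {
    const tok = m[0];
    if (shannonEntropy(tok) < ENTROPY_RATIO * maxEntropy(tok)) continue;
    const before = text.slice(Math.max(0, m.index - CONTEXT_WINDOW), m.index);
    findings.push({
      label: 'entropy-secret', severity: 'MED',
      tier: CONTEXT_WORDS.test(before) ? 'strong' : 'weak',
      start: m.index, end: m.index + tok.length,
    });
  }
  return findings;
}

function detectVendorKeys(text) {
  const findings = [];
  for (const { label, severity, re } of VENDOR_PATTERNS) {
    for (const m of text.matchAll(re)) {
      findings.push({ label, severity, start: m.index, end: m.index + m[0].length });
    }
  }
  return findings;
}

// Overlap rule: keep the higher-severity finding; on a tie, the earlier one.
function resolveOverlaps(findings) {
  const bySeverity = [...findings].sort(
    (a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity] || a.start - b.start);
  const kept = [];
  for (const f of bySeverity) {
    if (!kept.some(k => f.start < k.end && k.start < f.end)) kept.push(f);
  }
  return kept.sort((a, b) => a.start - b.start);
}

function scan(text) {
  return resolveOverlaps([...detectVendorKeys(text), ...detectEntropySecrets(text)]);
}

// Every finding pauses the send except a weak-tier entropy hit, which only flags.
function shouldPauseSend(findings) {
  return findings.some(f => !(f.label === 'entropy-secret' && f.tier === 'weak'));
}
```

The AKIA key in the first usage line is also a high-entropy run, so the entropy detector fires on it too; the overlap rule keeps only the HIGH vendor finding. The 20-letter word "internationalization" matches the candidate regex but sits well under the entropy bar, which is why prose does not keep tripping the modal.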
How detections show up
Detection runs locally as you type. Each match gets a thin, color-coded outline right in your prompt — red for high-severity items, orange for standard ones — so the text stays readable and you can see exactly what was caught. A small lock-and-count pill sits in the top-right corner of the composer; the lock turns red when anything high-severity is present. Hover any finding to see what category it is and why it was caught. Click its label to redact just that one, or click the pill to open the full review. On send, the warning modal still steps in if anything sensitive is there, regardless of the on-page cues.
Custom redaction labels (Pro). When you hover a finding, you can also type exactly what it should redact to and apply it right there — swap the default [email redacted] for [client], a ticket code, or whatever fits. Your label is checked so it can’t itself contain something flaggable, and it sticks to that value for the rest of the session, so every other place it appears redacts the same way.
Prefer a clean composer while drafting? Open the gear menu (Settings) in the side panel and turn off Highlight detections in the text. That hides the inline outlines only — the count pill and the send-time check stay on, so you’re never left without a heads-up.
Redaction style: Label or Coded (Pro)
By default a redaction becomes a plain placeholder like [email redacted]. On Pro you can switch to Coded style (gear menu → Settings → Redaction style), which replaces each value with a consistent numbered token instead: [EMAIL_1], [EMAIL_2], [PHONE_1]. The same value always maps to the same token, so the AI can still tell two different people (or two different keys) apart — something a row of identical [email redacted] labels would erase. The mapping lives in memory only and is never saved.
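What the Label and Coded styles do to a prompt, as an added example (not Redactopia's code): a Redactor that swaps each finding for either a plain placeholder or a per-category numbered token, and keeps the value-to-token map only in memory for the life of the instance. The email and phone regexes are simplified stand-ins for the real detectors, and the inputs are constructed.

```javascript
// Added example, not Redactopia's code. Applies findings in Label style
// ("[email redacted]") or Coded style ("[EMAIL_1]"); in Coded style the same
// value always gets the same token while this Redactor instance lives, and
// nothing is persisted. Detectors here are simplified stand-ins.

const DETECTORS = [
  { category: 'EMAIL', re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g },
  { category: 'PHONE', re: /\b\d{3}[-.]\d{3}[-.]\d{4}\b/g },
];

// All matches as {category, start, end} in document order. These two regexes
// cannot overlap each other, so no overlap resolution is needed here.
function findAll(text) {
  const found = [];
  for (const { category, re } of DETECTORS) {
    for (const m of text.matchAll(re)) {
      found.push({ category, start: m.index, end: m.index + m[0].length });
    }
  }
  return found.sort((a, b) => a.start - b.start);
}

class Redactor {
  constructor(style = 'label') {
    this.style = style;          // 'label' or 'coded'
    this.tokens = new Map();     // "EMAIL|alice@example.com" -> "[EMAIL_1]"
    this.counters = new Map();   // "EMAIL" -> highest number handed out so far
  }

  // Label style ignores the value; Coded style numbers distinct values per category.
  tokenFor(category, value) {
    if (this.style === 'label') return `[${category.toLowerCase()} redacted]`;
    const key = `${category}|${value}`;
    if (!this.tokens.has(key)) {
      const n = (this.counters.get(category) || 0) + 1;
      this.counters.set(category, n);
      this.tokens.set(key, `[${category}_${n}]`);
    }
    return this.tokens.get(key);
  }

  // One forward pass over non-overlapping findings: numbering follows first
  // appearance and earlier offsets never shift under later replacements.
  redact(text) {
    let out = '';
    let cursor = 0;
    for (const f of findAll(text)) {
      out += text.slice(cursor, f.start) + this.tokenFor(f.category, text.slice(f.start, f.end));
      cursor = f.end;
    }
    return out + text.slice(cursor);
  }
}
```

A second call on the same instance reuses the map, so bob@example.com stays [EMAIL_2] across messages in one session, while a fresh instance starts counting again at 1.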
Per-site detection rules (Pro)
Different sites want different setups: stricter on a work tool, lighter on a personal chat. On Pro, the Detection card follows whichever AI site is in the tab in front of you — its name sits at the top (“ChatGPT”, “Claude”, and so on). Hit Customize and any category you change from then on applies to that site alone; every other site keeps your default. The header flips to “Custom” with a one-tap Undo, and Reset clears the site’s rules to send it back to your default. Two tabs on different sites run their own rules at the same time. To edit the shared default that uncustomized sites inherit, open the card on a non-AI page or pick Edit default rules from the ··· menu. You can also turn Redactopia off for a single site from that menu without disabling it everywhere.
Toolbar badge
When findings are present, the extension icon shows a count badge. Amber means at least one HIGH-severity finding; blue means STANDARD only. The badge clears when you dismiss the warning modal or leave the page.
Usage stats
The gear icon at the bottom of the side panel opens the Settings popover. The Your usage section shows total scans run, total findings caught, and when you first started. All local — nothing is sent anywhere.
Detect the things we don't ship with.
The built-ins cover the common cases. For everything else (your company's internal ticket IDs, a partner's API token format, a naming convention only your project uses), there are custom patterns.
Side panel → Custom patterns → Add. Each pattern needs a name, a JavaScript regex source, and a severity. Validation runs before save: the source has to compile, it can't exceed 200 characters, and the heuristic guards reject nested quantifiers ((a+)+, (.*)*) that could lock up the scanner on adversarial input.
Patterns persist locally and run after the built-ins. When a custom match overlaps a built-in, the higher-severity match wins. Same modal, same flow, everywhere the scanner runs.
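The three validation checks described above, plus a "test against sample text" preview, as an added example (not Redactopia's code). The nested-quantifier guard here is a small structural scanner of my own and is an assumption about the shape of such a guard, not the extension's heuristic; it flags a group that contains an unbounded quantifier and is itself quantified, which is the (a+)+ / (.*)* shape that backtracks exponentially.

```javascript
// Added example, not Redactopia's code. validatePattern applies the three
// checks the docs list (compiles, <= 200 chars, no nested quantifier); the
// guard is a deliberately small scanner and is an assumption about its shape.

const MAX_SOURCE = 200;

// True when src[i] starts any quantifier: * + ? or {m}, {m,}, {m,n}.
function quantifierAt(src, i) {
  if (i >= src.length) return false;
  if ('*+?'.includes(src[i])) return true;
  return /^\{\d+(?:,\d*)?\}/.test(src.slice(i));
}

// True only for quantifiers with no upper bound: * + {m,}. An unbounded inner
// repetition is what turns "(x)+" into catastrophic backtracking; (\d{3})+ is fine.
function unboundedQuantifierAt(src, i) {
  if (i >= src.length) return false;
  if (src[i] === '*' || src[i] === '+') return true;
  return /^\{\d+,\}/.test(src.slice(i));
}

// Walk the source tracking group nesting; each open group remembers whether an
// unbounded quantifier appeared inside it. Escapes and character classes are
// skipped so "\(" and "[(+]" are not mistaken for groups or quantifiers.
function hasNestedQuantifier(src) {
  const stack = [];   // per open group: "saw an unbounded quantifier inside"
  let inClass = false;
  for (let i = 0; i < src.length; i++) {
    const c = src[i];
    if (c === '\\') { i++; continue; }               // skip the escaped character
    if (inClass) { if (c === ']') inClass = false; continue; }
    if (c === '[') { inClass = true; continue; }
    if (c === '(') {
      stack.push(false);
      if (src[i + 1] === '?') {                        // skip (?: (?= (?! (?<= (?<! (?<name>
        i += 2;
        while (i < src.length && !':=!>'.includes(src[i])) i++;
      }
      continue;
    }
    if (c === ')') {
      const inner = stack.pop() === true;
      if (inner && quantifierAt(src, i + 1)) return true;        // e.g. (a+)+ or (.*){2,}
      if (inner && stack.length) stack[stack.length - 1] = true;  // bubble up to the parent
      continue;
    }
    if (stack.length && unboundedQuantifierAt(src, i)) stack[stack.length - 1] = true;
  }
  return false;
}

// Returns null when the pattern is acceptable, otherwise the rejection reason.
function validatePattern(source) {
  if (source.length > MAX_SOURCE) return `source exceeds ${MAX_SOURCE} characters`;
  try {
    new RegExp(source);
  } catch (e) {
    return `does not compile: ${e.message}`;
  }
  if (hasNestedQuantifier(source)) {
    return 'nested quantifier (like (a+)+) could lock up the scanner on adversarial input';
  }
  return null;
}

// What a "Test against sample text" box does: every match of the source in a sample.
function previewMatches(source, sample) {
  if (validatePattern(source) !== null) return [];
  return Array.from(sample.matchAll(new RegExp(source, 'g')), m => m[0]);
}
```

Because the guard only looks at structure it will also refuse some patterns that are harmless in practice; the trade-off is that anything it accepts cannot have the exponential shape, and nothing else in the scanner has to reason about it.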
Starter library
Don't want to write regex from scratch? The Custom Patterns card has a Browse library button with a growing set of dev-audited starter patterns — customizable templates plus ready-to-use entries. GitHub, GitLab, Asana, Linear, and Trello URLs; AWS ARNs and S3 / CloudFront / ECR; Stripe object IDs; RFC1918 IPs; Kubernetes URIs; MAC addresses; observability URLs (Sentry, Datadog, PagerDuty, Splunk); masked credit cards; Bitcoin addresses; UK NI numbers; and more. One-click add — then rename, retune, or delete to taste.
Add any AI chat yourself.
The default list covers the popular AI chats. For everything else (Mistral, Pi, Leonardo, the internal LLM dashboard at your company, the new chat product that launched last week), use Custom AI sites.
Side panel → Custom AI sites → type a hostname → Add. If the Visual Redactor is on, the broad all-sites permission already covers the new site and no prompt appears. If it is off, your browser asks for that specific origin. Once added, a generic adapter loads on every visit. It finds the largest visible textarea or contenteditable element (preferring larger areas lower on the page, peeking one level into open Shadow DOM), attaches listeners, runs the same scanner, and traps the send button in the capture phase. If no input shows up within ~3 seconds, a 5-minute MutationObserver waits for late-mounting composers.
Three tiers of send-button resilience
Finding "the send button" on an arbitrary AI site is the hard part. Products name it differently, hide it in Shadow DOM, render it icon-only with no aria-label, or sit it next to dozens of other buttons in an app-shell layout. The fallback chain:
- User calibration (✦) — your personal pin. Click ✦ on the site's row, the page dims, and the next button you click becomes the calibrated send. Stored locally. Wins over everything else. Shift-click ✦ to clear.
- Bundled calibrations — a JSON registry that ships with the extension, covering a growing list of popular AI sites. When you add a site that's in the registry, the selector auto-applies with an Auto badge. No manual step.
- Heuristic fallback — if neither resolves, the adapter walks up from the composer input and treats any button inside the composer container as a send candidate. Clean on simple layouts. Over-traps on richer app-shells until you calibrate.
If a stored selector becomes stale (a site update changed the markup), the adapter falls back to the heuristic so detection keeps working. Redactopia also flags the stale calibration so you aren’t falsely confident: the on-page count pill gets louder and a ⚠ chip appears on that site’s row in the side panel. Click the ⚠ (or ✦) to re-pin the real send button.
Removing a site
The × on a site row revokes the per-origin permission, unregisters the content script, and removes the record. If you'd rather keep the permission and just pause scanning, use the mini-toggle on the row instead.
Redact anything, anywhere.
A floating dock that hides content on any page. Enable it once, grant one permission, and the dock is ready everywhere. Each redaction is persisted per-URL and comes back on reload, until you delete it.
The dock actions
- Element (ELEM)
- Click any element to redact it. A CSS blur filter applies inline; a transparent shell hosts the trash icon at the element's bounds for one-click removal. The picker distinguishes a click from a drag-select via mouse distance, so accidental selections don't commit.
- Text (TEXT)
- Drag-select text inside any element. The selection wraps in a hidden-visibility span (preserving layout space) and an absolute overlay sits over it with the original font and color, blurred. Short mouseups are treated as clicks or word-double-clicks and don't commit.
- Area (AREA)
- Drag a rectangle anywhere on the page. The dock hides for a moment, and a screenshot of what's behind gets cropped to your rect with soft padding so the blur halo bleeds outward instead of cutting off. If capture isn't possible (off-screen content, restricted pages), the picker falls back to backdrop-filter.
- Auto-redact (wand)
- One click scans every visible text node on the page through the same detector that guards your AI prompts, then redacts each match in place — up to 300 at once. The fast way to clear a whole screenshot before a screen-share. It's also available from the right-click menu as Redact detected items on this page.
- Review page
- Rather see what's exposed before anything changes? Review page scans the whole page and shows a grouped list of every sensitive value it finds — by category, high-severity first. Tick the ones you want and redact them in one go, or expand a group to choose individually. The scan and the list are free; redacting from here shares the auto-redact preview allowance, then is unlimited on Pro.
Right-click redaction
You don't always need the dock. Select text on any page, right-click, and choose Redact selection with Redactopia: with the Visual Redactor enabled it redacts the selection in place; otherwise it opens the side panel's Redactor with your text already scanned. A second item, Redact detected items on this page, runs the auto-redact wand across the whole page.
Element redaction is free. The text, area, and auto-redact tools each give you three free previews to try them; after that they're part of Pro. Detection and the pre-send warning are always free.
Dock controls
The − / + density buttons set the blur strength for the next redaction (range 3–50, default 18; large headings auto-scale up). A click-through toggle decides whether overlays block clicks (the default, with the trash icon hidden until hover) or pass clicks through (trash always faintly visible). Clear all wipes every redaction on the current page. Close removes the dock — existing redactions stay.
Persistence
Each record is keyed by origin + pathname (no query string, no hash) and stored locally. On reload, the auto-restore script re-applies every redaction. Redactions re-find their target via a small fallback chain: stored selector → bounding-rect intersection → text-substring re-locate with surrounding context. For single-page apps, the restore script watches history.pushState, history.replaceState, and popstate; on route change it tears down the current page's blurs and re-renders the new route's stored ones.
How permissions work
Enabling the Visual Redactor requests one broad permission from your browser. The native prompt reads something like "Read and change all your data on all websites." That single grant is all it ever needs: the dock opens on any page you visit without further prompts or site-by-site requests.
Custom AI sites you add while the Visual Redactor is on are also covered by that same broad permission. Redactopia requests the site-specific permission behind the scenes, but Chrome sees the broader grant already covers it and silently accepts with no second prompt shown to you. If you add a Custom AI site while the Visual Redactor is off, your browser will ask for that specific site's permission instead, one at a time.
Disabling the Visual Redactor revokes that broad permission, unless you still have Custom AI sites active: in that case the permission stays so their chat protection keeps working, and it is fully revoked only once all Custom AI sites are removed as well.
About browser permission memory
Chromium (the engine Chrome and Edge share) remembers earlier consent across browser restarts. If you turn the Visual Redactor off and on again, the permission prompt may not reappear; your browser silently re-grants based on your earlier choice. This is a Chromium behavior, not something Redactopia controls. To force a fresh prompt or fully revoke, manage Redactopia from chrome://extensions or edge://extensions → Site access.
Tips worth knowing.
- Calibrate before you trust.
- First time adding a Custom AI site, calibrate the send button with ✦. The heuristic-only fallback over-traps on rich app-shell layouts (Search button, attach, model picker). One calibration fixes it permanently.
- Fill the composer before pinning.
- Some AI chats grey out their send button when the composer is empty — drop any short prompt in first, then ✦ → click send.
- Bind Alt + Shift + B once.
- Browsers don't auto-assign shortcuts added in extension updates. If the dock shortcut shows "Not set," visit chrome://extensions/shortcuts or edge://extensions/shortcuts and bind it. Fresh installs honor the suggested key unless another extension's already claimed it.
- Use Browse library before writing regex.
- The starter pattern library covers most common shapes. Pick one, then rename or tune to fit your project — usually faster than writing from scratch.
- Density 18 is the default.
- Bump to 25–30 for screenshots you'll share publicly. Drop to 8–12 for a subtle hint of blur that still suggests the content shape.
- Per-site toggle pauses one site at a time.
- The status bar at the top of the side panel has a per-site toggle when you're on a supported AI site. Flip it off and protection pauses for that site only. No need to disable globally if one chat is in the way.
- Esc is a fast Review.
- Same effect as clicking Review in the warning modal — closes the modal, leaves your prompt intact, returns focus to the composer.
- Sync your setup across devices.
- The gear menu has a Sync toggle (off by default). Turn it on and your custom patterns and AI site list mirror to your other devices through your browser's own encrypted sync — never our servers, and your prompts, findings, and page content never sync. Flip it on wherever you want the same setup. Site permissions don't travel, so you'll re-grant a synced custom site once on each new device.
When something doesn't work.
Common issues (modal not appearing, Redact not committing, keyboard shortcut "Not set") live on the Support page. The items below are tied to the surfaces this guide covers.
- My custom pattern won't save.
- The validator rejects for three reasons: syntax error, over 200 characters of source, or a nested-quantifier shape like (.+)+ that the structural guard blocks to prevent scanner lockup. Use the Test against sample text box right under the regex field to see what it matches before saving, or test in regex101 with the ECMAScript flavor.
- I added a Custom AI site but the warning modal never fires when I send.
- Two layers to check. Composer detection: type a known pattern like sk_live_TEST00000000000000000000 into the site's input; if a detection outline shows up, the adapter found the composer and the scanner is running. Send-button detection: click ✦ on the site's row, then click the actual send button when prompted. That pins the right element. If a site that used to work suddenly stops, look for a ⚠ chip on its row in the side panel; that means a saved calibration went stale, so click it to re-pin. If no outline appeared in step one, the input is probably behind closed Shadow DOM, and no current adapter can reach it.
- The modal fires when I click buttons that aren't send.
- The heuristic is over-trapping on that site's layout. Click ✦ on the site's row and pin the real send button. After that, the trap only fires on the calibrated element. Shift-click ✦ to clear if you want to revert.
- The side panel says Auto next to a custom site I never calibrated.
- That site is in the bundled JSON registry — the selector was applied automatically when you added it. You can still calibrate ✦ to override; user calibration always wins.
The other docs.
The Privacy Policy covers storage, network, and what's never collected. The Terms of Use covers the legal contract. The Support page has the common-question FAQ and the everyday troubleshooting list. If anything in this guide is wrong, missing, or unclear, write to support@redactopia.com.