Skip to content
BlurFirst

The Fastest Way to Hide API Keys in a Tutorial Video

6 min read

Blur API keys, tokens and .env values before you record a Loom or YouTube tutorial — auto-detect them in one click, or panic-blur mid-recording — so secrets never make it into the video.

The fastest way to keep API keys out of a tutorial video is to blur them in the page before you hit record. Click Scan to auto-detect and blur keys, tokens, JWTs and private keys in one pass, or element-blur a single value — and keep the panic shortcut ready. Because the blur is baked into the page as real pixels, the recording only ever captures the blurred version.

This matters because leaked keys in tutorials get scraped fast. Bots crawl public videos and repos for sk_live_…, AKIA… and GitHub tokens within minutes of publishing — and a single exposed key can mean a surprise bill or a breach. Blurring before you record is far cheaper than rotating after.

The fastest method, step by step

  1. 1

    Open the page with the keys

    Your AWS/Stripe/GCP console, a web IDE (CodeSandbox, Replit), GitHub, or a dashboard showing tokens.

  2. 2

    Click Scan to auto-blur keys

    Open BlurFirst and click Scan. It detects and blurs AWS, Stripe, Google, Slack and GitHub tokens, JWTs and PEM private keys automatically — entirely in your browser.

  3. 3

    Element-blur anything specific

    Click a single .env line, an Authorization header, or a config value to blur exactly that — no guessing whether the scan caught it.

  4. 4

    Keep panic ready, then record

    If a key appears unexpectedly mid-recording, press Ctrl/⌘ ⇧ H to blur the whole page instantly. Now start Loom, OBS or your recorder.

Where keys hide in a recording

  • Cloud dashboards — AWS, Stripe, GCP, Twilio: key lists, “reveal” buttons, webhook secrets.
  • Web IDEs and `.env` files — CodeSandbox, Replit, the GitHub file viewer, web terminals.
  • Network tab and request headersAuthorization: Bearer … is right there in DevTools.
  • Autocomplete and URL params — keys pasted into a field, or ?token=… in the address bar.
  • Git history and Actions secrets — a .env committed by mistake, or secret names in CI logs.

A pre-record checklist for developers

  1. Open the pages you’ll show and click Scan on each.
  2. Element-blur any .env lines, headers or tokens the scan can’t pattern-match.
  3. Close the Network tab, or blur it before opening DevTools on camera.
  4. Keep the panic shortcut in muscle memory.
  5. Record — and if a key ever flashed clear in a take, rotate it before publishing.

Frequently asked questions

Which key types does it detect automatically?

AWS access key IDs, Stripe keys, Google API keys, Slack and GitHub tokens, JWTs and PEM private keys, plus emails, phone numbers, cards and SSNs. Detection runs locally in your browser; nothing is uploaded.

Does it work with Loom, YouTube and OBS?

Yes. The blur is rendered into the web page as real pixels, so any recorder capturing the page — Loom, OBS, QuickTime, your conferencing tool — records the blurred version.

What about keys in a native terminal or desktop app?

A browser extension only covers content inside a browser tab — which includes web IDEs, web terminals and dashboards. For a native terminal or desktop app you’d need a desktop app (BlurFirst’s is in development).

If I blur a key, do I still need to rotate it?

If the key was only ever shown blurred, no. If it appeared unblurred in any frame — even a discarded take — rotate it. Blur prevents future exposure; it can’t reverse a recording that already captured the key.

Blur it before you share it.

Hide any field, region or message on a page before your next call. Nothing you blur leaves your browser.

Add to Chrome

Keep reading