Masking

Secret Masking¶

Automatic detection and masking of secret values.

Automatic Detection¶

Secrets are automatically detected for keys containing: - secret - key - token - password - pwd - credential - auth - api[_-]?key

Masking Behavior¶

Safe Representation¶

config = load_env()

# Safe for logging (secrets masked)
safe = config.safe_repr()
print(safe)
# {"API_KEY": "****1234", "PORT": 8080, "DB_PASSWORD": "****"}

Masking Format¶

Values ≤ 4 chars: Fully masked (****)
Values > 4 chars: Last 4 visible (****1234)

Full Access¶

# Full access (use with caution)
value = config["API_KEY"]  # Full value, not masked

Custom Secret Patterns¶

Mark as Secret¶

from env_loader_pro.utils import mark_as_secret

config = load_env(
    custom_secrets=[mark_as_secret("CUSTOM_SECRET")]
)

Custom Patterns¶

from env_loader_pro.utils import is_secret_key

# Check if key is secret
if is_secret_key("MY_API_KEY"):
    print("This is a secret")

Export Safety¶

JSON Export¶

config = load_env()

# Safe export (secrets masked)
config.save("config.json", format="json", safe=True)

YAML Export¶

# Safe export (secrets masked)
config.save("config.yaml", format="yaml", safe=True)

Logging Safety¶

Safe Logging¶

import logging

config = load_env()

# Safe for logging
logging.info(f"Config: {config.safe_repr()}")
# Secrets are masked

Unsafe Logging¶

# NEVER do this:
logging.info(f"API Key: {config['API_KEY']}")  # ❌ Exposes secret

Best Practices¶

Always use safe_repr() for logging
Never log secrets directly
Use custom patterns for project-specific secrets
Enable audit trail to track secret access
Review logs to ensure no secrets leaked

Masking

Secret Masking¶

Automatic Detection¶

Masking Behavior¶

Safe Representation¶

Masking Format¶

Full Access¶

Custom Secret Patterns¶

Mark as Secret¶

Custom Patterns¶

Export Safety¶

JSON Export¶

YAML Export¶

Logging Safety¶

Safe Logging¶

Unsafe Logging¶

Best Practices¶

Related Topics¶