
How to hide API keys & secrets while streaming on OBS

If you code on stream, one careless moment — a cat .env, an alt-tab to a dashboard, a paste into the wrong window — can put an API key, password, or token in front of everyone watching. And unlike a typo, it's permanent: someone clips it, and that key is compromised the second it airs. A leaked stream key lets a stranger broadcast as you; a leaked cloud key can run up real money.

Here's how to actually protect yourself — the manual playbook every streamer should run, where it falls short, and how to automate the part you can't catch by hand.

What actually leaks (and where)

It's rarely the browser. The dangerous spots are the ones you stop thinking about:

The manual playbook (do these regardless)

  1. Keep secrets out of sight. Use environment variables and a git-ignored .env; reference secrets, never echo or cat them on stream.
  2. Capture a window, not your whole display. In OBS, use Window Capture for just your editor or terminal, so a stray dashboard or notification never enters the scene.
  3. Silence notifications. Turn on Do Not Disturb / Focus so 2FA codes and DMs don't pop on screen.
  4. Add a stream delay. A short delay in OBS or your encoder buys a few seconds to react if something slips.
  5. Have a panic scene. Bind a hotkey to a "BRB"/blur scene you can hit the instant you see something.
  6. Manual blur filters. OBS can blur a fixed region — handy for a known static spot, useless for a key that appears somewhere you didn't expect.
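
For step 1, a way to check on stream which variables a .env defines without a value ever reaching the terminal. This is an added example, not part of the original guide or of Censr; the function name envmask and its output format are assumptions.

```shell
# Added example: list the variables in a .env file with every value masked,
# as a stream-safe replacement for `cat .env`. Names here are assumptions.
envmask() {
    file="${1:-.env}"
    [ -r "$file" ] || { echo "envmask: cannot read $file" >&2; return 1; }
    # Default IFS makes `read` trim leading/trailing whitespace for us.
    while read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;                  # blank line or comment
            'export '*) line="${line#export }" ;; # allow "export KEY=value"
        esac
        case "$line" in
            *=*) key="${line%%=*}" ;;
            *)   key="" ;;
        esac
        # Only echo the key if it is a plain identifier; anything else might
        # be secret text on a malformed line, so it is never printed.
        case "$key" in
            ''|[0-9]*|*[!A-Za-z0-9_]*)
                echo "<unparsed line hidden>"; continue ;;
        esac
        val="${line#*=}"
        # Drop one pair of surrounding quotes so the length matches the value.
        case "$val" in
            \"*\") val="${val#\"}"; val="${val%\"}" ;;
            \'*\') val="${val#\'}"; val="${val%\'}" ;;
        esac
        if [ -n "$val" ]; then
            echo "$key=<set, ${#val} chars>"
        else
            echo "$key=<empty>"
        fi
    done < "$file"
}
```

The length is shown so a truncated or missing key is still noticeable; remove it from the echo line if you would rather not reveal even that.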

Why the manual approach isn't enough

Every method above depends on you noticing in time. But the leaks that hurt are the ones you don't see coming: a key that scrolls past, a value you forgot was on screen, a notification at the worst possible moment. A fixed blur box can't cover a secret that shows up somewhere new, and human reaction time is slower than a single video frame. For something as costly as a leaked key, you want a safety net that doesn't rely on you catching it.

Automate the part you can't catch

This is exactly why I built Censr. It watches your screen on-device (nothing is ever uploaded), detects API keys, tokens, passwords, and PII the instant they appear — anywhere on screen, not just a browser — and blacks them out before the frame reaches your audience. It shows up as a virtual camera in OBS, Zoom, Meet & Discord, runs a short zero-leak buffer so a freshly-typed key is sealed before it airs, and includes a panic hotkey for everything else.

Honest about the one thing that matters: no detector catches 100% of everything. Censr is defense in depth — automatic detection + a safety buffer + a panic key + an always-blur list — layered on top of the habits above, not a replacement for them.

Stream your code. Not your secrets.

Try Censr free for 14 days — no card. It blacks out API keys and passwords on your screen before they hit your stream.
