Yooo—real talk for a second.
If you’ve ever logged an API token “just for debugging” and immediately promised yourself you’d remove it later… this post is for you. Tokens are short, powerful, and absolutely not something you want hanging around in logs, UIs, or error traces.
mask-token is a tiny TypeScript utility built for one simple job: hide sensitive tokens without breaking developer ergonomics. It doesn’t try to guess what your token is or where it came from. It just masks it, predictably, safely, and with defaults that make sense.
Basic usage
maskToken('sk_live_1234567890abcdef')
// sk_live_***************cdef
You still recognize the token. Attackers don’t. Everyone wins.
The API stays intentionally flat and boring (again: a compliment). You control how much is visible at the start or end, what character is used for masking, and nothing more than that.
maskToken('ghp_abcdef1234567890', {
showFirst: 4,
showLast: 4,
})
// ghp_************7890
No config objects the size of a novel. No security theater. Just enough flexibility to cover logs, dashboards, and admin panels.
This example shows where mask-token goes a step further than simple string masking. By enabling includeMetadata, the function doesn’t just hide the sensitive parts of the token—it explains what it’s looking at. The result includes a safely masked value for logs or UI, plus structured metadata that identifies the token type (here, an NPM token), its prefix, and a confidence score indicating how likely this string is a real secret. On top of that, you get lightweight validation and risk signals without exposing the original value. It’s a very dev-friendly balance: your app stays privacy-safe, while you still get enough context to debug, audit, or alert intelligently—without ever printing the actual secret.
import { maskToken } from '@ekaone/mask-token';
const result = maskToken('npm_secret123', { includeMetadata: true }); console.log(result);
// {
// masked: 'npm_••••••••t123',
// metadata: {
// type: 'NPM Token',
// prefix: 'npm_',
// confidence: 1.0,
// isLikelyToken: true
// }, // validation: {
// valid: true,
// warnings: [],
// riskScore: 0
// },
// original: {
// length: 17,
// hasPrefix: true
// }
// }
JWT style
For JWT, this example gets even more interesting with structured secrets like JWTs. Instead of treating the token as one long opaque string, mask-token can switch modes and mask by segment. With mode: 'jwt', each part of the token (header, payload, signature) is partially revealed and safely obscured in a way that’s still recognizable to developers.
maskToken(jwt, { mode: 'jwt' });
// → 'eyJ•••.eyJ•••.doz•••'
Recognize 40+ token formats
One of the quietly powerful parts of mask-token is its built-in awareness of real-world secrets. It can automatically recognize 40+ token formats across version control, CI/CD, payments, cloud providers, and AI platforms—everything from npm_ and ghp_ to Stripe, AWS, Slack, and OpenAI keys. This means the library doesn’t just mask strings blindly; it understands what kind of secret it’s dealing with and reacts accordingly. For developers, that translates to smarter masking, better metadata, and fewer false positives—without maintaining a growing pile of regexes that everyone is afraid to touch.
NPM (npm_)
GitHub (ghp_, gho_, ghu_, ghs_, ghr_)
GitLab (glpat-, gldt-)
Docker Hub (dckr_pat_)
Payment & Commerce
Stripe (sk_test_, sk_live_, pk_test_, pk_live_)
Shopify (shpat_, shpca_, shpss_)
Communication
Slack (xoxb-, xoxp-, xoxa-, xoxr-)
Twilio (SK*, AC*)
SendGrid (SG.)
Cloud Providers
AWS (AKIA, ASIA)
Google Cloud (AIza)
DigitalOcean (dop_v1_)
AI/ML Services
OpenAI (sk-, sk-proj-)
Anthropic (sk-ant-)
Under the hood, mask-token is dependency-free and defensive by default. Short tokens stay readable, absurd option values won’t leak data, and edge cases won’t surprise you in production. Privacy-friendly by design, it helps you stay aligned with GDPR and general data-protection best practices—without pretending to be a full security framework.
Install it, no judgment here:
npm install @ekaone/mask-token
# or
yarn add @ekaone/mask-token
# or
pnpm add @ekaone/mask-token
The code lives here, fully open, zero drama:
👉 GitHub: https://github.com/ekaone/mask-token
Top comments (0)