JSON Sanitizer Paste
Automatically redacts sensitive fields from JSON, YAML, and XML when you paste into Cursor or VS Code — and can restore them later.
Usage
One shortcut for everything:
- Mac: Cmd+Shift+V
- Windows/Linux: Ctrl+Shift+V
The extension looks at what's in your clipboard and decides what to do automatically.
How it works
Paste original data (clipboard has real values)
Sensitive values are replaced with [REDACTED] and the originals are saved to a local vault, keyed by the structure of the data.
{ "allowFrom": ["[REDACTED]"], "auth": { "token": "[REDACTED]" }, "contact": "[REDACTED]" }

auth:
  token: [REDACTED]
  phone: [REDACTED]
contact: [REDACTED]

<auth>
  <token>[REDACTED]</token>
  <phone>[REDACTED]</phone>
  <contact>[REDACTED]</contact>
</auth>
Status bar: 🛡 Sensitive values redacted & saved to vault
Paste redacted data (clipboard has [REDACTED])
After sending redacted data to Claude and getting it back, paste the response: all original values are restored by matching the data's structure against the vault.
Status bar: 🔓 Original values restored from vault
No vault match
If [REDACTED] data doesn't match anything saved (unknown source or vault cleared), it pastes as-is without modification.
What gets redacted
By field / tag / attribute name (case-insensitive)
Works across JSON keys, YAML keys, XML tags, and XML attributes:
phone, phoneNumber, phone_number, token, accessToken, access_token, refreshToken, refresh_token, apiKey, api_key, email
By value pattern (any field name, including arrays and list items)
Phone numbers:
+4123577834776 — international with country code
+1-800-555-1234 — international with dashes
+44 7911 123456 — international with spaces
(555) 123-4567 — US local with parentheses
555-123-4567 — US local with dashes
Tokens / secrets / API keys:
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.SflKx... — JWT (three dot-separated base64 segments)
sk-abc123XYZ789longapikeystring00001 — API key (20+ alphanumeric chars)
a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4 — hex secret (16+ hex chars)
Bearer eyJhbGciOiJSUzI1NiJ9... — Bearer token
Email addresses:
user@example.com
firstname.lastname@company.org
What is NOT redacted
URLs, ISO dates, version strings (e.g. 2026.2.27), model names (e.g. anthropic/claude-sonnet-4-6), booleans, short numbers, colour codes, plain text strings.
| Format | Comment style | Behaviour |
|---|---|---|
| JSON | // line comment | Stripped before parsing |
| YAML | # inline or full-line comment | Stripped from output |
| XML | <!-- block comment --> | Stripped from output |

| Feature | JSON | YAML | XML |
|---|---|---|---|
| Redact by field name | ✅ | ✅ | ✅ |
| Redact by value pattern | ✅ | ✅ | ✅ |
| Arrays / list items | ✅ | ✅ | — |
| Attributes | — | — | ✅ |
| Comment stripping | ✅ | ✅ | ✅ |
| Round-trip rehydration | ✅ | ✅ | ✅ |
Format is detected automatically from clipboard content.
Vault storage
Original values are saved in two places (primary + fallback):
- VS Code Secret Storage (primary) — encrypted, never written to disk, works locally and over Remote SSH
- ~/.json-sanitizer-vault.json (fallback) — plain file in home directory, used if secret storage is unavailable. Over Remote SSH this resolves to the remote home directory.
Each vault entry is keyed by the sorted dot-paths of all redacted fields, so multiple different files can be saved and matched independently.
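The redact-and-restore round trip described above, sketched for JSON only as an added example (it is not the extension's source code). The function names, the `|` key separator, the reduced field list and the two value patterns are assumptions made for illustration.

```javascript
// Added illustration, not the extension's source. Names and patterns are assumptions.
const PLACEHOLDER = "[REDACTED]";
const FIELD_NAMES = new Set(["phone", "token", "apikey", "api_key", "email"]); // subset, lowercased
const VALUE_PATTERNS = [
  /^[^@\s]+@[^@\s]+\.[^@\s]+$/,   // email address
  /^eyJ[\w-]+\.[\w-]+\.[\w-]+$/,  // JWT: three dot-separated base64url segments
];

// Only string leaves are considered in this sketch.
function isSensitive(key, value) {
  return typeof value === "string" &&
    (FIELD_NAMES.has(key.toLowerCase()) || VALUE_PATTERNS.some((re) => re.test(value)));
}

// Depth-first walk reporting every leaf with its dot-path (array index = path segment).
function walk(node, visit, prefix = "") {
  for (const [key, value] of Object.entries(node)) {
    const dotPath = prefix ? `${prefix}.${key}` : key;
    if (value !== null && typeof value === "object") walk(value, visit, dotPath);
    else visit(node, key, value, dotPath);
  }
}

// Vault key: the sorted dot-paths of the redacted fields, independent of key order.
const vaultKey = (paths) => [...paths].sort().join("|");

function redact(doc, vault) {
  const copy = JSON.parse(JSON.stringify(doc)); // never mutate the caller's data
  const saved = {};
  walk(copy, (parent, key, value, dotPath) => {
    if (isSensitive(key, value)) { saved[dotPath] = value; parent[key] = PLACEHOLDER; }
  });
  if (Object.keys(saved).length) vault.set(vaultKey(Object.keys(saved)), saved);
  return copy;
}

function restore(doc, vault) {
  const copy = JSON.parse(JSON.stringify(doc));
  const slots = [];
  walk(copy, (parent, key, value, dotPath) => {
    if (value === PLACEHOLDER) slots.push({ parent, key, dotPath });
  });
  const saved = vault.get(vaultKey(slots.map((s) => s.dotPath)));
  if (!saved) return copy; // no vault match: leave the placeholders untouched
  for (const { parent, key, dotPath } of slots) parent[key] = saved[dotPath];
  return copy;
}

// Constructed sample input; the version string must survive redaction unchanged.
const sample = { allowFrom: ["ops@example.com"], auth: { token: "constructed-token" },
                 version: "2026.2.27", contact: "owner@example.com" };
```

In this sketch the key is derived from paths only, so two different documents with the same set of redacted paths share one vault entry and the later paste overwrites the earlier one.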
Customization
Settings → Extensions → JSON Sanitizer:
- jsonSanitizer.fieldsToRedact — add/remove field names to redact by name
- jsonSanitizer.redactValue — change the placeholder (default: [REDACTED])
Installation
- Download json-sanitizer-0.1.0.vsix
- Command Palette (Cmd+Shift+P) → Extensions: Install from VSIX...
- Select the file and restart Cursor / VS Code