
How to manage secrets and sensitive data in Snyk API & Web

This guide explains how to use the secret management features in Snyk API & Web to protect sensitive information.

Written by Claudio Gamboa

Starting from March 6, 2026, the Secret Obfuscation feature is being deprecated and replaced by the new Credentials Manager. While your existing configurations will continue to function, the ability to toggle this legacy setting is being phased out. We recommend using the Credentials Manager for all new targets to ensure a more secure, centralized experience. Learn how to use the Credentials Manager.

Sensitive information includes data such as passwords, API keys, and other credentials. The platform uses a combination of two settings to give you granular control over this data:

  • Sensitive Fields: A per-field setting (for example on a password or an authentication token) that lets you mark that field as 'sensitive' so its value is masked wherever it is shown.

  • Global Secret Obfuscation: An account-wide setting that determines whether the values of 'sensitive' fields can ever be retrieved after they are saved.

Prerequisites

  • To enable or disable the global Secret Obfuscation setting, you must have the Account Owner role. Other users can view the setting but cannot change it.

Part 1: Configure global Secret Obfuscation

The global Secret Obfuscation setting acts as a master switch for how all sensitive data is handled across your account.

Understand the Obfuscation setting

  • When Obfuscation is disabled (Default): Fields you mark as 'sensitive' are masked (e.g., ********), but users with the correct permissions can click an icon to reveal the value. This balances security against convenience; note that anyone holding such a user's session or credentials can reveal the stored secrets too.

  • When Obfuscation is enabled: Fields you mark as 'sensitive' are permanently masked. The value cannot be viewed or retrieved by any user after it is saved, so keep the original in your own secrets store if you will need it again; to rotate a secret you simply enter the new value. This offers the highest level of security.

Steps

  1. From the side menu, navigate to Settings > Authentication.

  2. Locate the Secret Obfuscation section.

  3. Use the toggle to enable or disable the feature.

Important: Changes to this setting are recorded in the audit log. Fields that are already non-retrievable (like previously generated API keys) always remain hidden, regardless of this setting.

Part 2: Mark a field as sensitive

You can mark any supported field as 'sensitive' to ensure its value is always masked in the UI and the API.

  1. Navigate to a configuration page that contains a potentially sensitive field (see list below for examples).

  2. Next to the field where you enter a credential or secret, select the Mark as sensitive checkbox.

  3. Save your changes. The field value will now appear masked.

Note: Once a field is marked as sensitive, this setting cannot be reversed. To change a sensitive field back to non-sensitive, you must delete the field and create it again without the checkbox selected.

Potentially sensitive fields

You can find the Mark as sensitive checkbox on fields in the following locations:

  • Target Settings > Authentication: Login Form fields, Authentication Payloads, Static Headers/Cookies.

  • Target Settings > Scanner: Custom Headers and Cookies, API Parameter Custom Values, Postman Environment Values.

  • Target Settings > Extra Hosts: Custom Headers and Cookies.

Part 3: Use sensitive values in Login Sequences

Login Sequences require a special workflow to protect sensitive data. Instead of recording the secret directly in the sequence, you create a custom variable to represent it.

  1. When adding or editing a Login Sequence, go to the Custom fields section to configure custom fields.

  2. Create a new custom variable:

    • Field Name: Enter a descriptive name for your secret (e.g., password). This is automatically converted into a variable format like [CUSTOM_PASSWORD].

    • Field Value: Enter the actual secret value (e.g., P4s$w@rD).

  3. Select the Mark as sensitive checkbox for this variable.

  4. Manually edit your Login Sequence file, replacing the hard-coded secret value with your new variable name.

    • Change this: "value": "P4s$w@rD"

    • To this: "value": "[CUSTOM_PASSWORD]"

  5. Save the variable and the updated sequence. The sequence file now contains only the variable name; the secret itself is stored as a sensitive custom field and substituted when the sequence runs.
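Step 4 is a manual find-and-replace, and a recorded sequence can contain the secret in more than one place (a second form fill, or a token that was captured inside a recorded URL). The following script is an added example, not part of this article or of Snyk's tooling: it rewrites every occurrence of a secret value in a sequence file with its [CUSTOM_...] variable name and then checks that no plaintext copy remains before you upload. The sample sequence, its field names, and the rule used to derive the variable name from the field name (non-alphanumerics become underscores, then uppercase) are assumptions for illustration; the page only shows that a field named password becomes [CUSTOM_PASSWORD]. Whether the platform expands variables inside fields other than form values is not stated on the page, so treat any remaining hit outside a form value as something to remove by hand.

```python
from __future__ import annotations

import json
import re

# Constructed sample of a recorded login sequence (assumed shape: a list of steps,
# each with optional "value" or "url" strings). The real file has more fields.
SAMPLE_SEQUENCE = {
    "steps": [
        {"action": "fill", "selector": "#username", "value": "alice"},
        {"action": "fill", "selector": "#password", "value": "P4s$w@rD"},
        {"action": "click", "selector": "button[type=submit]"},
        # The recorder captured a redirect that carried the secret in the query string.
        {"action": "navigate", "url": "https://app.example.test/home?token=P4s$w@rD"},
    ]
}


def variable_name(field_name: str) -> str:
    """Derive the variable placeholder from a custom field name.

    Mirrors the page's example (password -> [CUSTOM_PASSWORD]); the normalisation
    of other characters is an assumption, not Snyk's documented rule.
    """
    slug = re.sub(r"[^A-Za-z0-9]+", "_", field_name).strip("_").upper()
    return f"[CUSTOM_{slug}]"


def substitute_secrets(sequence: dict, secrets: dict[str, str]) -> tuple[dict, int]:
    """Return a copy of the sequence with every occurrence of each secret value
    replaced by its variable name, plus the number of occurrences replaced.

    Substring replacement is used deliberately so a secret embedded in a larger
    string (such as a URL) is also caught.
    """
    lookup = {value: variable_name(name) for name, value in secrets.items() if value}
    replaced = 0

    def walk(node):
        nonlocal replaced
        if isinstance(node, dict):
            return {k: walk(v) for k, v in node.items()}
        if isinstance(node, list):
            return [walk(v) for v in node]
        if isinstance(node, str):
            for value, var in lookup.items():
                if value in node:
                    replaced += node.count(value)
                    node = node.replace(value, var)
        return node

    return walk(sequence), replaced


def find_leaked_secrets(sequence: dict, secrets: dict[str, str]) -> list[str]:
    """Pre-upload check: JSON paths of every string that still contains a secret value."""
    leaks: list[str] = []

    def walk(node, path: str) -> None:
        if isinstance(node, dict):
            for k, v in node.items():
                walk(v, f"{path}.{k}")
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, f"{path}[{i}]")
        elif isinstance(node, str):
            if any(value and value in node for value in secrets.values()):
                leaks.append(path)

    walk(sequence, "$")
    return leaks


if __name__ == "__main__":
    secrets = {"password": "P4s$w@rD"}  # the custom field name and its value
    print("leaks before:", find_leaked_secrets(SAMPLE_SEQUENCE, secrets))
    cleaned, n = substitute_secrets(SAMPLE_SEQUENCE, secrets)
    print(json.dumps(cleaned, indent=2))
    print(f"{n} occurrence(s) replaced; leaks after:", find_leaked_secrets(cleaned, secrets))
```

Run it against the exported sequence (load the JSON in place of SAMPLE_SEQUENCE) and refuse to upload while find_leaked_secrets returns anything. Keep the secrets dictionary out of version control; it is only needed on the machine doing the rewrite.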
