Spell-check for privacy
Product & engineering

API keys do not belong in an AI prompt

Engineers use AI coding tools all day. BeeSensible highlights API keys, tokens, and customer data in the text you write, before a prompt or message leaves the company.

  • Processing inside the EU
  • No content stored
  • Helps with GDPR

Who this is for

  • Engineers using AI coding tools against production systems
  • Product managers writing specs and tickets that carry customer data
  • Data teams using AI to analyse or describe sensitive datasets
  • Engineering leads, security, and CISOs overseeing AI use

20+

AI tools, email, and chat where the extension watches along

0 sec.

The text you type is processed and discarded at once

EU

Detection and storage stay inside the European Union

A stack trace, a log line, a snippet from production: exactly the text you paste into an AI tool to fix a bug faster. And exactly the text with an access token, a connection string, or a customer email in it. BeeSensible highlights that data while you type, so you can remove it before you send.

From the field

Three moments your policy never reaches.

In a bug report

Pasting a snippet to ask for help

An engineer is stuck on an error and pastes the whole code fragment into ChatGPT. That fragment holds a connection string with a password and an API key from the staging config. The answer is ready at once, but the key has now been processed by an outside tool and really needs to be rotated.

In a log or trace

A stack trace that carries too much

A developer asks AI to read a trace that breaks on an edge case. Between the lines sit an access token, a customer's email address, and an account number from the payload. The explanation is correct, but a real user's data has now left the company.

At the lead's standup

The question you cannot answer

After a report of a leaked key, the engineering lead wants to know which secrets and customer data ended up in which AI tools. A guideline on responsible AI use exists. Proof that developers got a warning at that very moment does not.

Guidance while people write

API keys, passwords, and tokens are marked before the prompt is sent.

Engineers can remove credentials before asking an AI tool or teammate for help.

Start with the 500 in the logs. Remove the API key, the password, and the token before you share this or paste it into a ticket.
This deploy keeps throwing a 500. The logs show API key sk-live-9f2a7c1b4d, the database password Pr0d!2024#core, and token ghp_8Xk2pQ7vR1m. What is going wrong?

Why this is hard

The risk sits in the moment someone types.

01

AI coding tools are always open

Engineers use Copilot, ChatGPT, and Claude to fix bugs, explain code, and write queries. Often with a snippet from production right next to them. Policy lags behind what happens every day.

02

A pasted key is an incident

An access token or connection string in a consumer AI tool means you have to rotate it and report it. Even when the developer acts in good faith, it is a breach.

03

Customer data leaks via debugging prompts

Logs, traces, and query results are full of names, email addresses, and account numbers of real users. In the rush of debugging, those go straight into a prompt.

04

Security cannot see it

AI tools in the browser leave no network trail that existing DLP tools can read. What developers paste into a prompt stays invisible until it causes a problem.

Across education

Recognisable wherever you work.

The same risk shows up in different files, from primary school to research.

Debugging

Snippets and error messages you paste into an AI tool, often with a key or password mixed in.

Code review

Diffs and pull requests you ask AI to summarise, config and credentials included.

Logs and traces

Stack traces and log lines full of access tokens and real users' data.

Incidents

Postmortems and reports where payloads with customer data get pasted in.

Data migrations

Sample rows and queries with names, email addresses, and account numbers.

How BeeSensible helps

A warning in the text field, before anything is sent.

Sensitive details get a highlight while staff write. They decide what to remove, replace, or mask.

Recognises secrets and customer data

Highlights API keys, JWT tokens, OAuth credentials, connection strings, and personal data such as names and email addresses while you type.

Works in the tools you already use

Runs in the browser, in AI tools, email, and chat. No IDE plugin, no proxy, no training up front.

You stay in control

You choose: remove, replace with a realistic alternative, or mask. The extension never changes your text on its own and never blocks sending.

Counts, not content

Security sees patterns by tool and category. What an individual developer writes is never stored and cannot be read.

For engineering leads, security, and CISOs

Show the control works, without looking over anyone's shoulder

BeeSensible gives you the evidence accountability asks for, while respecting the privacy of your own developers.

Total detections

12,438

Top apps

  • ChatGPT
  • Gmail
  • Gemini
  • Slack

Example dashboard. Counts and types only, never content.

Security officer

A control you can demonstrate

Show auditors and the wider organisation that developers get a warning at the moment of input, backed by counts of detections and handled prompts.

Engineering lead

No view into individuals

The dashboard shows no text and no individual people. Groups smaller than ten users are not shown. Insight into patterns, not surveillance of people.

CISO and IT

Nothing changes in your stack

No proxy and no new application. The extension runs in Chrome and Edge. Detection and storage stay inside the EU, and all traffic runs over TLS 1.3.

Honest answers

The questions we hear first.

If a tool cannot answer these, it does not belong on your browsers. Here is where BeeSensible stands.

Does BeeSensible watch everything developers type?

No. The extension analyses text in the input fields of supported tools to highlight sensitive data. That text travels to a BeeSensible server inside the EU, is processed in working memory, and is discarded at once. The content is never stored and cannot be read by anyone, not even an administrator.

Does it block AI tools or block sending?

No, BeeSensible blocks nothing. You see a highlight in the text and choose what to do: remove, replace, or mask. The developer stays in control, and security gets insight into patterns.

Does this make us GDPR compliant?

No tool makes you compliant on its own. BeeSensible helps with GDPR by covering the moment of input and supporting your accountability. Your organisation stays the controller, BeeSensible is the processor, and a processing agreement is signed.

Does detection work on Dutch data too?

Yes. The detection engine handles Dutch and English reliably and recognises both technical secrets and personal data, such as names, email addresses, and account numbers.

How much work is the rollout?

Limited. There is no proxy or new application to install and nothing changes in your network. The extension runs in the browser your team already uses and can be rolled out centrally through your management console.

Compliance

Built to support the checks you already have to show.

GDPR

Supports your accountability and covers the moment personal data is entered.

Secrets and credentials

Helps recognise API keys, tokens, and connection strings before they reach an AI tool or log.

Processing agreement

A processing agreement is signed with every customer. A product DPIA is available on request.

EU processing

Detection runs on the user's own machine, or on ISO 27001 certified EU infrastructure (API in the Netherlands, detection in Germany).

Give developers a signal at the moment that counts

BeeSensible works in the tools your team already uses. No rollout project, and you see your first detections in minutes.