diff --git a/dashboard/package-lock.json b/dashboard/package-lock.json
index 47d01eaeb..716ddfc4f 100644
--- a/dashboard/package-lock.json
+++ b/dashboard/package-lock.json
@@ -6,7 +6,7 @@
   "packages": {
     "": {
       "dependencies": {
-        "@cloudron/pankow": "^3.4.2",
+        "@cloudron/pankow": "^3.5.0",
         "@fontsource/inter": "^5.2.8",
         "@fortawesome/fontawesome-free": "^7.1.0",
         "@vitejs/plugin-vue": "^6.0.1",
@@ -76,9 +76,9 @@
       }
     },
     "node_modules/@cloudron/pankow": {
-      "version": "3.4.2",
-      "resolved": "https://registry.npmjs.org/@cloudron/pankow/-/pankow-3.4.2.tgz",
-      "integrity": "sha512-hEEm8b5jPZGc6TBo0rU20EsodZhE5Yljl/U9v+SJf+d6skt5i2wIDsmRYcAox61RrLOP/NkFLfWT31Yyxr2+PA==",
+      "version": "3.5.0",
+      "resolved": "https://registry.npmjs.org/@cloudron/pankow/-/pankow-3.5.0.tgz",
+      "integrity": "sha512-/CBSCMKP8m29WlzAls5ulHaUk19ZgOknwpdWxdzaACvcahn7VE/UUqnvOWMeYlGSuTa5G6toLbIad9DBFqtVkw==",
       "license": "ISC",
       "dependencies": {
         "@fontsource/inter": "^5.2.8",
@@ -2655,9 +2655,9 @@
       }
     },
     "@cloudron/pankow": {
-      "version": "3.4.2",
-      "resolved": "https://registry.npmjs.org/@cloudron/pankow/-/pankow-3.4.2.tgz",
-      "integrity": "sha512-hEEm8b5jPZGc6TBo0rU20EsodZhE5Yljl/U9v+SJf+d6skt5i2wIDsmRYcAox61RrLOP/NkFLfWT31Yyxr2+PA==",
+      "version": "3.5.0",
+      "resolved": "https://registry.npmjs.org/@cloudron/pankow/-/pankow-3.5.0.tgz",
+      "integrity": "sha512-/CBSCMKP8m29WlzAls5ulHaUk19ZgOknwpdWxdzaACvcahn7VE/UUqnvOWMeYlGSuTa5G6toLbIad9DBFqtVkw==",
       "requires": {
         "@fontsource/inter": "^5.2.8",
         "@fortawesome/fontawesome-free": "^7.1.0",
diff --git a/dashboard/package.json b/dashboard/package.json
index 258ec613c..fffc1a210 100644
--- a/dashboard/package.json
+++ b/dashboard/package.json
@@ -7,7 +7,7 @@
   },
   "type": "module",
   "dependencies": {
-    "@cloudron/pankow": "^3.4.2",
+    "@cloudron/pankow": "^3.5.0",
     "@fontsource/inter": "^5.2.8",
     "@fortawesome/fontawesome-free": "^7.1.0",
     "@vitejs/plugin-vue": "^6.0.1",
diff --git a/dashboard/src/components/DomainProviderForm.vue b/dashboard/src/components/DomainProviderForm.vue
index bc28b1835..c69fdc2ab 100644
--- a/dashboard/src/components/DomainProviderForm.vue
+++ b/dashboard/src/components/DomainProviderForm.vue
@@ -5,7 +5,7 @@ const i18n = useI18n();
 const t = i18n.t;
 
 import { ref } from 'vue';
-import { TextInput, InputGroup, Button, FormGroup, Checkbox, SingleSelect } from '@cloudron/pankow';
+import { TextInput, InputGroup, MaskedInput, Button, FormGroup, Checkbox, SingleSelect } from '@cloudron/pankow';
 import { ENDPOINTS_OVH } from '../constants.js';
 import DomainsModel from '../models/DomainsModel.js';
 
@@ -138,7 +138,7 @@ function onGcdnsFileInputChange(event) {
     </FormGroup>
     <FormGroup v-if="provider === 'route53'">
       <label for="secretAccessKeyInput">{{ $t('domains.domainDialog.route53SecretAccessKey') }}</label>
-      <TextInput id="secretAccessKeyInput" v-model="dnsConfig.secretAccessKey" required />
+      <MaskedInput id="secretAccessKeyInput" v-model="dnsConfig.secretAccessKey" required />
     </FormGroup>
 
     <!-- Google Cloud DNS -->
@@ -155,7 +155,7 @@ function onGcdnsFileInputChange(event) {
     <!-- DigitalOcean -->
     <FormGroup v-if="provider === 'digitalocean'">
       <label for="digitalOceanTokenInput">{{ $t('domains.domainDialog.digitalOceanToken') }}</label>
-      <TextInput id="digitalOceanTokenInput" v-model="dnsConfig.token" required />
+      <MaskedInput id="digitalOceanTokenInput" v-model="dnsConfig.token" required />
     </FormGroup>
 
     <!-- Gandi -->
@@ -165,7 +165,7 @@ function onGcdnsFileInputChange(event) {
     </FormGroup>
     <FormGroup v-if="provider === 'gandi'">
       <label for="gandiApiKeyInput">{{ $t('domains.domainDialog.gandiApiKey') }}</label>
-      <TextInput id="gandiApiKeyInput" v-model="dnsConfig.token" required />
+      <MaskedInput id="gandiApiKeyInput" v-model="dnsConfig.token" required />
     </FormGroup>
 
     <!-- GoDaddy -->
@@ -175,7 +175,7 @@ function onGcdnsFileInputChange(event) {
     </FormGroup>
     <FormGroup v-if="provider === 'godaddy'">
       <label for="godaddyApiSecretInput">{{ $t('domains.domainDialog.goDaddyApiSecret') }}</label>
-      <TextInput for="godaddyApiSecretInput" v-model="dnsConfig.apiSecret" required />
+      <MaskedInput for="godaddyApiSecretInput" v-model="dnsConfig.apiSecret" required />
     </FormGroup>
 
     <!-- Netcup -->
@@ -189,7 +189,7 @@ function onGcdnsFileInputChange(event) {
     </FormGroup>
     <FormGroup v-if="provider === 'netcup'">
       <label for="netcupApiPasswordInput">{{ $t('domains.domainDialog.netcupApiPassword') }}</label>
-      <TextInput id="netcupApiPasswordInput" v-model="dnsConfig.apiPassword" required />
+      <MaskedInput id="netcupApiPasswordInput" v-model="dnsConfig.apiPassword" required />
     </FormGroup>
 
     <!-- OVH -->
@@ -207,7 +207,7 @@ function onGcdnsFileInputChange(event) {
     </FormGroup>
     <FormGroup v-if="provider === 'ovh'">
       <label for="ovhAppSecretInput">{{ $t('domains.domainDialog.ovhAppSecret') }}</label>
-      <TextInput id="ovhAppSecretInput" v-model="dnsConfig.appSecret" required />
+      <MaskedInput id="ovhAppSecretInput" v-model="dnsConfig.appSecret" required />
     </FormGroup>
 
     <!-- Porkbun -->
@@ -217,7 +217,7 @@ function onGcdnsFileInputChange(event) {
     </FormGroup>
     <FormGroup v-if="provider === 'porkbun'">
       <label for="porkbunSecretapikeyInput">{{ $t('domains.domainDialog.porkbunSecretapikey') }}</label>
-      <TextInput id="porkbunSecretapikeyInput" v-model="dnsConfig.secretapikey" required />
+      <MaskedInput id="porkbunSecretapikeyInput" v-model="dnsConfig.secretapikey" required />
     </FormGroup>
 
     <!-- Cloudflare -->
@@ -228,7 +228,7 @@ function onGcdnsFileInputChange(event) {
     <FormGroup v-if="provider === 'cloudflare' && dnsConfig.tokenType === 'GlobalApiKey' || dnsConfig.tokenType === 'ApiToken'">
       <label for="cloudflareTokenInput" v-show="dnsConfig.tokenType === 'GlobalApiKey'">{{ $t('domains.domainDialog.cloudflareTokenTypeGlobalApiKey') }}</label>
       <label for="cloudflareTokenInput" v-show="dnsConfig.tokenType === 'ApiToken'">{{ $t('domains.domainDialog.cloudflareTokenTypeApiToken') }}</label>
-      <TextInput id="cloudflareTokenInput" v-model="dnsConfig.token" required />
+      <MaskedInput id="cloudflareTokenInput" v-model="dnsConfig.token" required />
     </FormGroup>
     <FormGroup v-if="provider === 'cloudflare' && dnsConfig.tokenType === 'GlobalApiKey'">
       <label for="cloudflareEmailInput">{{ $t('domains.domainDialog.cloudflareEmail') }}</label>
@@ -241,37 +241,37 @@ function onGcdnsFileInputChange(event) {
     <!-- Linode -->
     <FormGroup v-if="provider === 'linode'">
       <label for="linodeTokenInput">{{ $t('domains.domainDialog.linodeToken') }}</label>
-      <TextInput id="linodeTokenInput" v-model="dnsConfig.token" required />
+      <MaskedInput id="linodeTokenInput" v-model="dnsConfig.token" required />
     </FormGroup>
 
     <!-- Bunny -->
     <FormGroup v-if="provider === 'bunny'">
       <label for="bunnyAccessKeyInput">{{ $t('domains.domainDialog.bunnyAccessKey') }}</label>
-      <TextInput id="bunnyAccessKeyInput" v-model="dnsConfig.accessKey" required />
+      <MaskedInput id="bunnyAccessKeyInput" v-model="dnsConfig.accessKey" required />
     </FormGroup>
 
     <!-- dnsimple -->
     <FormGroup v-if="provider === 'dnsimple'">
       <label for="dnsimpleAccessTokenInput">{{ $t('domains.domainDialog.dnsimpleAccessToken') }}</label>
-      <TextInput id="dnsimpleAccessTokenInput" v-model="dnsConfig.accessToken" required />
+      <MaskedInput id="dnsimpleAccessTokenInput" v-model="dnsConfig.accessToken" required />
     </FormGroup>
 
     <!-- Hetzner -->
     <FormGroup v-if="provider === 'hetzner'">
       <label for="hetznerTokenInput">{{ $t('domains.domainDialog.hetznerToken') }}</label>
-      <TextInput id="hetznerTokenInput" v-model="dnsConfig.token" required />
+      <MaskedInput id="hetznerTokenInput" v-model="dnsConfig.token" required />
     </FormGroup>
 
     <!-- Vultr -->
     <FormGroup v-if="provider === 'vultr'">
       <label for="vultrTokenInput">{{ $t('domains.domainDialog.vultrToken') }}</label>
-      <TextInput id="vultrTokenInput" v-model="dnsConfig.token" required />
+      <MaskedInput id="vultrTokenInput" v-model="dnsConfig.token" required />
     </FormGroup>
 
     <!-- deSEC -->
     <FormGroup v-if="provider === 'desec'">
       <label for="deSecTokenInput">{{ $t('domains.domainDialog.deSecToken') }}</label>
-      <TextInput id="deSecTokenInput" v-model="dnsConfig.token" required />
+      <MaskedInput id="deSecTokenInput" v-model="dnsConfig.token" required />
     </FormGroup>
 
     <!-- Name.com -->
@@ -281,7 +281,7 @@ function onGcdnsFileInputChange(event) {
     </FormGroup>
     <FormGroup v-if="provider === 'namecom'">
       <label for="nameComTokenInput">{{ $t('domains.domainDialog.nameComApiToken') }}</label>
-      <TextInput id="nameComTokenInput" v-model="dnsConfig.token" required />
+      <MaskedInput id="nameComTokenInput" v-model="dnsConfig.token" required />
     </FormGroup>
 
     <!-- Namecheap -->
@@ -291,7 +291,7 @@ function onGcdnsFileInputChange(event) {
     </FormGroup>
     <FormGroup v-if="provider === 'namecheap'">
       <label for="namecheapApiKeyInput">{{ $t('domains.domainDialog.namecheapApiKey') }}</label>
-      <TextInput id="namecheapApiKeyInput" v-model="dnsConfig.token" required />
+      <MaskedInput id="namecheapApiKeyInput" v-model="dnsConfig.token" required />
       <div class="warning-label" v-if="provider === 'namecheap'" v-html="$t('domains.domainDialog.namecheapInfo')"></div>
     </FormGroup>
 
@@ -302,7 +302,7 @@ function onGcdnsFileInputChange(event) {
     </FormGroup>
     <FormGroup v-if="provider === 'inwx'">
       <label for="inwxPasswordInput">{{ $t('domains.domainDialog.inwxPassword') }}</label>
-      <TextInput id="inwxPasswordInput" v-model="dnsConfig.password" required />
+      <MaskedInput id="inwxPasswordInput" v-model="dnsConfig.password" required />
     </FormGroup>
 
     <FormGroup v-if="showAdvanced">
diff --git a/src/dns/bunny.js b/src/dns/bunny.js
index b10f948d0..9bf6d06c4 100644
--- a/src/dns/bunny.js
+++ b/src/dns/bunny.js
@@ -1,15 +1,5 @@
 'use strict';
 
-exports = module.exports = {
-    removePrivateFields,
-    injectPrivateFields,
-    upsert,
-    get,
-    del,
-    wait,
-    verifyDomainConfig
-};
-
 const assert = require('node:assert'),
     BoxError = require('../boxerror.js'),
     constants = require('../constants.js'),
@@ -36,12 +26,12 @@ function formatError(response) {
 }
 
 function removePrivateFields(domainObject) {
-    domainObject.config.accessKey = constants.SECRET_PLACEHOLDER;
+    delete domainObject.config.accessKey;
     return domainObject;
 }
 
 function injectPrivateFields(newConfig, currentConfig) {
-    if (newConfig.accessKey === constants.SECRET_PLACEHOLDER) newConfig.accessKey = currentConfig.accessKey;
+    if (!Object.hasOwn(newConfig, 'accessKey')) newConfig.accessKey = currentConfig.accessKey;
 }
 
 async function getZoneId(domainConfig, zoneName) {
@@ -255,3 +245,13 @@ async function verifyDomainConfig(domainObject) {
 
     return credentials;
 }
+
+exports = module.exports = {
+    removePrivateFields,
+    injectPrivateFields,
+    upsert,
+    get,
+    del,
+    wait,
+    verifyDomainConfig
+};
diff --git a/src/dns/cloudflare.js b/src/dns/cloudflare.js
index 0e784642c..7efde9ea9 100644
--- a/src/dns/cloudflare.js
+++ b/src/dns/cloudflare.js
@@ -1,15 +1,5 @@
 'use strict';
 
-exports = module.exports = {
-    removePrivateFields,
-    injectPrivateFields,
-    upsert,
-    get,
-    del,
-    wait,
-    verifyDomainConfig
-};
-
 const assert = require('node:assert'),
     BoxError = require('../boxerror.js'),
     constants = require('../constants.js'),
@@ -25,12 +15,12 @@ const assert = require('node:assert'),
 const CLOUDFLARE_ENDPOINT = 'https://api.cloudflare.com/client/v4';
 
 function removePrivateFields(domainObject) {
-    domainObject.config.token = constants.SECRET_PLACEHOLDER;
+    delete domainObject.config.token;
     return domainObject;
 }
 
 function injectPrivateFields(newConfig, currentConfig) {
-    if (newConfig.token === constants.SECRET_PLACEHOLDER) newConfig.token = currentConfig.token;
+    if (!Object.hasOwn(newConfig, 'token')) newConfig.token = currentConfig.token;
 }
 
 function translateResponseError(response) {
@@ -291,3 +281,13 @@ async function verifyDomainConfig(domainObject) {
 
     return sanitizedConfig;
 }
+
+exports = module.exports = {
+    removePrivateFields,
+    injectPrivateFields,
+    upsert,
+    get,
+    del,
+    wait,
+    verifyDomainConfig
+};
diff --git a/src/dns/desec.js b/src/dns/desec.js
index 076f18f3a..8ed26debc 100644
--- a/src/dns/desec.js
+++ b/src/dns/desec.js
@@ -1,15 +1,5 @@
 'use strict';
 
-exports = module.exports = {
-    removePrivateFields,
-    injectPrivateFields,
-    upsert,
-    get,
-    del,
-    wait,
-    verifyDomainConfig
-};
-
 const assert = require('node:assert'),
     constants = require('../constants.js'),
     BoxError = require('../boxerror.js'),
@@ -28,12 +18,12 @@ function formatError(response) {
 }
 
 function removePrivateFields(domainObject) {
-    domainObject.config.token = constants.SECRET_PLACEHOLDER;
+    delete domainObject.config.token;
     return domainObject;
 }
 
 function injectPrivateFields(newConfig, currentConfig) {
-    if (newConfig.token === constants.SECRET_PLACEHOLDER) newConfig.token = currentConfig.token;
+    if (!Object.hasOwn(newConfig, 'token')) newConfig.token = currentConfig.token;
 }
 
 async function get(domainObject, location, type) {
@@ -62,6 +52,29 @@ async function get(domainObject, location, type) {
     return response.body.records;
 }
 
+async function del(domainObject, location, type, values) {
+    assert.strictEqual(typeof domainObject, 'object');
+    assert.strictEqual(typeof location, 'string');
+    assert.strictEqual(typeof type, 'string');
+    assert(Array.isArray(values));
+
+    const domainConfig = domainObject.config,
+        zoneName = domainObject.zoneName,
+        name = dns.getName(domainObject, location, type) || '@';
+
+    await timers.setTimeout(1000); // https://desec.readthedocs.io/en/latest/rate-limits.html
+    const [error, response] = await safe(superagent.del(`${DESEC_ENDPOINT}/domains/${zoneName}/rrsets/${name}/${type}/`)
+        .set('Authorization', `Token ${domainConfig.token}`)
+        .timeout(30 * 1000)
+        .retry(5)
+        .ok(() => true));
+
+    if (error) throw new BoxError(BoxError.NETWORK_ERROR, error);
+    if (response.status === 404) return;
+    if (response.status === 403 || response.status === 401) throw new BoxError(BoxError.ACCESS_DENIED, formatError(response));
+    if (response.status !== 204) throw new BoxError(BoxError.EXTERNAL_ERROR, formatError(response));
+}
+
 async function upsert(domainObject, location, type, values) {
     assert.strictEqual(typeof domainObject, 'object');
     assert.strictEqual(typeof location, 'string');
@@ -94,29 +107,6 @@ async function upsert(domainObject, location, type, values) {
     if (response.status !== 201) throw new BoxError(BoxError.EXTERNAL_ERROR, formatError(response));
 }
 
-async function del(domainObject, location, type, values) {
-    assert.strictEqual(typeof domainObject, 'object');
-    assert.strictEqual(typeof location, 'string');
-    assert.strictEqual(typeof type, 'string');
-    assert(Array.isArray(values));
-
-    const domainConfig = domainObject.config,
-        zoneName = domainObject.zoneName,
-        name = dns.getName(domainObject, location, type) || '@';
-
-    await timers.setTimeout(1000); // https://desec.readthedocs.io/en/latest/rate-limits.html
-    const [error, response] = await safe(superagent.del(`${DESEC_ENDPOINT}/domains/${zoneName}/rrsets/${name}/${type}/`)
-        .set('Authorization', `Token ${domainConfig.token}`)
-        .timeout(30 * 1000)
-        .retry(5)
-        .ok(() => true));
-
-    if (error) throw new BoxError(BoxError.NETWORK_ERROR, error);
-    if (response.status === 404) return;
-    if (response.status === 403 || response.status === 401) throw new BoxError(BoxError.ACCESS_DENIED, formatError(response));
-    if (response.status !== 204) throw new BoxError(BoxError.EXTERNAL_ERROR, formatError(response));
-}
-
 async function wait(domainObject, subdomain, type, value, options) {
     assert.strictEqual(typeof domainObject, 'object');
     assert.strictEqual(typeof subdomain, 'string');
@@ -166,3 +156,13 @@ async function verifyDomainConfig(domainObject) {
 
     return credentials;
 }
+
+exports = module.exports = {
+    removePrivateFields,
+    injectPrivateFields,
+    upsert,
+    get,
+    del,
+    wait,
+    verifyDomainConfig
+};
diff --git a/src/dns/digitalocean.js b/src/dns/digitalocean.js
index 33bfca2e5..515ae2693 100644
--- a/src/dns/digitalocean.js
+++ b/src/dns/digitalocean.js
@@ -1,15 +1,5 @@
 'use strict';
 
-exports = module.exports = {
-    removePrivateFields,
-    injectPrivateFields,
-    upsert,
-    get,
-    del,
-    wait,
-    verifyDomainConfig
-};
-
 const assert = require('node:assert'),
     BoxError = require('../boxerror.js'),
     constants = require('../constants.js'),
@@ -27,12 +17,12 @@ function formatError(response) {
 }
 
 function removePrivateFields(domainObject) {
-    domainObject.config.token = constants.SECRET_PLACEHOLDER;
+    delete domainObject.config.token;
     return domainObject;
 }
 
 function injectPrivateFields(newConfig, currentConfig) {
-    if (newConfig.token === constants.SECRET_PLACEHOLDER) newConfig.token = currentConfig.token;
+    if (!Object.hasOwn(newConfig, 'token')) newConfig.token = currentConfig.token;
 }
 
 async function getZoneRecords(domainConfig, zoneName, name, type) {
@@ -252,3 +242,13 @@ async function verifyDomainConfig(domainObject) {
 
     return credentials;
 }
+
+exports = module.exports = {
+    removePrivateFields,
+    injectPrivateFields,
+    upsert,
+    get,
+    del,
+    wait,
+    verifyDomainConfig
+};
diff --git a/src/dns/dnsimple.js b/src/dns/dnsimple.js
index f7e7bd291..3b855d114 100644
--- a/src/dns/dnsimple.js
+++ b/src/dns/dnsimple.js
@@ -1,15 +1,5 @@
 'use strict';
 
-exports = module.exports = {
-    removePrivateFields,
-    injectPrivateFields,
-    upsert,
-    get,
-    del,
-    wait,
-    verifyDomainConfig
-};
-
 const assert = require('node:assert'),
     BoxError = require('../boxerror.js'),
     constants = require('../constants.js'),
@@ -27,12 +17,12 @@ function formatError(response) {
 }
 
 function removePrivateFields(domainObject) {
-    domainObject.config.accessToken = constants.SECRET_PLACEHOLDER;
+    delete domainObject.config.accessToken;
     return domainObject;
 }
 
 function injectPrivateFields(newConfig, currentConfig) {
-    if (newConfig.accessToken === constants.SECRET_PLACEHOLDER) newConfig.accessToken = currentConfig.accessToken;
+    if (!Object.hasOwn(newConfig, 'accessToken')) newConfig.accessToken = currentConfig.accessToken;
 }
 
 async function getAccountId(domainConfig) {
@@ -264,3 +254,13 @@ async function verifyDomainConfig(domainObject) {
 
     return credentials;
 }
+
+exports = module.exports = {
+    removePrivateFields,
+    injectPrivateFields,
+    upsert,
+    get,
+    del,
+    wait,
+    verifyDomainConfig
+};
diff --git a/src/dns/gandi.js b/src/dns/gandi.js
index 60e66de91..782895b76 100644
--- a/src/dns/gandi.js
+++ b/src/dns/gandi.js
@@ -1,15 +1,5 @@
 'use strict';
 
-exports = module.exports = {
-    removePrivateFields,
-    injectPrivateFields,
-    upsert,
-    get,
-    del,
-    wait,
-    verifyDomainConfig
-};
-
 const assert = require('node:assert'),
     BoxError = require('../boxerror.js'),
     constants = require('../constants.js'),
@@ -27,12 +17,12 @@ function formatError(response) {
 }
 
 function removePrivateFields(domainObject) {
-    domainObject.config.token = constants.SECRET_PLACEHOLDER;
+    delete domainObject.config.token;
     return domainObject;
 }
 
 function injectPrivateFields(newConfig, currentConfig) {
-    if (newConfig.token === constants.SECRET_PLACEHOLDER) newConfig.token = currentConfig.token;
+    if (!Object.hasOwn(newConfig, 'token')) newConfig.token = currentConfig.token;
 }
 
 function createRequest(method, url, domainConfig) {
@@ -171,3 +161,13 @@ async function verifyDomainConfig(domainObject) {
 
     return credentials;
 }
+
+exports = module.exports = {
+    removePrivateFields,
+    injectPrivateFields,
+    upsert,
+    get,
+    del,
+    wait,
+    verifyDomainConfig
+};
diff --git a/src/dns/gcdns.js b/src/dns/gcdns.js
index a0d241294..1fa20ff4b 100644
--- a/src/dns/gcdns.js
+++ b/src/dns/gcdns.js
@@ -1,17 +1,5 @@
 'use strict';
 
-const safe = require('safetydance');
-
-exports = module.exports = {
-    removePrivateFields,
-    injectPrivateFields,
-    upsert,
-    get,
-    del,
-    wait,
-    verifyDomainConfig
-};
-
 const assert = require('node:assert'),
     BoxError = require('../boxerror.js'),
     constants = require('../constants.js'),
@@ -19,16 +7,17 @@ const assert = require('node:assert'),
     dig = require('../dig.js'),
     dns = require('../dns.js'),
     GCDNS = require('@google-cloud/dns').DNS,
+    safe = require('safetydance'),
     waitForDns = require('./waitfordns.js'),
     _ = require('../underscore.js');
 
 function removePrivateFields(domainObject) {
-    domainObject.config.credentials.private_key = constants.SECRET_PLACEHOLDER;
+    delete domainObject.config.credentials.private_key;
     return domainObject;
 }
 
 function injectPrivateFields(newConfig, currentConfig) {
-    if (newConfig.credentials.private_key === constants.SECRET_PLACEHOLDER && currentConfig.credentials) newConfig.credentials.private_key = currentConfig.credentials.private_key;
+    if (!Object.hasOwn(newConfig.credentials, 'private_key') && currentConfig.credentials) newConfig.credentials.private_key = currentConfig.credentials.private_key;
 }
 
 function getDnsCredentials(domainConfig) {
@@ -193,3 +182,13 @@ async function verifyDomainConfig(domainObject) {
 
     return credentials;
 }
+
+exports = module.exports = {
+    removePrivateFields,
+    injectPrivateFields,
+    upsert,
+    get,
+    del,
+    wait,
+    verifyDomainConfig
+};
diff --git a/src/dns/godaddy.js b/src/dns/godaddy.js
index c68d81582..fc7516761 100644
--- a/src/dns/godaddy.js
+++ b/src/dns/godaddy.js
@@ -1,15 +1,5 @@
 'use strict';
 
-exports = module.exports = {
-    removePrivateFields,
-    injectPrivateFields,
-    upsert,
-    get,
-    del,
-    wait,
-    verifyDomainConfig
-};
-
 const assert = require('node:assert'),
     BoxError = require('../boxerror.js'),
     constants = require('../constants.js'),
@@ -28,12 +18,12 @@ function formatError(response) {
 }
 
 function removePrivateFields(domainObject) {
-    domainObject.config.apiSecret = constants.SECRET_PLACEHOLDER;
+    delete domainObject.config.apiSecret;
     return domainObject;
 }
 
 function injectPrivateFields(newConfig, currentConfig) {
-    if (newConfig.apiSecret === constants.SECRET_PLACEHOLDER) newConfig.apiSecret = currentConfig.apiSecret;
+    if (!Object.hasOwn(newConfig, 'apiSecret')) newConfig.apiSecret = currentConfig.apiSecret;
 }
 
 async function upsert(domainObject, location, type, values) {
@@ -192,3 +182,13 @@ async function verifyDomainConfig(domainObject) {
 
     return credentials;
 }
+
+exports = module.exports = {
+    removePrivateFields,
+    injectPrivateFields,
+    upsert,
+    get,
+    del,
+    wait,
+    verifyDomainConfig
+};
diff --git a/src/dns/hetzner.js b/src/dns/hetzner.js
index cd44edb2a..edf6e3ba3 100644
--- a/src/dns/hetzner.js
+++ b/src/dns/hetzner.js
@@ -1,15 +1,5 @@
 'use strict';
 
-exports = module.exports = {
-    removePrivateFields,
-    injectPrivateFields,
-    upsert,
-    get,
-    del,
-    wait,
-    verifyDomainConfig
-};
-
 const assert = require('node:assert'),
     BoxError = require('../boxerror.js'),
     constants = require('../constants.js'),
@@ -27,12 +17,12 @@ function formatError(response) {
 }
 
 function removePrivateFields(domainObject) {
-    domainObject.config.token = constants.SECRET_PLACEHOLDER;
+    delete domainObject.config.token;
     return domainObject;
 }
 
 function injectPrivateFields(newConfig, currentConfig) {
-    if (newConfig.token === constants.SECRET_PLACEHOLDER) newConfig.token = currentConfig.token;
+    if (!Object.hasOwn(newConfig, 'token')) newConfig.token = currentConfig.token;
 }
 
 async function getZone(domainConfig, zoneName) {
@@ -258,3 +248,13 @@ async function verifyDomainConfig(domainObject) {
 
     return credentials;
 }
+
+exports = module.exports = {
+    removePrivateFields,
+    injectPrivateFields,
+    upsert,
+    get,
+    del,
+    wait,
+    verifyDomainConfig
+};
diff --git a/src/dns/inwx.js b/src/dns/inwx.js
index 5c17f5101..09caf99a2 100644
--- a/src/dns/inwx.js
+++ b/src/dns/inwx.js
@@ -1,15 +1,5 @@
 'use strict';
 
-exports = module.exports = {
-    removePrivateFields,
-    injectPrivateFields,
-    upsert,
-    get,
-    del,
-    wait,
-    verifyDomainConfig
-};
-
 const { ApiClient, Language } = require('domrobot-client'),
     assert = require('node:assert'),
     BoxError = require('../boxerror.js'),
@@ -25,12 +15,12 @@ function formatError(response) {
 }
 
 function removePrivateFields(domainObject) {
-    domainObject.config.password = constants.SECRET_PLACEHOLDER;
+    delete domainObject.config.password;
     return domainObject;
 }
 
 function injectPrivateFields(newConfig, currentConfig) {
-    if (newConfig.password === constants.SECRET_PLACEHOLDER) newConfig.password = currentConfig.password;
+    if (!Object.hasOwn(newConfig, 'password')) newConfig.password = currentConfig.password;
 }
 
 // https://www.inwx.com/en/help/apidoc/f/ch04.html
@@ -217,3 +207,13 @@ async function verifyDomainConfig(domainObject) {
 
     return credentials;
 }
+
+exports = module.exports = {
+    removePrivateFields,
+    injectPrivateFields,
+    upsert,
+    get,
+    del,
+    wait,
+    verifyDomainConfig
+};
diff --git a/src/dns/linode.js b/src/dns/linode.js
index cb49d7679..87b501151 100644
--- a/src/dns/linode.js
+++ b/src/dns/linode.js
@@ -1,15 +1,5 @@
 'use strict';
 
-exports = module.exports = {
-    removePrivateFields,
-    injectPrivateFields,
-    upsert,
-    get,
-    del,
-    wait,
-    verifyDomainConfig
-};
-
 const assert = require('node:assert'),
     constants = require('../constants.js'),
     BoxError = require('../boxerror.js'),
@@ -27,12 +17,12 @@ function formatError(response) {
 }
 
 function removePrivateFields(domainObject) {
-    domainObject.config.token = constants.SECRET_PLACEHOLDER;
+    delete domainObject.config.token;
     return domainObject;
 }
 
 function injectPrivateFields(newConfig, currentConfig) {
-    if (newConfig.token === constants.SECRET_PLACEHOLDER) newConfig.token = currentConfig.token;
+    if (!Object.hasOwn(newConfig, 'token')) newConfig.token = currentConfig.token;
 }
 
 async function getZoneId(domainConfig, zoneName) {
@@ -267,3 +257,13 @@ async function verifyDomainConfig(domainObject) {
 
     return credentials;
 }
+
+exports = module.exports = {
+    removePrivateFields,
+    injectPrivateFields,
+    upsert,
+    get,
+    del,
+    wait,
+    verifyDomainConfig
+};
diff --git a/src/dns/namecheap.js b/src/dns/namecheap.js
index 1f3df2982..4c514de10 100644
--- a/src/dns/namecheap.js
+++ b/src/dns/namecheap.js
@@ -1,15 +1,5 @@
 'use strict';
 
-exports = module.exports = {
-    removePrivateFields,
-    injectPrivateFields,
-    upsert,
-    get,
-    del,
-    verifyDomainConfig,
-    wait
-};
-
 const assert = require('node:assert'),
     BoxError = require('../boxerror.js'),
     constants = require('../constants.js'),
@@ -27,12 +17,12 @@ const assert = require('node:assert'),
 const ENDPOINT = 'https://api.namecheap.com/xml.response';
 
 function removePrivateFields(domainObject) {
-    domainObject.config.token = constants.SECRET_PLACEHOLDER;
+    delete domainObject.config.token;
     return domainObject;
 }
 
 function injectPrivateFields(newConfig, currentConfig) {
-    if (newConfig.token === constants.SECRET_PLACEHOLDER) newConfig.token = currentConfig.token;
+    if (!Object.hasOwn(newConfig, 'token')) newConfig.token = currentConfig.token;
 }
 
 async function getQuery(domainConfig) {
@@ -284,3 +274,13 @@ async function verifyDomainConfig(domainObject) {
 
     return credentials;
 }
+
+exports = module.exports = {
+    removePrivateFields,
+    injectPrivateFields,
+    upsert,
+    get,
+    del,
+    verifyDomainConfig,
+    wait
+};
diff --git a/src/dns/namecom.js b/src/dns/namecom.js
index 17ee6cc3a..d60b50dd1 100644
--- a/src/dns/namecom.js
+++ b/src/dns/namecom.js
@@ -1,15 +1,5 @@
 'use strict';
 
-exports = module.exports = {
-    removePrivateFields,
-    injectPrivateFields,
-    upsert,
-    get,
-    del,
-    wait,
-    verifyDomainConfig
-};
-
 const assert = require('node:assert'),
     BoxError = require('../boxerror.js'),
     constants = require('../constants.js'),
@@ -27,12 +17,12 @@ function formatError(response) {
 }
 
 function removePrivateFields(domainObject) {
-    domainObject.config.token = constants.SECRET_PLACEHOLDER;
+    delete domainObject.config.token;
     return domainObject;
 }
 
 function injectPrivateFields(newConfig, currentConfig) {
-    if (newConfig.token === constants.SECRET_PLACEHOLDER) newConfig.token = currentConfig.token;
+    if (!Object.hasOwn(newConfig, 'token')) newConfig.token = currentConfig.token;
 }
 
 async function addRecord(domainConfig, zoneName, name, type, values) {
@@ -250,3 +240,13 @@ async function verifyDomainConfig(domainObject) {
 
     return credentials;
 }
+
+exports = module.exports = {
+    removePrivateFields,
+    injectPrivateFields,
+    upsert,
+    get,
+    del,
+    wait,
+    verifyDomainConfig
+};
diff --git a/src/dns/netcup.js b/src/dns/netcup.js
index 48fcf0df2..6f70db011 100644
--- a/src/dns/netcup.js
+++ b/src/dns/netcup.js
@@ -1,15 +1,5 @@
 'use strict';
 
-exports = module.exports = {
-    removePrivateFields,
-    injectPrivateFields,
-    upsert,
-    get,
-    del,
-    wait,
-    verifyDomainConfig
-};
-
 const assert = require('node:assert'),
     BoxError = require('../boxerror.js'),
     constants = require('../constants.js'),
@@ -28,12 +18,12 @@ function formatError(response) {
 }
 
 function removePrivateFields(domainObject) {
-    domainObject.config.token = constants.SECRET_PLACEHOLDER;
+    delete domainObject.config.apiPassword;
     return domainObject;
 }
 
 function injectPrivateFields(newConfig, currentConfig) {
-    if (newConfig.token === constants.SECRET_PLACEHOLDER) newConfig.token = currentConfig.token;
+    if (!Object.hasOwn(newConfig, 'apiPassword')) newConfig.apiPassword = currentConfig.apiPassword;
 }
 
 // returns a api session id
@@ -262,3 +252,13 @@ async function verifyDomainConfig(domainObject) {
 
     return credentials;
 }
+
+exports = module.exports = {
+    removePrivateFields,
+    injectPrivateFields,
+    upsert,
+    get,
+    del,
+    wait,
+    verifyDomainConfig
+};
diff --git a/src/dns/ovh.js b/src/dns/ovh.js
index 1ec374806..cd42a3975 100644
--- a/src/dns/ovh.js
+++ b/src/dns/ovh.js
@@ -1,15 +1,5 @@
 'use strict';
 
-exports = module.exports = {
-    removePrivateFields,
-    injectPrivateFields,
-    upsert,
-    get,
-    del,
-    wait,
-    verifyDomainConfig
-};
-
 const assert = require('node:assert'),
     BoxError = require('../boxerror.js'),
     constants = require('../constants.js'),
@@ -25,12 +15,12 @@ function formatError(error) {
 }
 
 function removePrivateFields(domainObject) {
-    domainObject.config.appSecret = constants.SECRET_PLACEHOLDER;
+    delete domainObject.config.appSecret;
     return domainObject;
 }
 
 function injectPrivateFields(newConfig, currentConfig) {
-    if (newConfig.appSecret === constants.SECRET_PLACEHOLDER) newConfig.appSecret = currentConfig.appSecret;
+    if (!Object.hasOwn(newConfig, 'appSecret')) newConfig.appSecret = currentConfig.appSecret;
 }
 
 function createClient(domainConfig) {
@@ -234,3 +224,13 @@ async function verifyDomainConfig(domainObject) {
 
     return credentials;
 }
+
+exports = module.exports = {
+    removePrivateFields,
+    injectPrivateFields,
+    upsert,
+    get,
+    del,
+    wait,
+    verifyDomainConfig
+};
diff --git a/src/dns/porkbun.js b/src/dns/porkbun.js
index 6ec3536b2..3a4ec75fb 100644
--- a/src/dns/porkbun.js
+++ b/src/dns/porkbun.js
@@ -1,15 +1,5 @@
 'use strict';
 
-exports = module.exports = {
-    removePrivateFields,
-    injectPrivateFields,
-    upsert,
-    get,
-    del,
-    wait,
-    verifyDomainConfig
-};
-
 const assert = require('node:assert'),
     BoxError = require('../boxerror.js'),
     constants = require('../constants.js'),
@@ -30,12 +20,12 @@ function formatError(response) {
 }
 
 function removePrivateFields(domainObject) {
-    domainObject.config.secretapikey = constants.SECRET_PLACEHOLDER;
+    delete domainObject.config.secretapikey;
     return domainObject;
 }
 
 function injectPrivateFields(newConfig, currentConfig) {
-    if (newConfig.secretapikey === constants.SECRET_PLACEHOLDER) newConfig.secretapikey = currentConfig.secretapikey;
+    if (!Object.hasOwn(newConfig, 'secretapikey')) newConfig.secretapikey = currentConfig.secretapikey;
 }
 
 async function createRequest(method, url, data) {
@@ -226,3 +216,13 @@ async function verifyDomainConfig(domainObject) {
 
     return credentials;
 }
+
+exports = module.exports = {
+    removePrivateFields,
+    injectPrivateFields,
+    upsert,
+    get,
+    del,
+    wait,
+    verifyDomainConfig
+};
diff --git a/src/dns/route53.js b/src/dns/route53.js
index e4483de66..be78da39b 100644
--- a/src/dns/route53.js
+++ b/src/dns/route53.js
@@ -1,15 +1,5 @@
 'use strict';
 
-exports = module.exports = {
-    removePrivateFields,
-    injectPrivateFields,
-    upsert,
-    get,
-    del,
-    wait,
-    verifyDomainConfig,
-};
-
 const assert = require('node:assert'),
     BoxError = require('../boxerror.js'),
     { ConfiguredRetryStrategy } = require('@smithy/util-retry'),
@@ -23,12 +13,12 @@ const assert = require('node:assert'),
     _ = require('../underscore.js');
 
 function removePrivateFields(domainObject) {
-    domainObject.config.secretAccessKey = constants.SECRET_PLACEHOLDER;
+    delete domainObject.config.secretAccessKey;
     return domainObject;
 }
 
 function injectPrivateFields(newConfig, currentConfig) {
-    if (newConfig.secretAccessKey === constants.SECRET_PLACEHOLDER) newConfig.secretAccessKey = currentConfig.secretAccessKey;
+    if (!Object.hasOwn(newConfig, 'secretAccessKey')) newConfig.secretAccessKey = currentConfig.secretAccessKey;
 }
 
 function createRoute53Client(domainConfig) {
@@ -270,3 +260,13 @@ async function verifyDomainConfig(domainObject) {
 
     return credentials;
 }
+
+exports = module.exports = {
+    removePrivateFields,
+    injectPrivateFields,
+    upsert,
+    get,
+    del,
+    wait,
+    verifyDomainConfig,
+};
diff --git a/src/dns/vultr.js b/src/dns/vultr.js
index 35d950ea0..b6a2beb3a 100644
--- a/src/dns/vultr.js
+++ b/src/dns/vultr.js
@@ -1,15 +1,5 @@
 'use strict';
 
-exports = module.exports = {
-    removePrivateFields,
-    injectPrivateFields,
-    upsert,
-    get,
-    del,
-    wait,
-    verifyDomainConfig
-};
-
 const assert = require('node:assert'),
     constants = require('../constants.js'),
     BoxError = require('../boxerror.js'),
@@ -27,12 +17,12 @@ function formatError(response) {
 }
 
 function removePrivateFields(domainObject) {
-    domainObject.config.token = constants.SECRET_PLACEHOLDER;
+    delete domainObject.config.token;
     return domainObject;
 }
 
 function injectPrivateFields(newConfig, currentConfig) {
-    if (newConfig.token === constants.SECRET_PLACEHOLDER) newConfig.token = currentConfig.token;
+    if (!Object.hasOwn(newConfig, 'token')) newConfig.token = currentConfig.token;
 }
 
 async function getZoneRecords(domainConfig, zoneName, name, type) {
@@ -237,3 +227,13 @@ async function verifyDomainConfig(domainObject) {
 
     return credentials;
 }
+
+exports = module.exports = {
+    removePrivateFields,
+    injectPrivateFields,
+    upsert,
+    get,
+    del,
+    wait,
+    verifyDomainConfig
+};