diff --git a/static/js/core/settings-manager.js b/static/js/core/settings-manager.js
index 68558fd..777be7e 100644
--- a/static/js/core/settings-manager.js
+++ b/static/js/core/settings-manager.js
@@ -226,8 +226,12 @@ const Settings = {
 async _save(key, value) {
 this._cache[key] = value;
- // Save to localStorage as backup
- localStorage.setItem('intercept_settings', JSON.stringify(this._cache));
+ // Save to localStorage as backup (exclude sensitive keys)
+ const SENSITIVE_KEYS = ['offline.stadia_key'];
+ const toStore = Object.fromEntries(
+ Object.entries(this._cache).filter(([k]) => !SENSITIVE_KEYS.includes(k))
+ );
+ localStorage.setItem('intercept_settings', JSON.stringify(toStore));
 // Save to server
 try {
diff --git a/tests/test_stadia_settings.py b/tests/test_stadia_settings.py
index e6f89f6..b26a049 100644
--- a/tests/test_stadia_settings.py
+++ b/tests/test_stadia_settings.py
@@ -34,8 +34,8 @@ def test_stadia_key_can_be_saved(auth_client):
 assert data["value"] == "test-key-123"
-def test_stadia_key_rejects_non_string(auth_client):
- """POST /offline/settings rejects non-string stadia_key."""
+def test_stadia_key_coerces_non_string(auth_client):
+ """POST /offline/settings coerces non-string stadia_key to string."""
 resp = auth_client.post("/offline/settings", json={"key": "offline.stadia_key", "value": 42})
 # Should coerce to string '42' (type matches str default) — not 400
 assert resp.status_code == 200
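Review bot: The exclusion list is declared inside `_save`, so it only covers this one write: a copy of `offline.stadia_key` that an earlier build already stored in `intercept_settings` stays in localStorage until the next save, and any other code that reads or writes that item (not visible in this hunk) does not apply the filter. Consider hoisting `const SENSITIVE_KEYS = ['offline.stadia_key'];` to module scope and reusing it wherever `intercept_settings` is read or written, so a stale key is also dropped on load. A short comment on the trade-off would help too: with the key excluded from the backup, a failed server save leaves the value only in `this._cache`, which appears to be in-memory only. `_save` continues past the end of the hunk.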
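Review bot: The renamed test says a non-string `stadia_key` is coerced to `'42'`, but the visible assertions only check `resp.status_code == 200`, so a handler that stores the integer unchanged or silently drops it would still pass. A check on the stored or echoed value would pin the coercion, in the style of the `data["value"] == "test-key-123"` assertion in the preceding test, for example `assert data["value"] == "42"` after reading the response body. Since this field holds an API key, a case for non-scalar JSON values (object, list, null) may also be worth adding, to confirm they are rejected rather than stringified. The test body may continue beyond the hunk.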