The latest updates on your projects. Learn more about Vercel for GitHub.
| Project | Deployment | Actions | Updated (UTC) |
|---|---|---|---|
| dashboard | Preview, Comment | Jun 11, 2026 8:55am |
Live OIDC ID-token JWTs were being printed to Datadog under service:dashboard (51 hits / 24h). Root cause: the structured logger's url field logs the full proxied URL including the query string, and the OAuth authorize proxy's URL carries id_token_hint=<JWT>. formatLog() spread every field to the Datadog HTTP intake and stdout with no redaction. Six call sites log url: target (the auth / backend / token / register proxies).
This adds a log-boundary redactor in src/lib/datadog/logger.ts:
- redactSensitive() scrubs (a) sensitive query-param values (id_token_hint, id_token, access_token, refresh_token, token, code, client_secret, assertion, password, api_key, secret) -> name=***, while preserving non-secret params (client_id, redirect_uri, scope, state, response_type, code_challenge); and (b) bare JWTs -> eyJ.<redacted-jwt>.
- formatLog() to every string field before the payload ships, so all six url: sites and any future leak are covered at one chokepoint.

Mirrors the May-2026 incident remediation principle: redact at the log boundary so no call site can leak a secret value.
Out of scope (follow-ups): Vercel/platform request logs ([GET] /...?id_token_hint=) bypass the app logger and need a Datadog Sensitive Data Scanner rule; sentry.server.config.ts has sendDefaultPii: true with no beforeSend scrubber.
src/lib/datadog/logger.redact.test.ts (vitest, 8 cases): id_token_hint+JWT redaction, non-secret param preservation, no over-redaction of response_type=code / scope=...+refresh_token / code_challenge, code/client_secret/access_token/token redaction, bare-JWT-in-message, plain strings unchanged, idempotency, and empty/non-string safety.
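A sketch of the log-boundary redaction the PR description outlines, added here as an example and not the code in src/lib/datadog/logger.ts. The parameter list and replacement strings come from the description; the regexes, the `redactFields` helper and the sample record are assumptions.

```typescript
// Added illustration, not the project's implementation.
// Parameter names are taken from the PR description.
const SENSITIVE_PARAMS = [
  "id_token_hint", "id_token", "access_token", "refresh_token", "token", "code",
  "client_secret", "assertion", "password", "api_key", "secret",
];

// The name must directly follow "?" or "&" and be directly followed by "=".
// That keeps response_type=code, code_challenge=... and
// scope=...+refresh_token intact (assumed regex, not from the page).
const PARAM_RE = new RegExp(`([?&])(${SENSITIVE_PARAMS.join("|")})=[^&#\\s]*`, "gi");

// Three base64url segments starting with "eyJ" (a base64url-encoded "{").
// The replacement "eyJ.<redacted-jwt>" cannot match again, so a second
// pass over already-redacted text changes nothing.
const JWT_RE = /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*/g;

function redactSensitive(value: unknown): unknown {
  // Non-strings and empty strings pass through untouched.
  if (typeof value !== "string" || value.length === 0) return value;
  return value.replace(PARAM_RE, "$1$2=***").replace(JWT_RE, "eyJ.<redacted-jwt>");
}

// Hypothetical stand-in for the formatLog() step: scrub every string
// field of the payload before it is shipped anywhere.
function redactFields(fields: Record<string, unknown>): Record<string, unknown> {
  const out: Record<string, unknown> = {};
  for (const [key, value] of Object.entries(fields)) out[key] = redactSensitive(value);
  return out;
}

// Constructed sample: an unsigned demo token and a made-up authorize URL.
const SAMPLE_JWT = "eyJhbGciOiJub25lIn0.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJl";
const sample = {
  message: `proxy request with bearer ${SAMPLE_JWT}`,
  url: "https://idp.example/authorize?client_id=app&response_type=code" +
    `&scope=openid+refresh_token&code_challenge=abc123&id_token_hint=${SAMPLE_JWT}&state=xyz`,
  status: 302,
};

console.log(redactFields(sample));
```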
🔑 No new secrets detected
on GitHub: label o:CryogenicPlanet + assignee