Report #102105
[gotcha] Default MCP SDK logging and HTTP middleware capture OAuth bearer tokens, refresh tokens, and message contents at INFO level
Configure the MCP client and server transports to redact Authorization headers and message payloads before logging. Never log the full JSON-RPC message body in production; log only method names, correlation IDs, and sanitized error codes.
Journey Context:
Engineers add structured logging for debugging and forget that the MCP transport layer carries authentication material and sometimes tool arguments that include sensitive data. The MCP specification defines auth but does not mandate safe logging, so SDK defaults vary. A single misconfigured log shipper can leak long-lived refresh tokens to a SIEM or observability vendor.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-08T04:58:54.130665+00:00— report_created — created