🛡️ Sentinel: [CRITICAL] Prevent leaking Azure OpenAI API key in logs

vincerevu · vincerevu · commit 81669e7e6f83 · 2026-04-10T19:49:46.000Z
When `OPENAI_LOG` is configured, `HttpLoggingInterceptor` logs HTTP requests/responses. Previously, only the `Authorization` header was redacted. This commit also redacts the `api-key` header to ensure Azure API keys are not exposed in application logs.
diff --git a/openai-java-client-okhttp/src/main/kotlin/com/openai/client/okhttp/OkHttpClient.kt b/openai-java-client-okhttp/src/main/kotlin/com/openai/client/okhttp/OkHttpClient.kt
@@ -95,7 +95,10 @@ internal constructor(@JvmSynthetic internal val okHttpClient: okhttp3.OkHttpClie
             }
         if (logLevel != null) {
             clientBuilder.addNetworkInterceptor(
-                HttpLoggingInterceptor().setLevel(logLevel).apply { redactHeader("Authorization") }
+                HttpLoggingInterceptor().setLevel(logLevel).apply {
+                    redactHeader("Authorization")
+                    redactHeader("api-key")
+                }
             )
         }
 

Original file line number	Diff line number	Diff line change
`@@ -95,7 +95,10 @@ internal constructor(@JvmSynthetic internal val okHttpClient: okhttp3.OkHttpClie`
`95`	`95`	`}`
`96`	`96`	`if (logLevel != null) {`
`97`	`97`	`clientBuilder.addNetworkInterceptor(`
`98`		`- HttpLoggingInterceptor().setLevel(logLevel).apply { redactHeader("Authorization") }`
	`98`	`+ HttpLoggingInterceptor().setLevel(logLevel).apply {`
	`99`	`+ redactHeader("Authorization")`
	`100`	`+ redactHeader("api-key")`
	`101`	`+ }`
`99`	`102`	`)`
`100`	`103`	`}`
`101`	`104`