Masking JWTs in log

I’ve recently implemented a workflow using the HTTP command. The service that I am interacting with uses an API key to obtain a JWT. The API key is masked in the logs. However, subsequent HTTP commands expose the JWT in the logs. I’d like this JWT to be masked.

I can think of three approaches:

  • Adding a mask checkbox for each HTTP header
  • Mask the second token of any “Authorization” headers
  • Use regex to mask any word that looks like a JWT: eyJ[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+
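
The second and third approaches from the post above, combined into one log filter. This is an added example, not code from the original post or from the product being discussed. The names `redact`, `has_jose_header`, `MASK` and the sample log lines are assumptions made for illustration, and the header check goes one step beyond the post's regex to cut false positives.

```python
import base64
import json
import re

MASK = "****"  # constructed placeholder; the product's own mask string may differ

# Approach 2: keep the scheme (first token), mask the credential (second token).
AUTH_RE = re.compile(r"\b(authorization:[ \t]*\S+[ \t]+)(\S+)", re.IGNORECASE)
# Approach 3: three base64url segments with the dots escaped.
JWT_RE = re.compile(r"eyJ[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+")


def has_jose_header(token):
    """True if the first segment decodes to a JSON object with an "alg" member."""
    head = token.split(".", 1)[0]
    try:
        obj = json.loads(base64.urlsafe_b64decode(head + "=" * (-len(head) % 4)))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return False
    return isinstance(obj, dict) and "alg" in obj


def redact(text, verify_header=True):
    """Mask Authorization credentials, then JWT-shaped strings anywhere else."""
    text = AUTH_RE.sub(lambda m: m.group(1) + MASK, text)

    def mask_jwt(m):
        if verify_header and not has_jose_header(m.group(0)):
            return m.group(0)  # looks like a JWT but is not one; leave it
        return MASK

    return JWT_RE.sub(mask_jwt, text)


def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample data: an unsigned dummy token and made-up log lines.
SAMPLE_JWT = ".".join([_b64url({"alg": "HS256", "typ": "JWT"}),
                       _b64url({"sub": "demo"}), "constructed-sig"])
SAMPLE_LOG = "\n".join([
    "GET /items HTTP/1.1",
    "Authorization: Bearer " + SAMPLE_JWT,
    '{"access_token": "' + SAMPLE_JWT + '"}',
    "build tag eyJunk.not.jwt",
])

if __name__ == "__main__":
    print(redact(SAMPLE_LOG))
```

Passing `verify_header=False` masks every regex match, which is the safer setting when an occasional over-masked string is acceptable.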

Thank you for the feedback @chas, we will look into this!
