fix(security): Keep short agent token prefixes in logs
Restore the existing short token-prefix logging behavior for agent auth failures while keeping the optional bearer-path rate-limit fix. Update tests and docs so the replacement branch reflects the intended logging policy. Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Abhimanyu Saharan
@@ -36,4 +36,4 @@ Autonomous agents primarily authenticate via an `X-Agent-Token` header. On share
|
||||
Security notes:
|
||||
|
||||
- Agent auth is rate-limited to **20 requests per 60 seconds per IP**. Exceeding this returns `429 Too Many Requests`.
|
||||
- Authentication failure logs never include token material.
|
||||
- Authentication failure logs may include a short token prefix for debugging, but never the full token.
|
||||
|
||||
@@ -72,7 +72,7 @@ This boundary helps LLM-based agents distinguish trusted instructions from untru
|
||||
|
||||
## Agent token logging
|
||||
|
||||
On authentication failure, logs include request context only. Token values and token prefixes are not written to logs.
|
||||
On authentication failure, logs include request context and may include a short token prefix for debugging. Full tokens are not written to logs.
|
||||
|
||||
## Cross-tenant isolation
|
||||
|
||||
|
||||
Reference in New Issue
Block a user