canto-saas-api: OAuth credentials exposed in URL query string and exception messages