Problem
The provider admin APIs currently return provider credentials in plaintext.
Observed responses from provider endpoints include raw sensitive values such as:
api_keyaccess_tokenrefresh_token
This means upstream provider credentials are being returned as ordinary API response fields through the admin surface.
Observations
GET /api/v1/providers returns plaintext credential fieldsGET /api/v1/providers/:id returns plaintext credential fields- API-key-based providers return raw
api_key
- OAuth-based providers return raw
access_token and refresh_token
Why this is concerning
Provider credentials are highly sensitive and should not be exposed as ordinary admin API response data.
Returning these values directly increases the chance of accidental disclosure through:
- WebUI rendering
- browser developer tools / network inspection
- logs and debugging output
- config export/import flows
- any other consumer of the admin APIs
Question
Should provider admin APIs return raw credential values at all?
At minimum, this behavior appears to warrant a dedicated security review.
Problem
The provider admin APIs currently return provider credentials in plaintext.
Observed responses from provider endpoints include raw sensitive values such as:
api_keyaccess_tokenrefresh_tokenThis means upstream provider credentials are being returned as ordinary API response fields through the admin surface.
Observations
GET /api/v1/providersreturns plaintext credential fieldsGET /api/v1/providers/:idreturns plaintext credential fieldsapi_keyaccess_tokenandrefresh_tokenWhy this is concerning
Provider credentials are highly sensitive and should not be exposed as ordinary admin API response data.
Returning these values directly increases the chance of accidental disclosure through:
Question
Should provider admin APIs return raw credential values at all?
At minimum, this behavior appears to warrant a dedicated security review.