From 81669e7e6f8344ee9a9344aec202a867e4498c85 Mon Sep 17 00:00:00 2001
From: vincerevu <118267358+vincerevu@users.noreply.github.com>
Date: Fri, 10 Apr 2026 19:49:46 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[CRITICAL]?=
 =?UTF-8?q?=20Prevent=20leaking=20Azure=20OpenAI=20API=20key=20in=20logs?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When `OPENAI_LOG` is configured, `HttpLoggingInterceptor` logs HTTP requests/responses. Previously, only the `Authorization` header was redacted. This commit also redacts the `api-key` header to ensure Azure API keys are not exposed in application logs.
---
 .../src/main/kotlin/com/openai/client/okhttp/OkHttpClient.kt | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/openai-java-client-okhttp/src/main/kotlin/com/openai/client/okhttp/OkHttpClient.kt b/openai-java-client-okhttp/src/main/kotlin/com/openai/client/okhttp/OkHttpClient.kt
index 51c32b0c..cd981f8f 100644
--- a/openai-java-client-okhttp/src/main/kotlin/com/openai/client/okhttp/OkHttpClient.kt
+++ b/openai-java-client-okhttp/src/main/kotlin/com/openai/client/okhttp/OkHttpClient.kt
@@ -95,7 +95,10 @@ internal constructor(@JvmSynthetic internal val okHttpClient: okhttp3.OkHttpClie
             }
         if (logLevel != null) {
             clientBuilder.addNetworkInterceptor(
-                HttpLoggingInterceptor().setLevel(logLevel).apply { redactHeader("Authorization") }
+                HttpLoggingInterceptor().setLevel(logLevel).apply {
+                    redactHeader("Authorization")
+                    redactHeader("api-key")
+                }
             )
         }