Data masking in API test results

API test requests and responses may contain sensitive data, such as access tokens, refresh tokens, and authorization values used to access services. To avoid accidental exposure of these secrets, we have updated API test screens to mask sensitive information when a user views results for a particular step.

When you review results on the Test Output page and in the API Test Editor, the values of sensitive properties or headers are replaced with a ***** placeholder. This initial release covers the Auth, Headers, and JSON Body tabs.

Showing values

To view the masked values in a specific tab, click the Show icon in the upper-right corner.


Initial view with masked values

Hiding values

When sensitive values are revealed in that particular tab, the Show button changes to Hide. To mask values again, click on the Hide button.


View with revealed values

If you navigate away from a tab where values are revealed and return to it later, the sensitive values will be masked again when the tab is reopened.


Sensitive values that are being masked

  • authorization
  • proxy-authorization
  • access_token
  • refresh_token

Note that names are case-insensitive.
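
To apply the same rule to results you copy out of the UI (logs, tickets, CI artifacts), the sketch below masks the four names listed above, case-insensitively, in a header mapping and in a JSON body. It is an added example, not the product's own code; the function names, the sample data, and the choice to mask nested properties at any depth are assumptions.

```python
import json

# Names listed on this page; matching is case-insensitive.
SENSITIVE_NAMES = {"authorization", "proxy-authorization", "access_token", "refresh_token"}
MASK = "*****"


def is_sensitive(name):
    """True when a header or property name is on the sensitive list."""
    return isinstance(name, str) and name.lower() in SENSITIVE_NAMES


def mask_headers(headers):
    """Return a copy of a header mapping with sensitive values replaced."""
    return {k: (MASK if is_sensitive(k) else v) for k, v in headers.items()}


def mask_json(node):
    """Recursively mask sensitive properties in a parsed JSON document.

    Assumption: nested objects and arrays are walked to any depth, and the
    whole value of a sensitive property is replaced, even if it is an object.
    """
    if isinstance(node, dict):
        return {k: (MASK if is_sensitive(k) else mask_json(v)) for k, v in node.items()}
    if isinstance(node, list):
        return [mask_json(item) for item in node]
    return node


def mask_body(raw_body):
    """Mask a JSON body given as text; non-JSON bodies are returned unchanged."""
    try:
        parsed = json.loads(raw_body)
    except (TypeError, ValueError):
        return raw_body
    return json.dumps(mask_json(parsed))


# Constructed sample data (not real credentials).
SAMPLE_HEADERS = {"Authorization": "Bearer example-token", "Content-Type": "application/json"}
SAMPLE_BODY = '{"user": "alice", "tokens": [{"Access_Token": "abc", "REFRESH_TOKEN": "def", "expires_in": 3600}]}'

if __name__ == "__main__":
    print(mask_headers(SAMPLE_HEADERS))
    print(mask_body(SAMPLE_BODY))
```

This sketch passes non-JSON bodies through untouched, so a token carried in a form-encoded body or a URL query string is not masked by it and needs separate handling.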

For more information on reviewing API tests, check out our docs.