Please do not report security vulnerabilities through public GitHub issues.
Instead, email security concerns to the maintainers directly. You should receive a response within 48 hours.
This plugin handles OAuth tokens for Qwen API access. Security measures include:
- Storage: Tokens stored in `~/.config/opencode/qwen-auth-accounts.json` with 0600 permissions (owner read/write only)
- Refresh: Access tokens are short-lived; refresh tokens are used to obtain new access tokens
- No logging: Authorization headers and tokens are never logged, even in debug mode
- Local only: Tokens are never transmitted except to Qwen's official OAuth endpoints
- Never commit `qwen-auth-accounts.json` to version control
- Add to .gitignore: `**/qwen-auth-accounts.json`
- Secure your config directory: Ensure `~/.config/opencode/` has appropriate permissions
- Rotate accounts: If you suspect token compromise, re-authenticate with `/auth`
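
One way to verify the storage and best-practice items above, as an added example that is not part of the plugin. The function names `mode_bits` and `audit_token_store` are hypothetical, and treating any group/other access on the config directory as a finding is an assumption, since this page only says "appropriate permissions".

```shell
#!/bin/sh
# Added example: audit the token store described on this page.
# Usage: audit_token_store "$HOME/.config/opencode" /path/to/repo

# mode_bits PATH -> prints the nine permission characters, e.g. "rw-------"
mode_bits() {
    ls -ld "$1" | cut -c2-10
}

# audit_token_store CONFIG_DIR [REPO_DIR]
# Prints one FINDING line per problem; returns 0 if clean, 1 otherwise.
audit_token_store() {
    dir=$1
    repo=${2:-}
    file="$dir/qwen-auth-accounts.json"
    rc=0

    if [ -d "$dir" ]; then
        # Assumption: "appropriate" means no group/other access at all.
        case "$(mode_bits "$dir")" in
            ???------) ;;
            *) echo "FINDING: $dir is accessible to group/other"; rc=1 ;;
        esac
    fi

    if [ -f "$file" ]; then
        # The page states 0600: owner read/write only.
        case "$(mode_bits "$file")" in
            rw-------) ;;
            *) echo "FINDING: $file is not mode 0600"; rc=1 ;;
        esac
    fi

    if [ -n "$repo" ]; then
        # Looks for the exact ignore line given on this page.
        if ! grep -qxF '**/qwen-auth-accounts.json' "$repo/.gitignore" 2>/dev/null; then
            echo "FINDING: $repo/.gitignore lacks **/qwen-auth-accounts.json"; rc=1
        fi
    fi
    return $rc
}
```

A finding on the file or directory is cleared with `chmod 600` and `chmod 700` respectively; a different ignore pattern that also covers the file will still be reported, because the check matches the exact line only.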
| Version | Supported |
|---|---|
| 0.1.x | ✅ |
Security fixes will be released as patch versions and announced in the changelog.