
Conversation


@stdevi stdevi commented Oct 17, 2025

An access token may be long depending on the claims. This PR updates the displayed value to show the full token.

Motivation and Context

Currently, the access_token.substring(0, 25) is shown. However, when the token is longer, showing only a substring is insufficient, as a user needs to navigate to the token response and copy the access token from there.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally

@cliffhall cliffhall left a comment


LGTM! 👍

There is really no security reason to hide the entire token, which is visible further down in the OAuth debugger.

What's being fixed: [screenshot]

Where you can see the full value on the same page: [screenshot]

@cliffhall cliffhall enabled auto-merge October 21, 2025 16:50

jstjoe commented Oct 21, 2025

Sorry, but doesn't the user need to click the caret to view the details of the Access Tokens in the current UI you referenced, @cliffhall?
By making the full access token visible on the page without requiring user interaction to reveal it (which is what the current UI does IIUC) I think this is absolutely a security issue. If a user is sharing their screen - either live or on a recording - showing the full access token by default opens them up to unintended credential exposure. Hiding it behind a click action would fix it.


cliffhall commented Oct 21, 2025

By making the full access token visible on the page without requiring user interaction to reveal it (which is what the current UI does IIUC) I think this is absolutely a security issue. If a user is sharing their screen - either live or on a recording - showing the full access token by default opens them up to unintended credential exposure. Hiding it behind a click action would fix it.

Sounds reasonable. The user can still go view / copy the token by opening the disclosure widget.
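One way to implement the behaviour agreed on above (truncated by default, full value only after an explicit click, copy without rendering), as an added JavaScript example that is not part of the Inspector's code or this PR; the 25-character preview length and the TokenDisclosure/maskToken names are assumptions:

```javascript
// Added example (not the MCP Inspector's own code): keep the access token
// truncated by default and reveal the full value only after an explicit
// user action, so a shared or recorded screen does not expose the credential.
// Assumed: a 25-character preview, the prefix length the PR discussion mentions.
const PREVIEW_LENGTH = 25;

// Redacted display form: the first `previewLength` characters, an ellipsis,
// and a count of how many characters remain hidden. Tokens at or below the
// preview length are returned unchanged; non-strings render as empty.
function maskToken(token, previewLength = PREVIEW_LENGTH) {
  if (typeof token !== "string" || token.length === 0) return "";
  if (token.length <= previewLength) return token;
  const hidden = token.length - previewLength;
  return `${token.slice(0, previewLength)}… (${hidden} more characters hidden)`;
}

// View model for a token field: display() only returns the full value while
// `revealed` is true, which the UI flips from a disclosure (caret) click.
class TokenDisclosure {
  constructor(token, previewLength = PREVIEW_LENGTH) {
    this.token = token;
    this.previewLength = previewLength;
    this.revealed = false;
  }

  // Flip the disclosure state; returns the new state for the caller's UI.
  toggle() {
    this.revealed = !this.revealed;
    return this.revealed;
  }

  // What the page should render right now.
  display() {
    return this.revealed ? this.token : maskToken(this.token, this.previewLength);
  }

  // Hand the full value to a clipboard writer (navigator.clipboard.writeText in
  // a browser) without ever rendering it on screen; returns the writer's result.
  copyTo(writeText) {
    return writeText(this.token);
  }
}
```

A "Copy" button can call `copyTo(navigator.clipboard.writeText.bind(navigator.clipboard))`, so the user's copy use case is served while the token stays hidden.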

@cliffhall cliffhall closed this Oct 21, 2025
auto-merge was automatically disabled October 21, 2025 18:37

Pull request was closed
