What it is
OAuth token leakage occurs when access or refresh tokens are unintentionally exposed through logs, URLs (a token in a query string ends up in browser history, proxy logs and Referer headers), client-side code, browser storage such as localStorage, or third-party integrations. Because OAuth access tokens are normally bearer tokens, whoever holds a leaked token can call APIs as the user without knowing the password and without triggering a second-factor prompt.
Why it matters
OAuth tokens often grant direct access to APIs, user data, or administrative actions. A leaked token lets an attacker skip the login flow entirely, so token exposure is as serious as credential compromise. A leaked refresh token is worse still: it can be exchanged for new access tokens until it is revoked or rotated.
How to reduce risk
- Keep tokens out of URLs and out of localStorage; send them in an Authorization header or request body, and prefer the authorization-code flow so tokens are returned in a back-channel response rather than in the redirect URL.
- Issue short-lived access tokens and rotate refresh tokens on every use, revoking the whole token family if a previously used refresh token is replayed.
- Redact Authorization headers and token-bearing query strings before they reach logs and monitoring systems, and restrict who can read those systems.
- Request only the scopes the client actually needs, so a leaked token is worth as little as possible.
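The following is an added example, not part of the original page: a small Python log scrubber that detects and redacts leaked tokens before log lines are stored. The sample log lines are constructed for the example, the token values are placeholders, and the regular expressions are heuristics (JWT-shaped strings, Bearer headers, and token-bearing query or key/value pairs) rather than an exhaustive catalogue of token formats. Note that the OAuth authorization code in the first line is deliberately not flagged: it is single-use and short-lived, unlike the access and refresh tokens the page is about.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample log lines (placeholder tokens, not from any real system).
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /callback?code=abc123&state=xyz HTTP/1.1" 302',
    '10.0.0.5 - - "GET /api/me?access_token=ya29.a0AfH6SMBexample HTTP/1.1" 200',
    'DEBUG outbound headers: {"Authorization": "Bearer '
    'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyMSJ9.sflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"}',
    'INFO refresh ok refresh_token=1//0gexampleRefreshTokenValue',
    'INFO healthcheck ok',
]

# Each pattern has two groups: group 1 is the prefix to keep (so the log stays
# readable), group 2 is the secret to redact. Order matters: the header and
# query-string rules run first so a JWT inside them is attributed to its
# transport, and the bare-JWT rule catches whatever is left.
TOKEN_PATTERNS: List[Tuple[str, re.Pattern]] = [
    # "Authorization: Bearer <token>" or any "Bearer <token>" text.
    ("bearer_header", re.compile(r"(?i)(bearer\s+)([A-Za-z0-9._~+/=-]{16,})")),
    # Tokens passed as URL query parameters (these land in proxy logs and history).
    ("url_query", re.compile(
        r"(?i)([?&](?:access_token|refresh_token|id_token|token)=)([^&\s\"]+)")),
    # key=value / key: value pairs in application logs (not preceded by ? or &,
    # which the url_query rule already covers).
    ("kv_pair", re.compile(
        r"(?i)(?<![?&])\b((?:access_token|refresh_token|id_token)\s*[=:]\s*\"?)"
        r"([A-Za-z0-9._~+/=-]{16,})")),
    # Bare JWT: three base64url segments, header starting with eyJ ("{" encoded).
    ("jwt", re.compile(
        r"()\b(eyJ[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,})\b")),
]


def find_token_leaks(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_index, kind) for every pattern that matches each line.

    Runs against the original text, so a Bearer header carrying a JWT is
    reported under both kinds; that is useful when triaging where leaks come from.
    """
    hits: List[Tuple[int, str]] = []
    for idx, line in enumerate(lines):
        for kind, pattern in TOKEN_PATTERNS:
            if pattern.search(line):
                hits.append((idx, kind))
    return hits


def redact(line: str) -> str:
    """Replace every detected token with [REDACTED], keeping the prefix."""
    for _, pattern in TOKEN_PATTERNS:
        line = pattern.sub(r"\g<1>[REDACTED]", line)
    return line


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count leaks per kind, e.g. to drive an alert on the log pipeline."""
    counts: Dict[str, int] = {}
    for _, kind in find_token_leaks(lines):
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for idx, kind in find_token_leaks(SAMPLE_LOG):
        print(f"line {idx}: {kind}")
    for line in SAMPLE_LOG:
        print(redact(line))
    print(summarize(SAMPLE_LOG))
```

In a real deployment this redaction belongs in the logging handler or log-shipper stage, before anything is written to disk or forwarded, and the detection counts are worth alerting on: a non-zero `url_query` count means some client or integration is still sending tokens in URLs.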