diff --git a/NEXT_CHANGELOG.md b/NEXT_CHANGELOG.md
index a972de65e..4f6a9ea2f 100644
--- a/NEXT_CHANGELOG.md
+++ b/NEXT_CHANGELOG.md
@@ -7,6 +7,7 @@
 ### Updated
 
 ### Fixed
+- Fixed access token exposure in DEBUG logs.
 - Fixed `setCatalog()` and `setSchema()` producing invalid SQL (e.g. `SET CATALOG ``name``) when the catalog or schema name was passed already wrapped in backticks. Backticks are now stripped before wrapping, and `getCatalog()`/`getSchema()` return the bare identifier name.
 - Fixed metadata SQL generation for catalog, schema, and table identifiers containing backticks.
 - Fixed SEA result truncation when direct results are disabled. Large, highly-compressible results that span multiple chunks were delivered inline via the old hybrid path and truncated to the first chunk. The SQL Execution path now uses an async (`0s`) wait timeout when direct results are disabled, so results are returned via external links and fetched in full.
diff --git a/src/main/java/com/databricks/jdbc/api/impl/DatabricksSession.java b/src/main/java/com/databricks/jdbc/api/impl/DatabricksSession.java
index f2fb6eb07..5de9ba1cf 100644
--- a/src/main/java/com/databricks/jdbc/api/impl/DatabricksSession.java
+++ b/src/main/java/com/databricks/jdbc/api/impl/DatabricksSession.java
@@ -326,15 +326,15 @@ public String getConfigValue(String name) {
 
   @Override
   public void setClientInfoProperty(String name, String value) {
-    LOGGER.debug(
-        String.format(
-            "public void setClientInfoProperty(String name = {%s}, String value = {%s})",
-            name, value));
     if (name.equalsIgnoreCase(DatabricksJdbcUrlParams.AUTH_ACCESS_TOKEN.getParamName())) {
       // refresh the access token if provided a new value in client info
       this.databricksClient.resetAccessToken(value);
-      value = REDACTED_TOKEN; // mask access token
+      value = REDACTED_TOKEN; // mask access token before it is logged
     }
+    LOGGER.debug(
+        String.format(
+            "public void setClientInfoProperty(String name = {%s}, String value = {%s})",
+            name, value));
 
     // If application name is being set, update both telemetry and user agent
     if (name.equalsIgnoreCase(DatabricksJdbcUrlParams.APPLICATION_NAME.getParamName())) {