From a8faa6edd33e3969d725cce3063bc1574bc93e4d Mon Sep 17 00:00:00 2001
From: Sreekanth Vadigi <sreekanth.vadigi@databricks.com>
Date: Wed, 17 Jun 2026 14:31:24 +0000
Subject: [PATCH] Redact access token before logging in setClientInfoProperty

The token-rotation block now runs before the DEBUG log line, so the
access token is masked to **** before it is logged. resetAccessToken
still receives the real token.

Co-authored-by: Isaac
Signed-off-by: Sreekanth Vadigi <sreekanth.vadigi@databricks.com>
---
 NEXT_CHANGELOG.md                                      |  1 +
 .../databricks/jdbc/api/impl/DatabricksSession.java    | 10 +++++-----
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/NEXT_CHANGELOG.md b/NEXT_CHANGELOG.md
index a972de65e..4f6a9ea2f 100644
--- a/NEXT_CHANGELOG.md
+++ b/NEXT_CHANGELOG.md
@@ -7,6 +7,7 @@
 ### Updated
 
 ### Fixed
+- Fixed access token exposure in DEBUG logs.
 - Fixed `setCatalog()` and `setSchema()` producing invalid SQL (e.g. `SET CATALOG ``name``) when the catalog or schema name was passed already wrapped in backticks. Backticks are now stripped before wrapping, and `getCatalog()`/`getSchema()` return the bare identifier name.
 - Fixed metadata SQL generation for catalog, schema, and table identifiers containing backticks.
 - Fixed SEA result truncation when direct results are disabled. Large, highly-compressible results that span multiple chunks were delivered inline via the old hybrid path and truncated to the first chunk. The SQL Execution path now uses an async (`0s`) wait timeout when direct results are disabled, so results are returned via external links and fetched in full.
diff --git a/src/main/java/com/databricks/jdbc/api/impl/DatabricksSession.java b/src/main/java/com/databricks/jdbc/api/impl/DatabricksSession.java
index f2fb6eb07..5de9ba1cf 100644
--- a/src/main/java/com/databricks/jdbc/api/impl/DatabricksSession.java
+++ b/src/main/java/com/databricks/jdbc/api/impl/DatabricksSession.java
@@ -326,15 +326,15 @@ public String getConfigValue(String name) {
 
   @Override
   public void setClientInfoProperty(String name, String value) {
-    LOGGER.debug(
-        String.format(
-            "public void setClientInfoProperty(String name = {%s}, String value = {%s})",
-            name, value));
     if (name.equalsIgnoreCase(DatabricksJdbcUrlParams.AUTH_ACCESS_TOKEN.getParamName())) {
       // refresh the access token if provided a new value in client info
       this.databricksClient.resetAccessToken(value);
-      value = REDACTED_TOKEN; // mask access token
+      value = REDACTED_TOKEN; // mask access token before it is logged
     }
+    LOGGER.debug(
+        String.format(
+            "public void setClientInfoProperty(String name = {%s}, String value = {%s})",
+            name, value));
 
     // If application name is being set, update both telemetry and user agent
     if (name.equalsIgnoreCase(DatabricksJdbcUrlParams.APPLICATION_NAME.getParamName())) {