From f412896e9a86c52b10d4bc67469815243e31a94d Mon Sep 17 00:00:00 2001
From: Jesse Wright <63333554+jeswr@users.noreply.github.com>
Date: Thu, 11 Jun 2026 16:14:17 +0100
Subject: [PATCH] fix: stop logging the client registration (it contains
 client_secret)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

ClientCredentialsTokenProvider.upgrade() console.log'd the oauth.Client
object — including the client secret — into every consumer's console on
every token mint. Debug leftover; removed.
---
 src/ClientCredentialsTokenProvider.ts | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/ClientCredentialsTokenProvider.ts b/src/ClientCredentialsTokenProvider.ts
index b6af58f..2bc32b5 100644
--- a/src/ClientCredentialsTokenProvider.ts
+++ b/src/ClientCredentialsTokenProvider.ts
@@ -40,7 +40,6 @@ export class ClientCredentialsTokenProvider implements TokenProvider {
         const authorizationServer = await oauth.processDiscoveryResponse(issuer, discoveryResponse)
 
         const clientRegistration: oauth.Client = {client_id: this.clientId, client_secret: this.clientSecret}
-        console.log(clientRegistration)
 
         const dpopKey = await oauth.generateKeyPair("ES256", {extractable: false}) // TODO: Align with dpop_signing_alg_values_supported and fallback
         const dpop = oauth.DPoP({}, dpopKey)