Security Advisory: AgentOS API Key Moved to Authorization Header
Version: 1.0.164
Severity: High
Component: AgentOS API Client (src/lib/agentos/client.ts)
Summary
In v1.0.164 we resolved a security vulnerability in which the AgentOS API key was transmitted as a URL query parameter. The key is now passed exclusively via an HTTP Authorization header, preventing it from appearing in any server or proxy logs.
Background
The platform integrates with the AgentOS API to import landlord transaction records. Prior to this release, the AgentosClient constructed authenticated request URLs using an authUrl() helper that appended the key directly to the query string:
// Before (vulnerable)
https://api.agentos.com/endpoint?api_key=sk_live_xxxxxxxxxxxx
Query parameters are part of the URL and are routinely captured in:
- Origin server access logs — the full request URI, including query string, is logged by default in most web servers and cloud platforms.
- CDN and reverse-proxy logs — services such as Cloudflare, AWS CloudFront, and NGINX log the full URI.
- Referer headers — when a redirect is followed, browsers and HTTP clients may forward the originating URL (including query string) in the Referer header of the subsequent request.
This meant that the AgentOS API key could be silently written to log files on multiple infrastructure tiers, creating an unacceptable risk of credential leakage.
Compliance Impact
This vulnerability was relevant to two regulatory frameworks:
| Framework | Requirement |
|---|---|
| HMRC Making Tax Digital | Data submitted to or sourced for HMRC must be handled with appropriate security controls. Credential exposure in logs undermines the integrity of the data pipeline. |
| GDPR | Financial transaction data linked to landlord records constitutes personal data. Insecure API credentials increase the risk of unauthorised access to that data. |
What Changed
The AgentosClient in src/lib/agentos/client.ts now authenticates all requests using an HTTP header rather than a URL query parameter:
// After (secure)
GET https://api.agentos.com/endpoint
Authorization: Bearer sk_live_xxxxxxxxxxxx
or, if the AgentOS API uses a custom key header:
GET https://api.agentos.com/endpoint
X-API-Key: sk_live_xxxxxxxxxxxx
HTTP request headers are not written to standard access logs and are not forwarded in Referer headers, eliminating the exposure vectors described above.
Action Required
End users and landlords
No action is required. The fix is applied automatically with the v1.0.164 deployment.
Self-hosted / custom integration operators
If you have built a direct integration with the AgentOS API using the AgentosClient or by mimicking its request pattern, update your code to:
- Remove api_key from all query strings.
- Add an Authorization: Bearer <api_key> header (or X-API-Key: <api_key> if specified by AgentOS) to every request.
- Rotate your AgentOS API key if it may have been captured in logs. Contact AgentOS support to issue a new key.
- Audit your log archives for any historical entries containing api_key= and redact or purge them in accordance with your data retention policy.
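The operator steps above, sketched in TypeScript as an added example (this is not the AgentosClient source or AgentOS code): one helper moves a key from a legacy query string into a header, and another flags and redacts api_key= values in log lines. The function names, the combined log format and the sample lines are assumptions made for illustration; the key shown is a placeholder.

```typescript
// Added example: not the AgentosClient source. All names and sample data are hypothetical.
interface HeaderAuthRequest {
  url: string;                     // request URL with api_key removed
  headers: Record<string, string>; // header that now carries the key
}

// Strip api_key from a legacy URL and move it into a request header.
// Use "X-API-Key" only if AgentOS specifies it; the default is a Bearer token.
function toHeaderAuth(
  legacyUrl: string,
  headerName: "Authorization" | "X-API-Key" = "Authorization",
): HeaderAuthRequest {
  const u = new URL(legacyUrl);
  const key = u.searchParams.get("api_key");
  if (!key) throw new Error("URL carries no api_key parameter");
  u.searchParams.delete("api_key"); // other query parameters are preserved
  const value = headerName === "Authorization" ? `Bearer ${key}` : key;
  return { url: u.toString(), headers: { [headerName]: value } };
}

// Matches api_key=<value> anywhere in a log line (request URI or Referer field).
const API_KEY_PARAM = /(api_key=)[^&\s"']+/gi;

function auditLogLine(line: string): { leaked: boolean; redacted: string } {
  const redacted = line.replace(API_KEY_PARAM, "$1[REDACTED]");
  return { leaked: redacted !== line, redacted };
}

// One result per line; any leaked line means the key should also be rotated.
function auditLog(lines: string[]): { leaked: boolean; redacted: string }[] {
  return lines.map(auditLogLine);
}

// Constructed access-log lines (combined log format assumed); the key is a placeholder.
const SAMPLE_LOG: string[] = [
  '203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "GET /endpoint?api_key=sk_live_EXAMPLE&page=2 HTTP/1.1" 200 512 "-" "client/1.0"',
  '203.0.113.7 - - [01/Jan/2025:10:00:05 +0000] "GET /endpoint?page=3 HTTP/1.1" 200 498 "-" "client/1.0"',
];

for (const r of auditLog(SAMPLE_LOG)) {
  console.log(r.leaked ? "LEAK " : "ok   ", r.redacted);
}
```

Write the redacted lines back only after the key has been rotated, since redaction does not help with copies of the logs already shipped elsewhere.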
Responsible Disclosure
This issue was identified through internal code review. There is no evidence of the API key having been accessed by an unauthorised third party. The fix was applied and deployed as a priority security release.