An API's internal authorization tokens must not be provided back to the user because exposing these tokens increases the risk of unauthorized access to sensitive backend systems or services. Internal tokens are meant to authenticate and authorize the API's internal operations and must remain private to maintain the security of the application architecture. If these tokens are leaked or made accessible to users, malicious actors could exploit them to gain elevated privileges, bypass security mechanisms, or launch attacks such as privilege escalation or token reuse. By keeping internal tokens hidden from the user, potential misuse is prevented, and the integrity of the application's security model is protected.
Check
Verify the API's internal authorization tokens are not provided back to the user.
Inspect API responses: Look at the API responses for any authorization tokens (e.g., JSON Web Tokens [JWT], session tokens, API keys) that may be included in the response body or headers. Verify sensitive tokens are not being returned as part of a successful request or error response.
Audit API documentation: Review the API documentation to see if the token is explicitly mentioned as being returned to the user.
If internal tokens are part of any public documentation for user-facing APIs, this is a finding.
Fix
Review the API and authentication codebase. Remove internal tokens being passed around or exposed at any point in the code.
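The following Python example is added here to illustrate both the check (inspecting response headers and body for token-like material) and the fix (building responses from an explicit allowlist so an internal service token is never serialized). It is not part of the original text and not code from any particular API; the response shapes, the `InternalContext` class, the `backend_token` field, the `X-Internal-Token` header and the token value are all constructed for the demonstration.

```python
import base64
import json
import re

# A JWT has three base64url segments separated by dots; the header segment
# encodes '{"' and therefore starts with "eyJ".
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*\b")

# Key names that commonly carry credentials (constructed list for this example).
TOKEN_KEY_RE = re.compile(r"(token|secret|api[_-]?key|session|authorization|bearer)", re.I)

# Response headers that should never carry credentials on the way out (constructed list).
SENSITIVE_HEADERS = {"authorization", "x-api-key", "x-internal-token", "proxy-authorization"}


def _walk(obj, path="$"):
    """Yield (json_path, value) for every leaf of a nested JSON-like structure."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _walk(value, f"{path}.{key}")
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from _walk(value, f"{path}[{index}]")
    else:
        yield path, obj


def inspect_response(status, headers, body):
    """The 'check': return findings for token-like material in one API response.

    Applied to both successful and error responses, since either may leak.
    """
    findings = []
    for name, value in headers.items():
        if name.lower() in SENSITIVE_HEADERS:
            findings.append(f"[{status}] header {name} present in response")
        elif JWT_RE.search(str(value)):
            findings.append(f"[{status}] JWT-shaped value in header {name}")
    for path, value in _walk(body):
        key = path.rsplit(".", 1)[-1]
        if isinstance(value, str) and JWT_RE.search(value):
            findings.append(f"[{status}] JWT-shaped value at {path}")
        elif isinstance(value, str) and value and TOKEN_KEY_RE.search(key):
            findings.append(f"[{status}] credential-like key at {path}")
    return findings


def make_jwt(payload):
    """Constructed JWT-shaped string for the demo; the signature segment is a placeholder."""
    def seg(data):
        return base64.urlsafe_b64encode(json.dumps(data).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'HS256', 'typ': 'JWT'})}.{seg(payload)}.c2lnbmF0dXJl"


class InternalContext:
    """Hypothetical per-request state: the caller's id plus a service-to-service credential."""
    def __init__(self, user_id, backend_token):
        self.user_id = user_id
        self.backend_token = backend_token  # must never reach the client


def profile_response_leaky(ctx, profile):
    """Vulnerable pattern: the whole context is serialized and an internal header is echoed."""
    headers = {"Content-Type": "application/json", "X-Internal-Token": ctx.backend_token}
    return 200, headers, {"profile": profile, "context": vars(ctx)}


def profile_response_fixed(ctx, profile):
    """The 'fix': respond only with an allowlist of public fields; ctx is never serialized."""
    public = {k: profile[k] for k in ("id", "display_name", "email") if k in profile}
    return 200, {"Content-Type": "application/json"}, {"profile": public}


def build_sample():
    """Constructed request state used by the demo and the test."""
    ctx = InternalContext(42, make_jwt({"sub": "api-gateway", "scope": "backend:*"}))
    profile = {"id": 42, "display_name": "Ada", "email": "ada@example.com",
               "password_hash": "$2b$12$constructed-placeholder"}
    return ctx, profile


if __name__ == "__main__":
    ctx, profile = build_sample()
    print("leaky:", inspect_response(*profile_response_leaky(ctx, profile)))
    print("fixed:", inspect_response(*profile_response_fixed(ctx, profile)))
```

Running the inspector over the leaky handler reports the `X-Internal-Token` header and the JWT-shaped value under `$.context.backend_token`; the allowlisted handler produces no findings. The same `inspect_response` function can be fed captured responses (status, header dict, decoded JSON body) from a test client to automate the inspection step of the check across an API's endpoints.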