diff --git a/src/openapi-mcp-server/client/http-client.ts b/src/openapi-mcp-server/client/http-client.ts
index 58bf803b..ce0bdbd2 100644
--- a/src/openapi-mcp-server/client/http-client.ts
+++ b/src/openapi-mcp-server/client/http-client.ts
@@ -177,7 +177,12 @@ export class HttpClient {
 }
 } catch (error: any) {
 if (error.response) {
- console.error('Error in http client', error)
+ // Log safe properties instead of full error to prevent leaking secrets in config/headers
+ console.error('Error in http client', {
+ message: error.message,
+ name: error.name,
+ status: error.response?.status,
+ })
 const headers = new Headers()
 Object.entries(error.response.headers).forEach(([key, value]) => {
 if (value) headers.append(key, value.toString())
diff --git a/src/openapi-mcp-server/mcp/proxy.ts b/src/openapi-mcp-server/mcp/proxy.ts
index 60269664..fbeee953 100644
--- a/src/openapi-mcp-server/mcp/proxy.ts
+++ b/src/openapi-mcp-server/mcp/proxy.ts
@@ -97,10 +97,18 @@ export class MCPProxy {
 },
 ],
 }
- } catch (error) {
- console.error('Error in tool call', error)
+ } catch (error: any) {
+ // Log safe properties instead of full error to prevent leaking secrets in config/headers
+ console.error('Error in tool call', {
+ message: error.message,
+ name: error.name,
+ status: error.response?.status || (error instanceof HttpClientError ? error.status : undefined),
+ })
 if (error instanceof HttpClientError) {
- console.error('HttpClientError encountered, returning structured error', error)
+ console.error('HttpClientError encountered, returning structured error', {
+ message: error.message,
+ status: error.status,
+ })
 const data = error.data?.response?.data ?? error.data ?? {}
 return {
 content: [
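Review bot: In http-client.ts the sanitised log sits inside `if (error.response)`, so a failure with no response (timeout, DNS error, refused connection) takes a path this hunk does not show. If that path logs or rethrows the raw error, the request config and headers are still exposed. Hoisting the call above the `if` would cover both paths and would also give the `error.response?.status` optional chain a purpose, since it is redundant where it stands now: `console.error('Error in http client', { message: error.message, name: error.name, status: error.response?.status })`. The same field list is built again in proxy.ts, so a small shared helper would keep the allow-list of logged fields in one place. The catch block continues outside the hunk.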
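Review bot: In proxy.ts the log calls are now sanitised, but the context line `const data = error.data?.response?.data ?? error.data ?? {}` still falls back to the whole `error.data`. The probe for `.response.data` suggests that value can be the upstream client error object itself. If it can, its request config and headers would flow into the tool result, which is the same exposure this change removes from the logs. The return statement continues outside the hunk, so this needs confirming there. A guarded fallback would close it: `const data = error.data?.response?.data ?? (error.data instanceof Error ? {} : error.data) ?? {}`. Separately, `catch (error: any)` followed by an unguarded `error.message` throws inside the handler when a null or undefined value is thrown; `catch (error: unknown)` with an `instanceof Error` check before reading fields avoids that.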