When using ui:field: HarnessAuthToken in an IDP workflow input form, the token appears masked correctly in the review screen. However, if the token is passed to a backend pipeline through a trigger pipeline step, the token is exposed in plaintext within the pipeline execution logs under the Inputs section.
This does not happen with fields that use ui:field: Secret, which are masked end-to-end as expected.
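
A check for the exposure described above, as an added example (not Harness code and not part of the original report). It assumes the execution's Inputs section has been exported as a name-to-value mapping and that the token is JWT-shaped; the function names, input names and sample values are constructed for illustration. A canary hash can be supplied so the check also works for a test token of any format without storing the token itself.

```python
import base64
import hashlib
import json
import re

# Three dot-separated base64url segments, the outer shape of a JWT.
JWT_RE = re.compile(r"([A-Za-z0-9_-]{8,})\.([A-Za-z0-9_-]{8,})\.([A-Za-z0-9_-]{8,})")


def _b64(obj):
    """base64url-encode a JSON object without padding (used to build the sample)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def _is_jwt(match):
    """True when the first segment decodes to a JSON header that carries 'alg'."""
    seg = match.group(1)
    try:
        header = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return False
    return isinstance(header, dict) and "alg" in header


def find_exposed_tokens(inputs, canary_sha256=None):
    """Return the sorted names of inputs whose logged value is an unmasked token.

    canary_sha256: optional SHA-256 hex digest of a test token submitted through
    the form; a value that matches it exactly is reported whatever its format.
    """
    exposed = set()
    for name, value in inputs.items():
        text = str(value)
        if canary_sha256 and hashlib.sha256(text.encode()).hexdigest() == canary_sha256:
            exposed.add(name)
        elif any(_is_jwt(m) for m in JWT_RE.finditer(text)):
            exposed.add(name)
    return sorted(exposed)


# Constructed sample: what an exported Inputs section might contain.
SAMPLE_TOKEN = ".".join([_b64({"alg": "HS256", "typ": "JWT"}),
                         _b64({"sub": "constructed-user"}),
                         "c2lnbmF0dXJlLXBsYWNlaG9sZGVy"])
SAMPLE_INPUTS = {"service_name": "demo-service", "auth_token": SAMPLE_TOKEN,
                 "db_password": "*******", "version": "1.2.3"}

if __name__ == "__main__":
    print(find_exposed_tokens(SAMPLE_INPUTS))
```

Running it against the Inputs of an execution started with a HarnessAuthToken field and one started with a Secret field shows the difference the report describes: only the former is flagged.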