diff --git a/command/agent/http.go b/command/agent/http.go
index 52e75e6eee..24e0879fdf 100644
--- a/command/agent/http.go
+++ b/command/agent/http.go
@@ -282,17 +282,26 @@ func (s *HTTPServer) wrap(handler func(resp http.ResponseWriter, req *http.Reque
 	f := func(resp http.ResponseWriter, req *http.Request) {
 		setHeaders(resp, s.agent.config.HTTPAPIResponseHeaders)
 
+		// Obfuscate any tokens from appearing in the logs
+		req.ParseForm()
+		logURL := req.URL.String()
+		if tokens, ok := req.Form["token"]; ok {
+			for _, token := range tokens {
+				logURL = strings.Replace(logURL, token, "", -1)
+			}
+		}
+
 		// Invoke the handler
 		start := time.Now()
 		defer func() {
-			s.logger.Printf("[DEBUG] http: Request %v (%v)", req.URL, time.Now().Sub(start))
+			s.logger.Printf("[DEBUG] http: Request %v (%v)", logURL, time.Now().Sub(start))
 		}()
 		obj, err := handler(resp, req)
 
 		// Check for an error
 	HAS_ERR:
 		if err != nil {
-			s.logger.Printf("[ERR] http: Request %v, error: %v", req.URL, err)
+			s.logger.Printf("[ERR] http: Request %v, error: %v", logURL, err)
 			code := 500
 			errMsg := err.Error()
 			if strings.Contains(errMsg, "Permission denied") || strings.Contains(errMsg, "ACL not found") {
diff --git a/command/agent/http_test.go b/command/agent/http_test.go
index 1faa4ac992..7adff75fb7 100644
--- a/command/agent/http_test.go
+++ b/command/agent/http_test.go
@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"io"
 	"io/ioutil"
+	"log"
 	"net"
 	"net/http"
 	"net/http/httptest"
@@ -13,6 +14,7 @@ import (
 	"path/filepath"
 	"runtime"
 	"strconv"
+	"strings"
 	"testing"
 	"time"
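Review bot: The redaction on the new `strings.Replace` line compares the decoded form value against the still-encoded `req.URL.String()`, so a token whose value contains characters the URL percent-encodes (for example `/`, `+` or `=`) is not found and reaches both the `[DEBUG]` and `[ERR]` log lines unchanged, while a one-character token would instead erase that character throughout the logged URL. The `req.ParseForm()` result is also dropped, and for form-encoded POST/PUT/PATCH requests ParseForm reads the request body, which a wrapped handler may expect to consume itself — worth confirming against the handlers this wraps. A more robust approach is to redact the parsed query on a copy of the URL and re-encode it, which handles any token value, needs no ParseForm, and leaves `req.URL` intact for the handler. `wrap` begins before and continues past this hunk.

```go
	f := func(resp http.ResponseWriter, req *http.Request) {
		setHeaders(resp, s.agent.config.HTTPAPIResponseHeaders)

		// Redact the token query parameter before the URL reaches the log.
		// Work on the parsed query of a copy so the match does not depend on
		// percent-encoding and req.URL stays untouched for the handler.
		logURL := req.URL.String()
		if q := req.URL.Query(); len(q["token"]) > 0 {
			u := *req.URL
			q.Set("token", "REDACTED")
			u.RawQuery = q.Encode()
			logURL = u.String()
		}

		// … unchanged: timing defer, handler call and error handling, all logging logURL …
```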
@@ -274,6 +276,30 @@ func TestContentTypeIsJSON(t *testing.T) {
 	}
 }
 
+func TestHTTP_wrap_obfuscateLog(t *testing.T) {
+	dir, srv := makeHTTPServer(t)
+	defer os.RemoveAll(dir)
+	defer srv.Shutdown()
+	defer srv.agent.Shutdown()
+
+	// Attach a custom logger so we can inspect it
+	buf := &bytes.Buffer{}
+	srv.logger = log.New(buf, "", log.LstdFlags)
+
+	resp := httptest.NewRecorder()
+	req, _ := http.NewRequest("GET", "/some/url?token=secret1&token=secret2", nil)
+
+	handler := func(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
+		return nil, nil
+	}
+	srv.wrap(handler)(resp, req)
+
+	// Make sure no tokens from the URL show up in the log
+	if strings.Contains(buf.String(), "secret") {
+		t.Fatalf("bad: %s", buf.String())
+	}
+}
+
 func TestPrettyPrint(t *testing.T) {
 	testPrettyPrint("pretty=1", t)
 }
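Review bot: The assertion on the new `strings.Contains(buf.String(), "secret")` line only exercises plain alphanumeric tokens, so it keeps passing even if a token containing URL-reserved characters leaks into the log, because such values are percent-encoded in `req.URL.String()` while `req.Form` holds them decoded. Adding a second request such as `req, _ := http.NewRequest("GET", "/some/url?token=sec%2Fret", nil)` and asserting that neither `"sec/ret"` nor `"sec%2Fret"` appears in `buf.String()` would cover that path. The handler only returns `nil, nil`, so the `[ERR]` log line in `wrap` is never reached here; a case returning an error would confirm that path is redacted too.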