diff --git a/internal/federationdomain/endpoints/auth/auth_handler_test.go b/internal/federationdomain/endpoints/auth/auth_handler_test.go
index 8b8350d61..5e911063f 100644
--- a/internal/federationdomain/endpoints/auth/auth_handler_test.go
+++ b/internal/federationdomain/endpoints/auth/auth_handler_test.go
@@ -4431,3 +4431,32 @@ func requireEqualURLsIgnoringState(t *testing.T, actualURL string, expectedURL s
 
 	require.Equal(t, expectedLocationQuery, actualLocationQuery)
 }
+
+// TestParamsSafeToLog only exists to ensure that paramsSafeToLog will not be accidentally updated.
+func TestParamsSafeToLog(t *testing.T) {
+	wantParams := []string{
+		"access_type",
+		"acr_values",
+		"claims",
+		"claims_locales",
+		"client_id",
+		"code_challenge_method",
+		"display",
+		"id_token_hint",
+		"login_hint",
+		"max_age",
+		"pinniped_idp_name",
+		"pinniped_idp_type",
+		"prompt",
+		"redirect_uri",
+		"registration",
+		"request",
+		"request_uri",
+		"response_mode",
+		"response_type",
+		"scope",
+		"ui_locales",
+	}
+
+	require.ElementsMatch(t, wantParams, paramsSafeToLog().UnsortedList())
+}
diff --git a/internal/federationdomain/endpoints/callback/callback_handler_test.go b/internal/federationdomain/endpoints/callback/callback_handler_test.go
index d20a157c4..6dd419553 100644
--- a/internal/federationdomain/endpoints/callback/callback_handler_test.go
+++ b/internal/federationdomain/endpoints/callback/callback_handler_test.go
@@ -2206,3 +2206,14 @@ func shallowCopyAndModifyQuery(query url.Values, modifications map[string]string
 	}
 	return copied
 }
+
+// TestParamsSafeToLog only exists to ensure that paramsSafeToLog will not be accidentally updated.
+func TestParamsSafeToLog(t *testing.T) {
+	wantParams := []string{
+		"error",
+		"error_description",
+		"error_uri",
+	}
+
+	require.ElementsMatch(t, wantParams, paramsSafeToLog().UnsortedList())
+}
diff --git a/internal/federationdomain/endpoints/login/login_handler_test.go b/internal/federationdomain/endpoints/login/login_handler_test.go
index 75fa5cce9..243f5da14 100644
--- a/internal/federationdomain/endpoints/login/login_handler_test.go
+++ b/internal/federationdomain/endpoints/login/login_handler_test.go
@@ -553,3 +553,12 @@ func (r *requestPath) String() string {
 	}
 	return path + params.Encode()
 }
+
+// TestParamsSafeToLog only exists to ensure that paramsSafeToLog will not be accidentally updated.
+func TestParamsSafeToLog(t *testing.T) {
+	wantParams := []string{
+		"err",
+	}
+
+	require.ElementsMatch(t, wantParams, paramsSafeToLog().UnsortedList())
+}
diff --git a/internal/federationdomain/endpoints/token/token_handler.go b/internal/federationdomain/endpoints/token/token_handler.go
index c09925797..86909c9c9 100644
--- a/internal/federationdomain/endpoints/token/token_handler.go
+++ b/internal/federationdomain/endpoints/token/token_handler.go
@@ -36,10 +36,11 @@ func paramsSafeToLog() sets.Set[string] {
 		// Standard params from https://openid.net/specs/openid-connect-core-1_0.html for authcode and refresh grants.
 		// Redacting code, client_secret, refresh_token, and PKCE code_verifier params.
 		"grant_type", "client_id", "redirect_uri", "scope",
-		// Token exchange params from https://datatracker.ietf.org/doc/html/rfc8693.
+		// Token exchange params from https://datatracker.ietf.org/doc/html/rfc8693#section-2.1.
 		// Redact subject_token and actor_token.
 		// We don't allow all of these, but they should be safe to log.
-		"audience", "resource", "scope", "requested_token_type", "actor_token_type", "subject_token_type",
+		// "scope" is already included from the authcode grant.
+		"audience", "resource", "requested_token_type", "actor_token_type", "subject_token_type",
 	)
 }
 
diff --git a/internal/federationdomain/endpoints/token/token_handler_test.go b/internal/federationdomain/endpoints/token/token_handler_test.go
index 9f0773fc3..2c5174790 100644
--- a/internal/federationdomain/endpoints/token/token_handler_test.go
+++ b/internal/federationdomain/endpoints/token/token_handler_test.go
@@ -5996,3 +5996,20 @@ func getSecretNameFromSignature(t *testing.T, signature string, typeLabel string
 	signatureAsValidName := strings.ToLower(b32.EncodeToString(signatureBytes))
 	return fmt.Sprintf("pinniped-storage-%s-%s", typeLabel, signatureAsValidName)
 }
+
+// TestParamsSafeToLog only exists to ensure that paramsSafeToLog will not be accidentally updated.
+func TestParamsSafeToLog(t *testing.T) {
+	wantParams := []string{
+		"actor_token_type",
+		"audience",
+		"client_id",
+		"grant_type",
+		"redirect_uri",
+		"requested_token_type",
+		"resource",
+		"scope",
+		"subject_token_type",
+	}
+
+	require.ElementsMatch(t, wantParams, paramsSafeToLog().UnsortedList())
+}