OAuth and API Token Interception - ATR-2026-00114 (ef1a2a22-71ab-56e3-b849-665c7e7ad76b)

Detects patterns indicating OAuth token interception, API key forwarding, or authorization header theft. Attackers may instruct agents to capture bearer tokens, refresh tokens, or client secrets and redirect them to attacker-controlled endpoints. This includes suspicious redirect_uri manipulation in OAuth flows and bulk token extraction from agent context.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Steal Application Access Token - T1528 (890c9858-598c-401d-a4d5-c67ebcdd703a) | Attack Pattern | OAuth and API Token Interception - ATR-2026-00114 (ef1a2a22-71ab-56e3-b849-665c7e7ad76b) | Agent Threat Rules | 1 |