diff --git a/packages/cli-kit/src/private/node/api/urls.test.ts b/packages/cli-kit/src/private/node/api/urls.test.ts
index 62492fb2eb7..e85c4f08453 100644
--- a/packages/cli-kit/src/private/node/api/urls.test.ts
+++ b/packages/cli-kit/src/private/node/api/urls.test.ts
@@ -79,4 +79,26 @@ describe('sanitizeURL', () => {
 'https://example.com/?access_token=****&refresh_token=****&device_code=****&subject_token=****&other=keep',
 )
 })
+
+ test('sanitizes URL credentials', () => {
+ // Given
+ const url = 'https://user:pass@example.com'
+
+ // When
+ const sanitizedUrl = sanitizeURL(url)
+
+ // Then
+ expect(sanitizedUrl).toBe('https://****:****@example.com/')
+ })
+
+ test('sanitizes case-insensitive query parameters', () => {
+ // Given
+ const url = 'https://example.com?TOKEN=secret&Access_Token=hidden'
+
+ // When
+ const sanitizedUrl = sanitizeURL(url)
+
+ // Then
+ expect(sanitizedUrl).toBe('https://example.com/?TOKEN=****&Access_Token=****')
+ })
 })
diff --git a/packages/cli-kit/src/private/node/api/urls.ts b/packages/cli-kit/src/private/node/api/urls.ts
index fd1297f7c58..7d559e72cf5 100644
--- a/packages/cli-kit/src/private/node/api/urls.ts
+++ b/packages/cli-kit/src/private/node/api/urls.ts
@@ -21,10 +21,19 @@ const SENSITIVE_QUERY_PARAMS = [
 */
 export function sanitizeURL(url: string): string {
 const parsedUrl = new URL(url)
- for (const param of SENSITIVE_QUERY_PARAMS) {
- if (parsedUrl.searchParams.has(param)) {
- parsedUrl.searchParams.set(param, '****')
+
+ if (parsedUrl.username) {
+ parsedUrl.username = '****'
+ }
+ if (parsedUrl.password) {
+ parsedUrl.password = '****'
+ }
+
+ for (const [key] of parsedUrl.searchParams) {
+ if (SENSITIVE_QUERY_PARAMS.includes(key.toLowerCase())) {
+ parsedUrl.searchParams.set(key, '****')
 }
 }
+
 return parsedUrl.toString()
 }
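Review bot: The new credential test covers only a URL carrying both a username and a password, so the two separate `if` branches in sanitizeURL are never exercised on their own; a username-only input such as `https://user@example.com` (expected `https://****@example.com/`) would pin that path and guard against the branches being merged later. A duplicate-key input like `https://example.com?token=a&token=b` (expected `https://example.com/?token=****`) would likewise document that `searchParams.set` collapses repeated sensitive parameters into a single masked entry, which callers that count parameters might not expect. The enclosing `describe` block starts outside the hunk.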
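Review bot: The case-insensitive match `SENSITIVE_QUERY_PARAMS.includes(key.toLowerCase())` only holds if every entry of SENSITIVE_QUERY_PARAMS is itself lowercase; the list is declared above the hunk so I cannot confirm that here, and a mixed-case entry added later would silently stop matching. A comment on the list stating that invariant, or lowercasing the list once where it is declared (`.map((p) => p.toLowerCase())`), would make it explicit. The loop also mutates `searchParams` through its live iterator: `set` removes every later entry with the same name, which is safe because only already-handled names disappear, but a one-line comment such as `// set() collapses duplicate keys; the live iterator still visits every other entry` would save the next reader the spec lookup. Nothing in this function touches `parsedUrl.hash`, so a token carried in the fragment is passed through unmasked; whether that matters depends on the callers, which I cannot see. The enclosing doc comment begins outside the hunk.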