diff --git a/apps/emqx_auth/src/emqx_authn/emqx_authn_api.erl b/apps/emqx_auth/src/emqx_authn/emqx_authn_api.erl
index 6404fed02..0f57c4e71 100644
--- a/apps/emqx_auth/src/emqx_authn/emqx_authn_api.erl
+++ b/apps/emqx_auth/src/emqx_authn/emqx_authn_api.erl
@@ -897,7 +897,7 @@ list_authenticators(ConfKeyPath) ->
 maps:put(
 id,
 emqx_authn_chains:authenticator_id(AuthenticatorConfig),
- convert_certs(AuthenticatorConfig)
+ convert_certs(emqx_utils:redact(AuthenticatorConfig))
 )
 || AuthenticatorConfig <- AuthenticatorsConfig
 ],
@@ -907,7 +907,8 @@ list_authenticator(_, ConfKeyPath, AuthenticatorID) ->
 with_authenticator(
 AuthenticatorID,
 ConfKeyPath,
- fun(AuthenticatorConfig) ->
+ fun(AuthenticatorConfig0) ->
+ AuthenticatorConfig = emqx_utils:redact(AuthenticatorConfig0),
 {200, maps:put(id, AuthenticatorID, convert_certs(AuthenticatorConfig))}
 end
 ).
@@ -1050,9 +1051,16 @@ is_ok(ResL) ->
 
 update_authenticator(ConfKeyPath, ChainName, AuthenticatorID, Config) ->
 case
- update_config(
+ with_deobfuscate_update(
 ConfKeyPath,
- {update_authenticator, ChainName, AuthenticatorID, Config}
+ AuthenticatorID,
+ Config,
+ fun(AuthenticatorConfig) ->
+ update_config(
+ ConfKeyPath,
+ {update_authenticator, ChainName, AuthenticatorID, AuthenticatorConfig}
+ )
+ end
 )
 of
 {ok, _} ->
@@ -1160,6 +1168,15 @@ list_users(ChainName, AuthenticatorID, QueryString) ->
 {200, Result}
 end.
 
+with_deobfuscate_update(ConfKeyPath, AuthenticatorID, NewConf, Fun) ->
+ case find_authenticator_config(AuthenticatorID, ConfKeyPath) of
+ {ok, RawConf} ->
+ Conf = emqx_utils:deobfuscate(NewConf, RawConf),
+ Fun(Conf);
+ {error, _} = Error ->
+ Error
+ end.
+
 update_config(Path, ConfigRequest) ->
 emqx_conf:update(Path, ConfigRequest, #{
 rawconf_with_defaults => true,
diff --git a/apps/emqx_auth/src/emqx_authz/emqx_authz_api_sources.erl b/apps/emqx_auth/src/emqx_authz/emqx_authz_api_sources.erl
index 27ef53d14..cb7c1664f 100644
--- a/apps/emqx_auth/src/emqx_authz/emqx_authz_api_sources.erl
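Review bot: The redaction in `list_authenticators` is written inline as `convert_certs(emqx_utils:redact(AuthenticatorConfig))` while the next hunk (`list_authenticator`) rebinds `AuthenticatorConfig0`/`AuthenticatorConfig`; using one form in both places makes the redact-then-convert order easier to audit. Because `convert_certs` now receives the already-redacted map, it is worth confirming that none of the keys it rewrites are ones `emqx_utils:redact` replaces, otherwise the conversion runs on placeholder values (`convert_certs` itself is outside the hunk). Both list paths are covered here, but any other handler in this module that echoes an authenticator config back to the client, if there is one, needs the same treatment.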
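Review bot: `update_authenticator` now feeds the result of `with_deobfuscate_update` into its `case ... of`, so an `{error, _}` from `find_authenticator_config` (the authenticator does not exist) arrives where the remaining clauses, which lie outside the hunk, previously only saw `update_config` results; check that one of those clauses matches that reason and maps it to the not-found response instead of whatever the generic error clause returns. The lookup and the later `update_config` are two separate config operations, so a concurrent update of the same authenticator between them is deobfuscated against a stale raw config; if that window matters, the deobfuscation belongs in the config-update path, where the current raw config is available at update time, rather than in the API layer.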
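Review bot: `with_deobfuscate_update` has no `-spec` and no comment stating its contract, and the contract is security-relevant: a value in `NewConf` equal to the redaction placeholder is replaced by the stored secret from `RawConf`, so a client that genuinely wants that literal value cannot set it, and a caller that passed the raw config of the wrong authenticator would splice another authenticator's secret into this one. A header comment such as `%% Restore secret fields that the client sent back as the redaction placeholder (what GET returns) from the stored raw config, so an update does not overwrite real secrets with the placeholder.` together with `-spec with_deobfuscate_update(term(), term(), map(), fun((map()) -> R)) -> R | {error, term()}.` would pin that down; the argument types there are inferred from the call site and should be tightened to the module's own types.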
+++ b/apps/emqx_auth/src/emqx_authz/emqx_authz_api_sources.erl
@@ -244,7 +244,8 @@ sources(get, _) ->
 fun(Source0, AccIn) ->
 try emqx_authz:maybe_read_source_files(Source0) of
 Source1 ->
- lists:append(AccIn, [Source1])
+ Source2 = emqx_utils:redact(Source1),
+ lists:append(AccIn, [Source2])
 catch
 _Error:_Reason ->
 lists:append(AccIn, [Source0])
@@ -267,7 +268,8 @@ source(get, #{bindings := #{type := Type}}) ->
 fun(Source0) ->
 try emqx_authz:maybe_read_source_files(Source0) of
 Source1 ->
- {200, Source1}
+ Source2 = emqx_utils:redact(Source1),
+ {200, Source2}
 catch
 _Error:Reason ->
 {500, #{
@@ -280,8 +282,9 @@ source(get, #{bindings := #{type := Type}}) ->
 source(put, #{bindings := #{type := Type}, body := #{<<"type">> := Type} = Body}) ->
 with_source(
 Type,
- fun(_) ->
- update_config({?CMD_REPLACE, Type}, Body)
+ fun(RawConf) ->
+ Conf = emqx_utils:deobfuscate(Body, RawConf),
+ update_config({?CMD_REPLACE, Type}, Conf)
 end
 );
 source(put, #{bindings := #{type := Type}, body := #{<<"type">> := _OtherType}}) ->
diff --git a/changes/ce/fix-13225.en.md b/changes/ce/fix-13225.en.md
new file mode 100644
index 000000000..d57d0c5e9
--- /dev/null
+++ b/changes/ce/fix-13225.en.md
@@ -0,0 +1 @@
+Redacted sensitive data from authentication and authorization APIs.
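Review bot: The catch branch of the fold in `sources(get, _)` still appends `Source0` unredacted, so when `maybe_read_source_files` throws, that source's secrets are returned to the client in exactly the case this change is meant to close; redact on that path as well, `lists:append(AccIn, [emqx_utils:redact(Source0)])`. The corresponding catch in `source(get, ...)` (next hunk) builds a `{500, #{...}}` body from `Reason`; if that body can embed the source, it needs the same redaction, though the map body runs past the hunk. As a side point, `lists:append(AccIn, [Source2])` inside a fold is quadratic; prepending and reversing once after the fold is the usual form, but the fold's result handling is outside the hunk.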
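Review bot: The deobfuscation in `source(put, ...)` relies on `with_source` handing the fun the stored raw source; the new parameter name `RawConf` asserts this, but `with_source` is outside the hunk, and if it passes a post-processed source instead, placeholders in `Body` would be matched against a differently shaped map and could be stored verbatim. Worth confirming, and worth a line above the call so the next reader knows why a PUT body is not used as-is: `%% Body may carry the placeholders GET returned for secret fields; restore them from the stored source before replacing it.` The create path is not touched here, which is consistent, since there is no stored source to restore from.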