diff --git a/nova/console/websocketproxy.py b/nova/console/websocketproxy.py
index 4d79f40c7fa..e13b3c0fe15 100644
--- a/nova/console/websocketproxy.py
+++ b/nova/console/websocketproxy.py
@@ -18,6 +18,7 @@
 Leverages websockify.py by Joel Martin
 '''
 
+import copy
 import socket
 import sys
 
@@ -220,7 +221,10 @@ def new_websocket_client(self):
                 detail = _("Origin header protocol does not match this host.")
                 raise exception.ValidationError(detail=detail)
 
-        self.msg(_('connect info: %s'), str(connect_info))
+        sanitized_info = copy.copy(connect_info)
+        sanitized_info.token = '***'
+        self.msg(_('connect info: %s'), sanitized_info)
+
         host = connect_info.host
         port = connect_info.port
 
diff --git a/nova/tests/unit/console/test_websocketproxy.py b/nova/tests/unit/console/test_websocketproxy.py
index ce0c924cf41..98e162d59cb 100644
--- a/nova/tests/unit/console/test_websocketproxy.py
+++ b/nova/tests/unit/console/test_websocketproxy.py
@@ -219,6 +219,9 @@ def test_new_websocket_client(self, validate, check_port):
         validate.assert_called_with(mock.ANY, "123-456-789")
         self.wh.socket.assert_called_with('node1', 10000, connect=True)
         self.wh.do_proxy.assert_called_with('<socket>')
+        # ensure that token is masked when logged
+        connection_info = self.wh.msg.mock_calls[0][1][1]
+        self.assertEqual('***', connection_info.token)
 
     @mock.patch('nova.console.websocketproxy.NovaProxyRequestHandlerBase.'
                 '_check_console_port')