There is an expectation that proxies will not log information sent as headers.  However, in the case of the 3scale-istio-adapter, the user_key is logged in the event of an error calling the 3scale backend. This is true regardless of whether the user_key was sent via query parameter or header. The log also includes the API service token which is sensitive information.

There is currently no way to suppress this information from being logged.