diff --git a/internal/pkg/config/config.go b/internal/pkg/config/config.go
index c7aeaf378..7bdc0df58 100644
--- a/internal/pkg/config/config.go
+++ b/internal/pkg/config/config.go
@@ -190,6 +190,14 @@ func redactServer(cfg *Config) Server {
 redacted.TLS = &newTLS
 }
+ if redacted.Instrumentation.APIKey != "" {
+ redacted.Instrumentation.APIKey = kRedacted
+ }
+
+ if redacted.Instrumentation.SecretToken != "" {
+ redacted.Instrumentation.SecretToken = kRedacted
+ }
+
 return redacted
 }
diff --git a/internal/pkg/config/config_test.go b/internal/pkg/config/config_test.go
index 80efae473..384030996 100644
--- a/internal/pkg/config/config_test.go
+++ b/internal/pkg/config/config_test.go
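Review bot: The two new checks in redactServer redact Instrumentation one field at a time, so a credential-bearing field added to that struct later will pass through Redact() in clear text unless this function is extended as well. I would put a comment above the first check, `// Keep in sync with Instrumentation: every secret-bearing field must be replaced with kRedacted here.`, so the coupling is visible to whoever extends the struct. The Instrumentation definition is not visible in this diff, so it is worth confirming that APIKey and SecretToken are the only secret-carrying fields it has today. redactServer starts before this hunk, so how `redacted` is derived from `cfg` cannot be checked from these lines.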
@@ -308,6 +308,132 @@ func TestLoadServerLimits(t *testing.T) {
 }
+func TestConfigRedact(t *testing.T) {
+
+ testcases := []struct {
+ name string
+ inputCfg *Config
+ redactedCfg *Config
+ }{
+ {
+ name: "do not modify empty APM secrets",
+ inputCfg: &Config{
+ Inputs: []Input{
+ {
+ Type: "fleet-server",
+ Server: Server{
+ Instrumentation: Instrumentation{
+ SecretToken: "",
+ APIKey: "",
+ },
+ },
+ },
+ },
+ },
+ redactedCfg: &Config{
+ Inputs: []Input{
+ {
+ Server: Server{
+ Instrumentation: Instrumentation{
+ SecretToken: "",
+ APIKey: "",
+ },
+ },
+ },
+ },
+ },
+ },
+ {
+ name: "redact APM secret token",
+ inputCfg: &Config{
+ Inputs: []Input{
+ {
+ Type: "fleet-server",
+ Server: Server{
+ Instrumentation: Instrumentation{
+ SecretToken: "secret value that noone should know",
+ },
+ },
+ },
+ },
+ },
+ redactedCfg: &Config{
+ Inputs: []Input{
+ {
+ Server: Server{
+ Instrumentation: Instrumentation{
+ SecretToken: kRedacted,
+ },
+ },
+ },
+ },
+ },
+ },
+ {
+ name: "redact APM API key",
+ inputCfg: &Config{
+ Inputs: []Input{
+ {
+ Type: "fleet-server",
+ Server: Server{
+ Instrumentation: Instrumentation{
+ APIKey: "secret value that noone should know",
+ },
+ },
+ },
+ },
+ },
+ redactedCfg: &Config{
+ Inputs: []Input{
+ {
+ Server: Server{
+ Instrumentation: Instrumentation{
+ APIKey: kRedacted,
+ },
+ },
+ },
+ },
+ },
+ },
+ {
+ name: "redact both APM API key and secret token",
+ inputCfg: &Config{
+ Inputs: []Input{
+ {
+ Type: "fleet-server",
+ Server: Server{
+ Instrumentation: Instrumentation{
+ APIKey: "secret value that noone should know",
+ SecretToken: "another value that noone should know",
+ },
+ },
+ },
+ },
+ },
+ redactedCfg: &Config{
+ Inputs: []Input{
+ {
+ Server: Server{
+ Instrumentation: Instrumentation{
+ APIKey: kRedacted,
+ SecretToken: kRedacted,
+ },
+ },
+ },
+ },
+ },
+ },
+ }
+
+ for _, tt := range testcases {
+ t.Run(tt.name, func(t *testing.T) {
+ require.NotNil(t, tt.inputCfg, "input config cannot be nil")
+ actualRedacted := tt.inputCfg.Redact()
+ assert.Equal(t, tt.redactedCfg, actualRedacted)
+ })
+ }
+}
+
 // Stub out the defaults so that the above is easier to maintain
 func defaultCache() Cache {
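Review bot: TestConfigRedact asserts only on the value returned by Redact(), so an implementation that overwrote the secrets in the live config would still pass while leaving the running process with unusable APM credentials. In the t.Run body, capture `orig := tt.inputCfg.Inputs[0].Server.Instrumentation` before the Redact() call and add `assert.Equal(t, orig, tt.inputCfg.Inputs[0].Server.Instrumentation)` after it. The expected configs also omit `Type: "fleet-server"` although every input sets it. Presumably Redact() does not carry Type over, so a one-line comment on the table saying so would stop a reader from taking the omission for an oversight.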