Should the "code" parameter be filtered out of the logs in the oauth2 flow?

I'am implementing a login flow based on oauth2.

When the user grants the permission on the oauth2 provider side, the server gets a callback with a code that can be used to retrieve the access token.

The code is by definition very short lived, but I still wonder if it is considered sensitive data that should not end in the application logs (like the password param that is sent when a user logs in via a regular form)

One time codes sent in URLs are considered safe to log. Usually they are short lived also. Other examples include nonce values sent in 'magic' email links. Once used they are removed from backend data and cannot be replayed. If not used they expire soon anyway.

The authorization code typically has a lifetime of a minute or two, determined by state stored in the authorization server. In any up to date code flow, redeeming a code for tokens also requires a client secret, a PKCE code verifier or both. The authorization code alone thus cannot be used to get access tokens.

Also. it is possible to send the response_mode=form_post parameter in the authorization request, if you prefer to receive the code in a POST response. This may have slightly worse usability though, if the user clicks the back button after login, resulting in a form resubmission warning.