Security: REDCap API token is exposed in assertion error message

## Security: REDCap API token is exposed in assertion error message

Hi — thanks for maintaining PyCap.

I noticed a potential security issue in the token validation logic that can cause REDCap API tokens to be printed in plain text when validation fails.

In `_validate_url_and_token` (in `redcap/methods/base.py`), the token is interpolated directly into an `AssertionError` message:

```python
assert actual_token_len == expected_token_len, (
    f"Incorrect token format '{token}', token must be",
    f"{expected_token_len} characters long",
)
```

If the token is malformed (e.g., wrong length, trailing newline), this assertion prints the full token to stdout/logs. This can leak secrets into CI logs, terminals, or shared debugging output.

Even though this only occurs on error paths, the token may still be mostly or entirely valid, and error logs are a common source of credential leakage.

### Suggested fix

Avoid interpolating secrets into exception messages. Replace `assert` with an explicit exception (e.g., `ValueError`) and use a generic message, for example:

```python
if len(token) != 32:
    raise ValueError("Invalid REDCap token format (expected 32 characters)")
```

Thanks for your work on the project.


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Security: REDCap API token is exposed in assertion error message #315