diff --git a/proto/common/v1/common.proto b/proto/common/v1/common.proto
index e360ef4..645971e 100644
--- a/proto/common/v1/common.proto
+++ b/proto/common/v1/common.proto
@@ -18,6 +18,7 @@ syntax = "proto3";
 package common;
 import "google/protobuf/timestamp.proto";
+import "storage/datapol/annotations/proto/semantic_annotations.proto";
 option go_package = "github.com/GoogleCloudPlatform/healthcare-federated-access-services/proto/common/v1";
@@ -148,8 +149,8 @@ message CliState {
 bytes encrypted_secret = 9;
 bytes encrypted_code = 10;
 string secret = 11;
- string access_token = 12;
- string refresh_token = 13;
+ string access_token = 12 [(datapol.semantic_type) = ST_ACCOUNT_CREDENTIAL];
+ string refresh_token = 13 [(datapol.semantic_type) = ST_ACCOUNT_CREDENTIAL];
 string state = 14;
 google.protobuf.Timestamp accepted_at = 15;
 map user_profile = 16;
@@ -193,10 +194,16 @@ message OidcTokenResponse {
 string name = 1;
 string email = 2;
 }
- string access_token = 1 [json_name = "access_token"];
+ string access_token = 1 [
+ json_name = "access_token",
+ (datapol.semantic_type) = ST_ACCOUNT_CREDENTIAL
+ ];
 string token_type = 2 [json_name = "token_type"];
 int32 expires_in = 3 [json_name = "expires_in"];
- string refresh_token = 4 [json_name = "refresh_token"];
+ string refresh_token = 4 [
+ json_name = "refresh_token",
+ (datapol.semantic_type) = ST_ACCOUNT_CREDENTIAL
+ ];
 string id_token = 5 [json_name = "id_token"];
 string scope = 6;
 string uid = 7;
diff --git a/proto/common/v1/oauthclient.proto b/proto/common/v1/oauthclient.proto
index 5d13f83..9f9c6d2 100644
--- a/proto/common/v1/oauthclient.proto
+++ b/proto/common/v1/oauthclient.proto
@@ -17,6 +17,7 @@ syntax = "proto3";
 package common;
 import "google/rpc/status.proto";
+import "storage/datapol/annotations/proto/semantic_annotations.proto";
 option go_package = "github.com/GoogleCloudPlatform/healthcare-federated-access-services/proto/common/v1";
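Review bot: The added `import "storage/datapol/annotations/proto/semantic_annotations.proto";` in common.proto (and the identical line in oauthclient.proto) points at a path outside the `proto/` tree these files live in, and nothing in this diff adds that file. If it is not vendored or placed on the protoc include path, both files stop compiling for anyone building from the repository, and every `(datapol.semantic_type)` option below fails to resolve. Confirm the annotations file ships with the repository, and add a comment above the import such as `// Defines the (datapol.semantic_type) field option used to label credentials.`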
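Review bot: In `CliState`, `string secret = 11;` sits directly above the two newly labelled token fields and is left without a semantic type, so tooling keyed on the annotation would still treat it as ordinary data. Going by the name it presumably holds secret material; if so it should be labelled in the same change, e.g. `string secret = 11 [(datapol.semantic_type) = ST_SECURITY_MATERIAL];`. `encrypted_secret` and `encrypted_code` need an explicit decision as well. The message starts and ends outside this hunk, so other fields may warrant the same check.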
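Review bot: In `OidcTokenResponse`, `id_token = 5` stays unlabelled while `access_token` and `refresh_token` are now marked `ST_ACCOUNT_CREDENTIAL`. An OIDC ID token is a signed assertion of the user's identity and is usually handled with the same care as the other tokens in this response. I would label it here too: `string id_token = 5 [json_name = "id_token", (datapol.semantic_type) = ST_ACCOUNT_CREDENTIAL];`, or whichever semantic type the policy owners prefer. The message continues past the end of the hunk.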
@@ -56,7 +57,10 @@ message ClientState {
 message ClientResponse {
 Client client = 1;
- string client_secret = 2 [json_name = "client_secret"];
+ string client_secret = 2 [
+ json_name = "client_secret",
+ (datapol.semantic_type) = ST_SECURITY_MATERIAL
+ ];
 }
 message ConfigModification {
@@ -78,5 +82,8 @@ message ConfigClientRequest {
 message ConfigClientResponse {
 Client client = 1;
- string client_secret = 2 [json_name = "client_secret"];
+ string client_secret = 2 [
+ json_name = "client_secret",
+ (datapol.semantic_type) = ST_SECURITY_MATERIAL
+ ];
 }
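Review bot: The `ST_SECURITY_MATERIAL` label on `ClientResponse.client_secret` (and the same change in `ConfigClientResponse` in the next hunk) is metadata only. Nothing visible in this diff changes how the response is serialized, so any request/response or audit logging that dumps these messages would still emit the secret unless it consults the option. A field comment would make the handling rule explicit, for example `// Plaintext OAuth client secret; redact before logging or persisting the response.` It would also help to say why this field uses `ST_SECURITY_MATERIAL` while the tokens in common.proto use `ST_ACCOUNT_CREDENTIAL`.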