06
Blog
FIELD NOTES / PRACTICE
API key security in practice: leaks, AI agents, proxy tokens.
-
TELEGRAM
ART.04
Telegram bots
2026-07-06
Telegram bot tokens leak more than any other API key: how to hide yours
The token lives right in the URL and settles into every log. What a leak costs, why a BotFather revoke isn't a fix, and how to hide the token without breaking aiogram or grammY.
-
FIELD
ART.05
Case study · field report
2026-07-06
Case study: moving two production Telegram bots to proxy tokens in one evening
Three migration rakes — aiogram format validation, long-polling cutoffs and the IP-rebind foot-gun — plus a before/after table.
-
INCIDENT
ART.01
Incident
2026-07-05
Your OpenAI API key leaked: what to do in the first 10 minutes
Revoke, assess the damage, find the source, clean git history — and make the next leak worthless.
-
AGENTS
ART.02
AI agents · MCP
2026-07-05
How to give an AI agent API access without handing over your key
Why anything that enters a model's context counts as published — and the schemes that work: proxy tokens, MCP, deferred secrets.
-
PROXY
ART.03
Fundamentals
2026-07-05
What is an API key proxy and how does it work
How a credential proxy is built, how it differs from a secrets manager, and the two-line code switch.