@[email protected] looks like a potential attack vector :neocat_think_woozy: assuming your session is stored in an HttpOnly cookie, this would allow an attacker to bypass that and just `fetch()` that docs page to extract a valid api token for the current user (assuming the docs are on the same domain)