I spent 45 minutes trying to figure out why my Proxmox API token kept getting exposed in logs. Turns out, it wasn't a security hole — it was Bash history expansion eating my token string and spitting it back in plaintext.
The thing: Bash history expansion interprets ! as a history reference. When you paste an API token into a script or command line, any ! in the token gets expanded to a previous command. This is a problem when your token contains ! — which some Proxmox API tokens do.
# This will fail because Bash tries to expand the ! in the token
curl -u "user:my-token!123" https://proxmox.example.com/api2/json/nodes
# Fix it by quoting the token or escaping the !
curl -u "user:my-token\!123" https://proxmox.example.com/api2/json/nodes
The fix is simple but easy to miss: quote the token or escape any ! characters. I learned this the hard way after seeing my-token!123 show up in my shell history and logs after a failed API call.
Done: Bash history expansion is a gotcha for anyone using ! in API tokens — quote or escape them to avoid surprises.
Top comments (0)