Somehow, the access token for managing my account for a private podcast feed found its way into Google’s search index. A complete stranger emailed me about it, which I very much appreciated. Turns out they were searching for one of the query parameters involved in an OAuth 2 exchange: not something super common, yet common enough to be a problem.

The issue is resolved now but I’m wondering how it leaked. I’m usually pretty good at trying to keep links to private feeds private. The only thing I can think of is that I tried making a clip of that show using Pocketcasts. And since Pocketcasts now generates hosted clip pages rather than rendering a video, the tokenised link would’ve appeared there, along with the rest of the show notes. I didn’t post the clip, but maybe it made its way to Google’s index via that feature in some other manner. Some discovery thing, perhaps?

Anyway, I have alternative means of making my clips now, but for anyone else using Pocketcasts, just keep this in mind when making clips of private shows.