diff --git a/apps/chat/src/index.ts b/apps/chat/src/index.ts
index f808475..cd1f976 100644
--- a/apps/chat/src/index.ts
+++ b/apps/chat/src/index.ts
@@ -47,8 +47,11 @@ app.get(
       let apiKey: string | null = null;
       if (authHeader && authHeader.startsWith('Bearer ')) {
         apiKey = authHeader.substring(7);
-      } else if (botAuth) {
-        apiKey = botAuth;
+      } else if (botAuth && typeof botAuth === 'string' && botAuth.trim().length > 0) {
+        // Validate botAuth query parameter format
+        if (botAuth.startsWith('hctvb_')) {
+          apiKey = botAuth;
+        }
       }
 
       if (apiKey) {
diff --git a/apps/docs/src/content/docs/api/chat.mdx b/apps/docs/src/content/docs/api/chat.mdx
index 4325e66..bacbd72 100644
--- a/apps/docs/src/content/docs/api/chat.mdx
+++ b/apps/docs/src/content/docs/api/chat.mdx
@@ -15,9 +15,11 @@ You'll need to provide authentication, which can be done by providing an `auth_s
 
 <Aside type="tip">
 Bot accounts are now supported. You can choose to connect as a bot by providing a bot account's API key in one of two ways:
-- Using the `Authorization` header: `Bearer hctvb_xxxxxxx` (for server-side connections)
+- Using the `Authorization` header: `Bearer hctvb_xxxxxxx` (for server-side connections) **[Recommended]**
 - Using the `?botAuth=hctvb_xxxxxxx` query parameter (for browser-based connections, since browsers cannot set custom headers on WebSocket connections)
 
+**Security Note:** When using the `?botAuth=` query parameter, be aware that query parameters may be logged in browser history, server logs, and proxy logs. Use the `Authorization` header method whenever possible. The query parameter method should only be used when connecting from a browser environment where headers cannot be set.
+
 It is highly advised to use a bot account for any automated task, and to implement anything pointed out in this page.
 
 </Aside>