Hacker News
by yewenjie 1775 days ago
I have been wondering recently - how secure are URLs? For example Telegram's bot API is authenticated with a token which has to be included in the URL for any request.

What kind of failure modes are there regarding this?

2 comments

If they click on the URL while their internet is out, then the URL may remain in their browser's search history. The search history may sync between the devices, so if someone has access to your phone, they may get the secret URL when your internet resumes (and you haven't clicked yet).

This probably isn't terrible though.

In this case, the links are one-use, so if it's in your history it's already gone (and therefore secure).

If you use HTTPS, they're pretty much as secure as HTTPS itself is. Anything that would let you obtain or modify the token at that point would be a break of HTTPS.

(Unless you're using some weird system where the secret is in the domain name, in which case it can be a bit more complicated, but who does that?)

If you use HTTP they're not secure at all.
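
An added example, not part of the thread: a small audit helper that reports which component of a URL carries a secret and whether a passive network observer can read that component. It relies on the fact that under HTTPS the path and query are encrypted while the hostname normally still appears in the DNS lookup and the TLS SNI field. The function name, the token value and the `example.com` URLs are constructed for illustration.

```python
from urllib.parse import urlsplit, unquote

# URL components a passive network observer can read, per scheme.
# For https the host leaks through DNS and TLS SNI (assuming no Encrypted
# Client Hello); the fragment is never sent over the network at all.
WIRE_VISIBLE = {
    "http": {"host", "path", "query"},
    "https": {"host"},
}


def secret_exposure(url: str, secret: str) -> dict:
    """Locate `secret` in `url` and list the components exposed in transit."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in WIRE_VISIBLE:
        raise ValueError(f"unsupported scheme: {scheme!r}")

    # Percent-decode so an encoded token (e.g. %3A for ':') is still found.
    fields = {
        "host": parts.hostname or "",  # urlsplit lowercases the hostname
        "path": unquote(parts.path),
        "query": unquote(parts.query),
        "fragment": unquote(parts.fragment),
    }
    found = []
    for name, value in fields.items():
        needle = secret.lower() if name == "host" else secret
        if needle in value:
            found.append(name)

    visible = [name for name in found if name in WIRE_VISIBLE[scheme]]
    return {"found_in": found, "visible_on_network": visible}


if __name__ == "__main__":
    token = "123456:CONSTRUCTED-example-token"  # constructed, not a real token
    samples = [
        f"https://api.telegram.org/bot{token}/getMe",
        f"http://api.telegram.org/bot{token}/getMe",
        "https://example.com/cb?token=123456%3ACONSTRUCTED-example-token",
        "https://constructedsecret.example.com/inbox",
    ]
    for url in samples:
        needle = "constructedsecret" if "constructedsecret" in url else token
        print(url, secret_exposure(url, needle))
```
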