In the provider configuration UI, sensitive fields such as bot_token (e.g., in the Telegram provider) are correctly rendered with type="password" to hide their values. However, the actual token value is still visible in the DOM (e.g., through browser dev tools), defeating the purpose of marking it as sensitive.