#Anyone getting malformed requests to

could you show an example ?

@glass vault From API Gateway logs:

{
    "httpMethod": "GET",
    "path": "/prod/patient/validate%22,%22headers%22:%7B%22X-11labs-Conversation-ID%22:%22conv_0001kh4ens4kfzat59k2j3vvfpsa%22,%22x-api-key%22:%22%3CREDACTED%3E%22%7D,%22path_params%22:%7B%7D,%22query_params%22:%7B%7D,%22body%22:%22%7B/%22callerId",
    "protocol": "HTTP/1.1",
    "requestTime": "11/Feb/2026:16:10:26 +0000",
    "status": "403",
}

The part after /prod/patient/validate (my actual endpoint) URI-decoded is

","headers":{"X-11labs-Conversation-ID":"conv_0001kh4ens4kfzat59k2j3vvfpsa","x-api-key":"<REDACTED>"},"path_params":{},"query_params":{},"body":"{/"callerId

The headers are ones that my ElevenLabs tools are set up to include. The <REDACTED> is especially telling since this is the form that workspace Secrets take in post-call webhook events.

Some of these conversation IDs I'm seeing date back to a few months ago also FWIW

Only getting these on one of my APIs (we have multiple clients each with their own unique API URL) and the traffic isn't anything like a DOS attack (got about 25 from 2026-02-11T16:10:26.952Z to 2026-02-11T16:27:21.231Z, then nothing, then just got 2 more now); seems more like scanning for vulnerabilities to exploit. IPs are distributed totally randomly but they all have that same malformed path.