AccessToken header automatically gets changed to *****


We are trying to make an API proxy, where most calls need a header called AccessToken. This header is just supposed to pass through to the backend system, which needs it for authorization, but for some reason Apigee changes the value to ***** (5 stars). We tried using another header and copying the value, since it only changes the header called "AccessToken", but it immediately reverts to *****.

Unfortunately we do not have the option of renaming the header in the backend system.

Why is this exact header changed, and how do we avoid it?

Note that we are not using any OAuth and the API is protected with another header called apikey.

1 ACCEPTED SOLUTION

@Alexander Bang Welcome to Apigee Community,

I am sure you are referring to the trace tool and the Authorization header displayed in the trace tool. It's by design. The Authorization header value is masked in the Edge trace UI since it contains sensitive data. The actual header value is sent to the target server. Apigee Edge doesn't change any request / response until or unless you configure it to do so in the API Proxy. Apigee Edge works as a passthrough by default.

Hope it helps. Keep us posted if you have any further questions.


2 REPLIES 2

adas
Participant V

By default we mask the Authorization header, so that's the reason you might be seeing *****. You can assign that header value to another variable and it would show up in trace. It's just the masked value in trace, but Apigee is actually not changing the values of your request or response unless you specifically set policies to do that.

If you are saying your header name is called "AccessToken" and that is also being masked, then your org might have debug mask enabled for specific request/response patterns. The debug masking related feature is documented here:

You can do this at an API level, org level or env level.
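
One way to check the debug-mask explanation from the last reply, as an added example that is not part of the thread and not Apigee's own code: it parses a mask configuration document and reports at which scope a request header is listed for masking in trace. The XML element names follow Apigee Edge's MaskDataConfiguration format; the sample document, the function names and the case-insensitive comparison are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample, shaped like an Apigee Edge mask configuration.
SAMPLE_MASK_CONFIG = """<MaskDataConfiguration name="default">
  <XPathsRequest>
    <XPathRequest>/order/payment/cardNumber</XPathRequest>
  </XPathsRequest>
  <Variables>
    <Variable>request.header.AccessToken</Variable>
    <Variable>request.formparam.password</Variable>
  </Variables>
</MaskDataConfiguration>"""


def masked_variables(config_xml):
    """Return the flow variable names listed under <Variables>."""
    root = ET.fromstring(config_xml)
    if root.tag != "MaskDataConfiguration":
        raise ValueError("not a MaskDataConfiguration document: " + root.tag)
    names = []
    for node in root.findall("./Variables/Variable"):
        if node.text and node.text.strip():
            names.append(node.text.strip())
    return names


def header_is_masked(config_xml, header_name, message="request"):
    """True if <message>.header.<header_name> is listed for masking.

    Assumption: names are compared case-insensitively, so an audit
    errs toward reporting a header as masked.
    """
    wanted = "{}.header.{}".format(message, header_name).lower()
    return any(v.lower() == wanted for v in masked_variables(config_xml))


def scopes_masking_header(header_name, configs):
    """configs maps a scope label (e.g. 'org', 'api') to the mask
    config XML fetched for that scope, or None if none is defined."""
    return [scope for scope, xml_text in configs.items()
            if xml_text and header_is_masked(xml_text, header_name)]


if __name__ == "__main__":
    found = scopes_masking_header(
        "AccessToken", {"org": SAMPLE_MASK_CONFIG, "api": None})
    print("AccessToken is masked in trace at scope(s):", found or "none")
```

A hit here only explains what the trace tool displays; as both replies state, the value forwarded to the target is not altered by masking.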