I have a REST API resource for a public app that contains an auth key header I don't want to expose. If I just create a resource and add it to the headers, it can be seen in the browser developer tools.
I know using custom auth might be a solution, but it doesn't work with public apps. What are my options?
It turns out Retool has a convention that if a resource's request header is named Authorization, it will sanitise it and not return it to the browser.
Will that always be supported, as I can't find any official information in the docs about it?
Hi @vangelov, the Authorization header should always be sanitized when REST queries are run. However, when queries are previewed, the Authorization header will be visible in the response in Retool.
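One way to check what the browser actually receives, as an added example that is not part of this thread or Retool's own code: export the network log from the browser developer tools as a HAR file and search it for the key. The key, URLs and response shape below are constructed placeholders, and `findSecretExposure` is a hypothetical helper name.

```javascript
// Added example; every value below is constructed, including the placeholder key.
const SECRET = "PLACEHOLDER-API-KEY-123";

// HAR stores binary or compressed bodies base64-encoded; decode before searching.
function bodyText(content) {
  if (!content || typeof content.text !== "string") return "";
  return content.encoding === "base64"
    ? Buffer.from(content.text, "base64").toString("utf8")
    : content.text;
}

// List every place in the capture where the browser could read the secret.
function findSecretExposure(har, secret) {
  const needles = [secret, encodeURIComponent(secret)];
  const seen = (s) => typeof s === "string" && needles.some((n) => s.includes(n));
  const hits = [];
  (har.log?.entries ?? []).forEach((entry, i) => {
    const { request = {}, response = {} } = entry;
    if (seen(request.url)) hits.push({ entry: i, where: "request.url" });
    for (const h of request.headers ?? [])
      if (seen(h.value)) hits.push({ entry: i, where: `request.header:${h.name}` });
    if (seen(request.postData?.text)) hits.push({ entry: i, where: "request.body" });
    for (const h of response.headers ?? [])
      if (seen(h.value)) hits.push({ entry: i, where: `response.header:${h.name}` });
    if (seen(bodyText(response.content))) hits.push({ entry: i, where: "response.body" });
  });
  return hits;
}

// Constructed capture: entry 0 echoes a redacted header, entry 1 echoes the real key
// inside a base64-encoded body. The response shape is hypothetical, not Retool's.
const echoed = (value) => JSON.stringify({ request: { headers: { Authorization: value } } });
const SAMPLE_HAR = { log: { entries: [
  { request: { url: "https://app.example.invalid/api/query", headers: [] },
    response: { headers: [], content: { text: echoed("[redacted]") } } },
  { request: { url: "https://app.example.invalid/api/preview", headers: [] },
    response: { headers: [], content: {
      encoding: "base64",
      text: Buffer.from(echoed("Bearer " + SECRET)).toString("base64") } } },
] } };

console.log(findSecretExposure(SAMPLE_HAR, SECRET));
```

Run it with Node.js against a HAR captured while using the public app as an unauthenticated visitor; an empty result means the key did not appear in any captured URL, header or body.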