Sanitize resource headers


I have a REST API resource for a public app that contains an auth key header I don't want to expose. If I just create a resource and add it to the headers it can be seen in the browser developer tools.

I know using custom auth might be a solution, but it doesn't work with public apps. What are my options?

It turns out Retool has a convention that if a resource's request header is named Authorization it will sanitise it and not return it to the browser.

Will that always be supported as I can't find any official information in the docs about it?

Hi @vangelov, the Authorization header should always be sanitized when REST queries are run. However, when queries are previewed, the Authorization header will be visible in the response in Retool.
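
An added example, not part of the thread and not Retool code: one way to check what actually reaches the browser is to export the network capture from the developer tools as a HAR file and search it for the key. The secret, URLs and HAR entries below are constructed placeholders, and the response shapes are assumptions rather than Retool's real format.

```javascript
// Constructed placeholder secret and HAR data; not Retool's real response format.
const SECRET = "CONSTRUCTED-KEY-0000";

const sampleHar = { log: { entries: [
  { // constructed: header value redacted before reaching the browser
    request: { url: "https://app.example.invalid/run/1", headers: [] },
    response: { headers: [], content: { text: '{"headers":{"Authorization":"[redacted]"}}' } },
  },
  { // constructed: custom header echoed back with the real value
    request: { url: "https://app.example.invalid/run/2", headers: [] },
    response: { headers: [], content: { text: `{"headers":{"X-Api-Key":"${SECRET}"}}` } },
  },
  { // constructed: same leak, but the HAR stored the body base64-encoded
    request: { url: "https://app.example.invalid/run/3", headers: [] },
    response: { headers: [], content: {
      encoding: "base64",
      text: Buffer.from(`{"key":"${SECRET}"}`).toString("base64"),
    } },
  },
] } };

// HAR bodies may be stored as base64 (content.encoding === "base64").
function bodyText(content) {
  if (!content || typeof content.text !== "string") return "";
  return content.encoding === "base64"
    ? Buffer.from(content.text, "base64").toString("utf8")
    : content.text;
}

const headerText = (headers) =>
  (headers || []).map((h) => `${h.name}: ${h.value}`).join("\n");

// Return every place in the capture where the secret is visible to the browser.
function findSecretLeaks(har, secret) {
  const hits = [];
  for (const { request, response } of har.log.entries) {
    const places = {
      "request.headers": headerText(request.headers),
      "request.body": bodyText(request.postData),
      "response.headers": headerText(response.headers),
      "response.body": bodyText(response.content),
    };
    for (const [where, text] of Object.entries(places)) {
      if (text.includes(secret)) hits.push({ url: request.url, where });
    }
  }
  return hits;
}

console.log(findSecretLeaks(sampleHar, SECRET));
```

For a real capture, replace `sampleHar` with the parsed HAR file, and treat the HAR itself as sensitive since it may contain the key.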