
unmask and return value in response

Hello ApigeeExperts/ @dchiesa1 

Trying to return "Authorization" and its value in response headers to the client application. Currently it is being masked and the value is returned as "XXXXXX", while when the same value is appended to a different header key it is returned as expected. Can I please have the steps to overcome this?


Hey @jaysudo,

I believe you're referring to the masking of the value in the Apigee Trace/Debug tool, correct? This is expected behaviour because the Authorization header contains sensitive data and is one of the only headers that Apigee masks by default.

Even though you see it masked (as "*******") during debugging, this does not mean that it will be returned as asterisks to the client. The client will receive the actual value of the Authorization header unless there is specific logic in your proxy or policies that modifies it before sending the response.

I also want to draw your attention to the fact that, in general, returning the Authorization header to the client is not best practice. This header is meant for the client to send authentication information to the server, not the other way around. Its primary purpose is to facilitate the authentication process where the client proves its identity to the server. Sending this header back to the client can create confusion and potential misuse.

Additionally, reassigning it to another header could potentially expose access tokens contained within, which could lead to significant security vulnerabilities. This practice can make sensitive data accessible in places where it should not be, increasing the risk of token leakage or unauthorised access.

Be cautious when handling or exposing headers containing sensitive authentication information.

Hope this helps clarify things!
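To check what a client actually receives, rather than what the Trace tool displays, a captured request/response header pair can be compared for echoed credentials, including ones copied under a different header name. The Python below is an added example, not part of the thread or of Apigee's tooling; the function names, the 8-character minimum and all header values are constructed for illustration.

```python
import base64

# Header names that should not appear in a response at all.
CREDENTIAL_HEADERS = {"authorization", "proxy-authorization"}
MIN_FRAGMENT_LEN = 8  # assumption: ignore very short values to limit false positives


def credential_fragments(authorization_value):
    """Strings that identify this credential if they show up in a response."""
    value = authorization_value.strip()
    fragments = {value}
    scheme, _, token = value.partition(" ")
    token = token.strip()
    if token:
        fragments.add(token)  # the bare token without its scheme
        if scheme.lower() == "basic":
            try:
                # Basic credentials are base64("user:password"); match the decoded form too.
                fragments.add(base64.b64decode(token, validate=True).decode("utf-8"))
            except ValueError:  # covers malformed base64 and non-UTF-8 bytes
                pass
    return {f for f in fragments if len(f) >= MIN_FRAGMENT_LEN}


def find_reflected_credentials(request_headers, response_headers):
    """Return (header_name, reason) for each response header that leaks the credential."""
    auth = next((v for k, v in request_headers.items()
                 if k.lower() == "authorization"), None)
    fragments = credential_fragments(auth) if auth else set()
    findings = []
    for name, value in response_headers.items():
        if name.lower() in CREDENTIAL_HEADERS:
            findings.append((name, "credential header present in response"))
        elif any(f in value for f in fragments):
            findings.append((name, "request credential reflected under another name"))
    return findings


# Constructed sample data (not real credentials).
SAMPLE_REQUEST = {"Authorization": "Bearer constructed-sample-token-0001"}
SAMPLE_RESPONSE = {
    "Content-Type": "application/json",
    "Authorization": "Bearer constructed-sample-token-0001",
    "X-Upstream-Auth": "Bearer constructed-sample-token-0001",
}

if __name__ == "__main__":
    for header, reason in find_reflected_credentials(SAMPLE_REQUEST, SAMPLE_RESPONSE):
        print(f"{header}: {reason}")
```

Run it against headers captured at the client, since the Trace view masks the Authorization value and will not show whether the real token was returned.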

Hi @jaysudo - Thank you for engaging, and a big thank you to @nmarkevich for providing a reply. 😉

If this resolves your question, feel free to mark the response as an accepted solution to help others who might have a similar query.

We also encourage you to explore our latest articles; we’ve been publishing new content that we hope you’ll find valuable.