Hi,

We want to use an app to expose a single admin-restricted API endpoint to non-admin users, so we want to give the app a secure setting that contains a token created by one of our admins and call it with {{setting.token}} (in client.request, with secure: true and cors: false). However, when we do this, we get an error "could not authenticate you".

Using the same setting in a request to https://webhook.site/ shows that the correct token is sent (this token is also working fine when manually used in the app locally, so its not an issue with the token).

I have noticed that external urls sent with client.request show in the network log as encoded with a proxy url, but zendesk urls even if they are fully quantified (https://subdomain.zendesk.com/api/endpoint) are never passed like this, and I'm wondering if maybe Zendesk urls don't go through the proxy that applies the secure parameters? Can I not use secure params in client.request calls to Zendesk apis?

Thanks,

Cheryl