Private Dynamic Header Value in API Request

Is it possible to dynamically add a private value to an API request header?

I’m accessing the Shopify API during a workflow. Shopify requires an access token (acquired during OAuth and stored in the DB) to be sent in the header when making the request.

I’m able to dynamically populate this access token when the value is not marked as “private” in Bubble’s API connector. However, Bubble’s API docs mention:

Note that even though by default, API calls are made from the server, a description of the call is sent to the browser and are thus visible to a savvy user. This means that any sensitive parts of the call, especially secrets / tokens, should be in fields marked “Private”.

I obviously don’t want to reveal a store’s access token because then anyone can access the data for that store. However, marking that field as “private” does not allow me to dynamically populate a store’s token.

How do I go about getting this to work properly?

Bumping this. I’m working with more API integrations and really need a way to hide client secrets and tokens.

Bumping

Looks like no one ever answered this. I can’t find an answer online myself.

I’m in the same boat.

Anyone figure this out?

The answer is no, it’s not possible.
However, this is not an issue if the dynamic value you are sending belongs to the current user. The privacy rules need to be set correctly so only the user that uses this API key should get access to it.