Hi, does this actually work? Currently it appears that the Authorization header is part of the blocked list and so this comes back as a denied custom header. I've noticed that if you don't set HTTP_ACCEPT then it silently fails. Apologies if this has been discussed already but I would really love to use this feature. Currently the only way I can see this working is if I intercept the incoming request on my server and setting the Authorization header manually based on a token input.