Description:
Hi Team,
We’ve identified a limitation related to header injection when configuring API calls via button actions in Harness.
Issue:
Currently, we are unable to pass the logged-in user’s email dynamically in the API request header from a button action.
Impact:
This restriction is preventing us from implementing fine-grained access control based on the logged-in user context.
Without this capability, we are unable to enforce proper authorization logic in downstream services.
Current Workaround:
We are passing the user email via query parameters instead of headers.
However, this is not ideal due to:
- Security concerns (query params are more exposed/logged)
- Standard API design practices prefer headers for identity/context propagation
Request: Introduce support for injecting logged-in user attributes (e.g., email) into API request headers for button-triggered actions.
Ideally, this should align with how user context is exposed in formContext or similar constructs and allow consistent usage across API