Any API must have its caller with authorization bearer credentials decrypted outside of the scope of the client, and cannot even be sent the results of an encrypting/decrypting service (to protect the API user from theft).
If a private decryption method can hide the result from the public client caller (function), wouldn't a nice proposal be to have a new global method that decrypts for the Authorization headers of a W3C fetch request? This way we can have logic on the client (Cloudflare edge service worker tokenize, no redirect nor DigitalOcean second POST needed, perhaps just GET from such a service hosting an API key to be held privately). Here, the service decrypts instead of the potential new private caller, but encryption of the Authorization header can be called by a method that is private from the client AND the Network tab in Chrome DevTools inspect, perhaps only when finally sending to HTTP (as I imagine the code the data populating devtools happens within the block before return).
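The arrangement the post mentions, an edge service that holds the API key privately and attaches the Authorization header itself, written out as an added example (not code from the post or from any project it names). `UPSTREAM_ORIGIN`, `env.API_KEY`, `buildUpstreamRequest` and the sample hostnames are assumed names; the handler follows the Cloudflare Workers module shape.

```javascript
// Added example: the key lives only in the edge service's environment binding,
// so the browser (and its Network tab) only ever sees a credential-free GET.
const UPSTREAM_ORIGIN = "https://api.example.com"; // placeholder upstream API

// Build the upstream call from the browser's request.
// Nothing credential-like is copied from the client: headers are allow-listed.
function buildUpstreamRequest(clientUrl, clientMethod, clientHeaders, env) {
  if (!env || !env.API_KEY) throw new Error("API_KEY binding missing");
  // GET only, following the post's "perhaps just GET".
  if (clientMethod !== "GET") return { error: 405 };

  const inUrl = new URL(clientUrl);
  // Pin the origin. Assigning pathname/search (instead of resolving a
  // relative URL) keeps a path such as "//other.host/x" on the pinned host.
  const outUrl = new URL(UPSTREAM_ORIGIN);
  outUrl.pathname = inUrl.pathname;
  outUrl.search = inUrl.search;

  const headers = new Headers();
  const accept = clientHeaders.get("accept");
  if (accept) headers.set("accept", accept);
  // Any Authorization or Cookie header sent by the browser is dropped here;
  // the bearer value is added server-side and never returned to the client.
  headers.set("authorization", `Bearer ${env.API_KEY}`);
  return { url: outUrl.toString(), method: "GET", headers };
}

// Worker entry point shape. In a Worker module this object is the default export.
const worker = {
  async fetch(request, env) {
    const up = buildUpstreamRequest(
      request.url, request.method, request.headers, env);
    if (up.error) return new Response(null, { status: up.error });
    const res = await fetch(up.url, { method: up.method, headers: up.headers });
    // Relay status and body only; upstream headers are not echoed back.
    return new Response(res.body, {
      status: res.status,
      headers: {
        "content-type": res.headers.get("content-type") || "text/plain",
      },
    });
  },
};
```

The Network tab shows the request to the edge service and the relayed response; the request that carries the bearer header is made from the edge service, outside the browser.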