decryption for fetch before W3C calls

Any API must have it's caller with authorization bearer credentials decrypted outside of the scope of the client, and cannot be even sent the results of an encrypting/decrypting service (to protect the API user from theft).

If a private decryption method can hide the result from the public client caller (function), wouldn't a nice proposal be to have a new global method that decrypts for the Authorization headers of a W3C fetch request? This way we can have logic on the client (cloudflare edge service worker tokenize, no redirect nor digital ocean second POST needed perhaps just GET from such a service hosting an API key to be held privately). Here, the service decrypts instead of the potential new private caller, but encryption of the Authorization header can be called by a method that is private from the client AND the Network tab in Chrome devtools inspect, perhaps only when finally sending to HTTP (as I imagine the code the data populating devtools happens within the block before return).

This discourse is for the JS language - fetch is specified in HTML.