Support Custom Headers (e.g., Authorization) in Document Preview Form Element #1428
Description
Is your feature request related to a problem? Please describe.
Currently, the Document Preview form element in Camunda Web Modeler does not support sending custom headers (e.g., Authorization: Bearer ) when fetching documents.
This creates a limitation when trying to preview or download documents from secure endpoints that require authentication, such as those protected by OAuth2 or other token-based schemes.
It prevents us from fully integrating secure document APIs with Camunda forms.
Describe the solution you'd like
Add support for configuring custom HTTP headers in the Document Preview component, specifically to allow setting an Authorization header.
Ideally, headers could be dynamically evaluated via FEEL expressions or variables (e.g., ${bearerToken}), just like other form elements support dynamic values.
Example structure:
{
"documentId": "u123",
"endpoint": "https://api.example.com/documents/u123",
"headers": {
"Authorization": "Bearer ${bearerToken}"
},
"metadata": {
"fileName": "Document.pdf",
"contentType": "application/pdf"
}
}
Describe alternatives you've considered
Using a proxy server to inject the Authorization header server-side. This approach increases complexity and adds an extra infrastructure dependency.
Embedding static tokens in the document endpoint URL (which is insecure and not maintainable).
Avoiding secure endpoints entirely and exposing documents publicly, which is not acceptable for sensitive data.
Additional context
This limitation affects compliance and security in enterprise setups.