We have Apigee passing calls directly to our backend services. However Apigee seems to remove the headers for Authorization: Bearer
How can I force Apigee to keep Authorization headers and not strip them out
Try to check in your service, in Remove Header Authorization (it is policy that auto created by apigee) you will see the code below:
<Remove>
<Headers>
<Header name="Authorization"/>
<Header name="Accept"/>
<Header name="accept-encoding"/>
<Header name="cache-control"/>
<Header name="cookie"/>
<Header name="Postman-Token"/>
</Headers>
</Remove>
So, you have to remove <Header name="Authorization"/>