user={email} when the request should use a user-owned secret for a specific user.
Authorization
OAuth callers must own the user secret. Ifuser is supplied, it must match the OAuth subject.
API-key callers run as the API key’s service account. The service account must have use_proxy_secrets, and the target secret must grant that service account per-secret use_proxy.
Behavior
The proxy sets the upstreamAuthorization header from the secret value. OAuth credential secrets are refreshed when needed and saved as a new secret version.
The proxy supports normal HTTP requests, WebSocket upgrades, and streaming SSE responses.