We replied to a support ticket about this as well. I’m copying our answer there to share it with anyone finding this topic in a search:
It’s important to note that we don’t send the token through. What the
signedsetting is for is signing the JSON Web Signature. This is mentioned in Netlify docs here:Rewrites and proxies | Netlify Docs
signeddoesn’t send the token. It instead uses the token to sign the JWS and then the signed JWS is passed to the proxied app.If you’re not using JSW, but need to send the token as is, you would need to put the token into the netlify.toml file as a literal string.
Fool has an example of how to find/replace placeholders with environment variables configured at Netlify here:
[Support Guide] Using environment variables on Netlify correctly - #26 by fool