I read the documentation about secret tokens in APM. It looks like we can only set a single token on the APM server. If the secret_token in apm-server.yml has been enabled, it means that all agents will have to be configured with that same token. On javascript applications, it's a waste to set the token since users can open the javascript file and read the code. I didn't want to put the token in the frontend to prevent giving an idea about our APM server. How should we set it up in such a way that frontend applications don't have to set token while our backend application can use the token?
Found out secret_token is not needed by RUM. There was no need to modify Nginx and override Authorization bearer.