When Business Central performs outbound HTTP calls — for example, VAT ID validation via the FinanzOnline/EVATR service — the platform automatically appends two internal tracing headers to every request:
traceparent(W3C Trace Context standard)Correlation-Context(containing internal BC telemetry data such as ControlId, ControlEventId, FieldId, TableId, FormId, FilterGroup, and SearchFilter values)
Problem
These headers are intended for internal platform observability and carry BC-internal metadata that has no meaning for the receiving external service. Sending them to third-party APIs causes several issues:
- HTTP 400 errors on strict endpoints — Some external APIs (e.g. the German BZST EVATR/VIES endpoint
api.evatr.vies.bzst.de) reject requests with a400 Bad Requestresponse when unexpected headers are present, making the VAT validation fail entirely. A subsequent retry seconds later with the same payload succeeds (HTTP 200) — confirming the header is the root cause, not the payload itself. - Data minimisation / privacy — The
Correlation-Contextheader exposes internal BC infrastructure details (form IDs, table IDs, active filter configuration) to external parties, which is undesirable from a data minimisation perspective. - Unpredictable compatibility — Any extension or AppSource app that uses
HttpClientinherits this behavior without being able to opt out, making integrations fragile against strict third-party endpoints.
Expected behavior
Platform-internal tracing headers should only be forwarded to Microsoft-controlled endpoints (e.g. Azure services, Microsoft APIs). For all external, non-Microsoft HTTP calls they should be stripped before the request leaves the BC platform.
Workaround / current state
There is no AL-level API to remove or suppress specific request headers added by the platform. AL developers can add headers but cannot remove platform-injected ones. The only current workaround is retrying on failure, which is unreliable.
Suggested solution
Provide one or more of the following:
- Automatically strip
traceparentandCorrelation-Contextfrom outboundHttpClientrequests to non-Microsoft domains. - Expose a property on
HttpRequestMessageor a platform setting that allows AL code to opt out of platform-injected headers. - Document clearly which headers the platform injects and under what conditions.
