1

When Business Central performs outbound HTTP calls — for example, VAT ID validation via the FinanzOnline/EVATR service — the platform automatically appends two internal tracing headers to every request:

  • traceparent (W3C Trace Context standard)
  • Correlation-Context (containing internal BC telemetry data such as ControlId, ControlEventId, FieldId, TableId, FormId, FilterGroup, and SearchFilter values)

Problem

These headers are intended for internal platform observability and carry BC-internal metadata that has no meaning for the receiving external service. Sending them to third-party APIs causes several issues:

  1. HTTP 400 errors on strict endpoints — Some external APIs (e.g. the German BZST EVATR/VIES endpoint api.evatr.vies.bzst.de) reject requests with a 400 Bad Request response when unexpected headers are present, making the VAT validation fail entirely. A subsequent retry seconds later with the same payload succeeds (HTTP 200) — confirming the header is the root cause, not the payload itself.
  2. Data minimisation / privacy — The Correlation-Context header exposes internal BC infrastructure details (form IDs, table IDs, active filter configuration) to external parties, which is undesirable from a data minimisation perspective.
  3. Unpredictable compatibility — Any extension or AppSource app that uses HttpClient inherits this behavior without being able to opt out, making integrations fragile against strict third-party endpoints.

Expected behavior

Platform-internal tracing headers should only be forwarded to Microsoft-controlled endpoints (e.g. Azure services, Microsoft APIs). For all external, non-Microsoft HTTP calls they should be stripped before the request leaves the BC platform.

Workaround / current state

There is no AL-level API to remove or suppress specific request headers added by the platform. AL developers can add headers but cannot remove platform-injected ones. The only current workaround is retrying on failure, which is unreliable.

Suggested solution

Provide one or more of the following:

  • Automatically strip traceparent and Correlation-Context from outbound HttpClient requests to non-Microsoft domains.
  • Expose a property on HttpRequestMessage or a platform setting that allows AL code to opt out of platform-injected headers.
  • Document clearly which headers the platform injects and under what conditions.


Category: Development
STATUS DETAILS
New