I haven’t tried to use “Body” when setting credential location. “Header” worked in this case.
And yes, the PATCH call should return null for the bearerToken so the token isn’t displayed in plaintext, which can be a security concern as these responses are often logged.