Steps to reproduce:

having 2 preprocessing rules in LLD rule (dependent item with JSON input)

• JSONPath: $.pageEntries
• JavaScript containing following lines (logging just for debugging purposes):

var oidc_credentials_json_string = '{"grant_type": "password", "accessCode1": "{$CLOUD.APP.GW.ACCESS.CODE.1}", "accessCode2": "{$CLOUD.APP.GW.ACCESS.CODE.2}", "scope": "openid h"}';
Zabbix.log(2, oidc_credentials_json_string);
var token_json_string = request_oidc.post("{$CLOUD.APP.OIDC.ACCESS.URL}" + "/oidc/grantToken", oidc_credentials_json_string);
Zabbix.log(2, token_json_string);

Result:

• macro values with access codes not used in the request when set as secret text, as seen in /var/log/zabbix/zabbix_proxy.log (active proxy traffic encrypted with PSK):

{"grant_type": "password", "accessCode1": "******", "accessCode2": "******", "scope": "openid h"}

• => request fails returning invalid authentication

Expected:

• secret text macros in JavaScript could be usable on zabbix_proxy (masking values in the log file in such case is OK)

Workaround:

• use plain text macros, then they are used, but also visible in ZBX frontend and zabbix_proxy.log (not preferred)
• for script items macro values can be provided as input parameters, then this problem is probably not present (not tested recently, but slightly remembered from the past), but parameters cannot be set for preprocessing steps (maybe there is another workaround, e.g. to add those macros somehow into input JSON, e.g. by preceeding preprocessing steps - not tested)