Art2link ESB v2.02 LTS

Authenticate at the boundary

Proving identity to the outside world is the job of the port and its adapter. Keep authentication and credentials at that boundary — never threaded through a map, component or custom function. The edge handles who you are; the inside handles what the message means.

Security and transformation are different concerns, and mixing them weakens both. A token fetched inside a map, a password embedded in a component, an API key passed through business logic — each scatters secrets across artifacts, makes rotation a hunt, and entangles “is this caller allowed” with “what does this field map to.” The transformation layer should be able to assume the connection is already trusted.

Configure authentication where the connection is actually made: on the receive or send port and its adapter, using the platform’s authentications rather than inline secrets. The message arriving on the bus is then already authenticated, and everything inside reasons purely about content. This also keeps credentials externalized and rotatable in one place.

[Diagram: outside world | port + adapter (auth) | inside: reasons about content only (maps, components; no secrets here)]

If a map or function holds a secret, it is doing the boundary’s job. Move the credential onto the port’s authentication and let the logic stay security-free.
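
The separation described above, sketched as an added example (not Art2link ESB code or its API): the map is a pure function over content, and the send port is the only place that resolves a credential, by reference, from external storage. `SecretStore`, `SendPort`, `order_map`, the URL and the token values are hypothetical names and constructed sample data.

```python
from dataclasses import dataclass
from typing import Callable


class SecretStore:
    """Stand-in for externalized credential storage (assumption, not a platform API)."""

    def __init__(self) -> None:
        self._secrets: dict = {}

    def put(self, ref: str, value: str) -> None:
        self._secrets[ref] = value

    def get(self, ref: str) -> str:
        return self._secrets[ref]


def order_map(msg: dict) -> dict:
    """Transformation layer: content only. No token fetch, no API key, no headers."""
    return {"orderId": msg["id"], "total": round(msg["qty"] * msg["unit_price"], 2)}


@dataclass
class SendPort:
    """Boundary: holds a reference to the credential and attaches it when sending."""

    url: str
    auth_ref: str  # name of the credential in the store, never its value
    store: SecretStore
    transport: Callable[[str, dict, dict], None]

    def send(self, body: dict) -> None:
        # The credential is resolved here, at the moment the connection is made.
        headers = {"Authorization": f"Bearer {self.store.get(self.auth_ref)}"}
        self.transport(self.url, headers, body)


def run_demo() -> list:
    """Send the same mapped message before and after a rotation; return what left the port."""
    store = SecretStore()
    store.put("partner-api", "constructed-token-v1")  # constructed sample value
    sent: list = []
    port = SendPort("https://partner.example/orders", "partner-api", store,
                    lambda url, headers, body: sent.append((headers, body)))
    inbound = {"id": "A-17", "qty": 3, "unit_price": 9.99}  # constructed sample message
    port.send(order_map(inbound))
    store.put("partner-api", "constructed-token-v2")  # rotation touches one place only
    port.send(order_map(inbound))
    return sent
```

Rotating the credential changes what the port sends without any edit to `order_map`, and the mapped body never contains the token.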