diff --git a/docs/developer-guide/extensions/proxy-extensions.md b/docs/developer-guide/extensions/proxy-extensions.md
index e75cc03beae2c..8074537170811 100644
--- a/docs/developer-guide/extensions/proxy-extensions.md
+++ b/docs/developer-guide/extensions/proxy-extensions.md
@@ -243,7 +243,7 @@ same headers are also sent to the backend service. The backend service
 must also validate if the validated headers are compatible with the
 rest of the incoming request.
 
-### Outgoing Requets Headers
+### Outgoing Requests Headers
 
 Requests sent to backend services will be decorated with additional
 headers. The outgoing request headers are documented below:
diff --git a/server/extension/extension_test.go b/server/extension/extension_test.go
index 51d281960013c..cb71f01a2148b 100644
--- a/server/extension/extension_test.go
+++ b/server/extension/extension_test.go
@@ -342,9 +342,11 @@ func TestExtensionsHandler(t *testing.T) {
 		f.rbacMock.On("EnforceErr", mock.Anything, rbacpolicy.ResourceExtensions, rbacpolicy.ActionInvoke, mock.Anything).Return(extAccessError)
 	}
 
-	secrets := make(map[string]string)
-	secrets["extension.auth.header"] = "Bearer some-bearer-token"
 	withExtensionConfig := func(configYaml string, f *fixture) {
+		secrets := make(map[string]string)
+		secrets["extension.auth.header"] = "Bearer some-bearer-token"
+		secrets["extension.auth.header2"] = "Bearer another-bearer-token"
+
 		settings := &settings.ArgoCDSettings{
 			ExtensionConfig: configYaml,
 			Secrets:         secrets,
@@ -363,6 +365,9 @@ func TestExtensionsHandler(t *testing.T) {
 
 	startBackendTestSrv := func(response string) *httptest.Server {
 		return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			for k, v := range r.Header {
+				w.Header().Add(k, strings.Join(v, ","))
+			}
 			fmt.Fprintln(w, response)
 		}))
 
@@ -482,6 +487,7 @@ func TestExtensionsHandler(t *testing.T) {
 		require.NoError(t, err)
 		actual := strings.TrimSuffix(string(body), "\n")
 		assert.Equal(t, response1, actual)
+		assert.Equal(t, "Bearer some-bearer-token", resp1.Header.Get("Authorization"))
 
 		require.NotNil(t, resp2)
 		assert.Equal(t, http.StatusOK, resp2.StatusCode)
@@ -489,6 +495,7 @@ func TestExtensionsHandler(t *testing.T) {
 		require.NoError(t, err)
 		actual = strings.TrimSuffix(string(body), "\n")
 		assert.Equal(t, response2, actual)
+		assert.Equal(t, "Bearer another-bearer-token", resp2.Header.Get("Authorization"))
 	})
 	t.Run("will return 401 if sub has no access to get application", func(t *testing.T) {
 		// given
@@ -667,9 +674,15 @@ extensions:
   backend:
     services:
     - url: %s
+      headers:
+      - name: Authorization
+        value: '$extension.auth.header'
       cluster:
         name: %s
     - url: %s
+      headers:
+      - name: Authorization
+        value: '$extension.auth.header2'
       cluster:
         server: %s
 `
@@ -731,8 +744,8 @@ extensions:
   backend:
     services:
     - url: https://httpbin.org
-	  headers:
-	  - value: '$some.secret.key'
+      headers:
+      - value: '$some.secret.key'
 `
 }
 
@@ -743,7 +756,7 @@ extensions:
   backend:
     services:
     - url: https://httpbin.org
-	  headers:
-	  - name: some-header-name
+      headers:
+      - name: some-header-name
 `
 }