How can a third party track/fetch a web project's API network calls through code?

Question

I want to know how can third-party apps access API network calls. Like the API's request headers, response headers, payload, etc. Example - Sentry has a feature "Relay" which can track user movements and even records API calls.

Shouldn't there be some browser restriction to such cases, as the sensitive data will also be forwarded?

Answer 1

With Relay the client-side code making the requests is changed so it makes the requests to the Relay server instead.

Since it is receiving the request, it has full access to it.