Here's a link to /api/redirect?auth-token=TOPSECRET. The auth-token param is intended for the API route--it should not be sent along to the external redirect target.

Link to an API route that redirects to nextjs.org

Here's a link to /middleware/redirect?auth-token=TOPSECRET. The auth-token param is intended for the middleware function--it should not be sent along to the external redirect target.. This works when running locally, but when deployed to Vercel the auth-token param is incorrectly appended to the redirect target.

Link to a middleware/edge function that redirects to nextjs.org