Should API bug reports include sanitized request bodies by default?

A Software Q&A prompt about making API errors reproducible while keeping tokens, cookies, and customer data out of public debugging records.

An API bug report without a request shape is hard to reproduce. But copying the real request can expose tokens, cookies, customer IDs, or private payloads. I think the useful middle is a sanitized request body: same field names, same nulls, same array shape, safe placeholder values. Pair that with method, endpoint, status code, response body, and trace ID if available. Do you expect sanitized request bodies in API bug reports by default, or only after someone asks for them?