@irsdl
Created August 29, 2025 20:56
This is an example of a Burp Suite Action Script that can be used in Repeater. It extracts the `access_token` value from the response of the most recent matching request in the Proxy history and updates the `Authorization: Bearer` header of the current Repeater request with that value.
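// @irsdl
// Burp Suite Repeater action script.
// Finds the most recent Proxy-history entry for TARGET_HOST + PATH_PREFIX whose response
// carries STATUS_CODE, extracts the "access_token" field from its body and writes it into
// the Authorization header of the request currently shown in Repeater.
// Bindings supplied by Burp to action scripts and used here: api, logging, httpEditor,
// requestResponse. Top-level `return` ends the script early.

// === Config: set what you want to match ===
final String TARGET_HOST = "oauth.example.io"; // target domain
final String PATH_PREFIX = "/auth/realms/onba/openid-connect/token"; // match exact or any child path
final short STATUS_CODE = 200; // match the status code where the response has access_token
// Computed once here instead of on every history entry inside matches().
final String CHILD_PREFIX = PATH_PREFIX + "/";

// Build a ProxyHistoryFilter that only matches completed host+path+status hits
burp.api.montoya.proxy.ProxyHistoryFilter filter = new burp.api.montoya.proxy.ProxyHistoryFilter() {
    @Override
    public boolean matches(burp.api.montoya.proxy.ProxyHttpRequestResponse rr) {
        if (!rr.hasResponse()) {
            return false; // only completed entries
        }
        var req = rr.finalRequest();
        var svc = req.httpService();
        if (svc == null) {
            return false;
        }
        // match by host + path (ignore query) + response status
        String path = req.pathWithoutQuery();
        boolean hostOk = svc.host().equalsIgnoreCase(TARGET_HOST);
        boolean pathOk = path.equals(PATH_PREFIX) || path.startsWith(CHILD_PREFIX);
        boolean statusOk = rr.response().statusCode() == STATUS_CODE;
        return hostOk && pathOk && statusOk;
    }
};

// Pull only matching items from Proxy history
java.util.List<burp.api.montoya.proxy.ProxyHttpRequestResponse> matches = api.proxy().history(filter);
if (matches.isEmpty()) {
    logging.logToOutput("No Proxy history matches for host=" + TARGET_HOST + " pathPrefix=" + PATH_PREFIX);
    return;
}

// Pick the most recent by ZonedDateTime
burp.api.montoya.proxy.ProxyHttpRequestResponse latest =
        matches.stream()
                .max(java.util.Comparator.comparing(burp.api.montoya.proxy.ProxyHttpRequestResponse::time))
                .orElse(null);
if (latest == null) {
    // Cannot happen for a non-empty list; kept as a defensive guard.
    logging.logToOutput("Unexpected: no 'latest' after filtering.");
    return;
}

// Read request/response
var req = latest.finalRequest(); // HttpRequest
var res = latest.response(); // HttpResponse
int status = res.statusCode();
String url = req.url(); // (string URL for convenience)
String mime = latest.mimeType().toString();
String body = res.bodyToString(); // use res.body() for bytes
logging.logToOutput("Matched latest: " + req.method() + " " + url);
logging.logToOutput("Status=" + status + " | MIME=" + mime + " | bodyLen=" + body.length());

// --- Inline example: extract the JSON field "access_token" (no helper methods) ---
// Simple regex on the raw body; it does not handle JSON escape sequences inside the value,
// which is fine for bearer tokens (no quotes or backslashes) but not for arbitrary strings.
java.util.regex.Matcher m =
        java.util.regex.Pattern.compile("\"access_token\"\\s*:\\s*\"([^\"]+)\"").matcher(body); // regex to read the access token
String token = "";
if (m.find()) {
    token = m.group(1);
    // The token is a bearer credential: report that it was found, but keep the value out
    // of the extension output log.
    logging.logToOutput("Extracted token (" + token.length() + " chars); value not logged.");
} else {
    logging.logToOutput("No token field found in response body.");
}

// String equality must use equals()/isEmpty(), not ==/!= (reference comparison).
if (!token.isEmpty()) {
    httpEditor.requestPane().set(requestResponse.request().withUpdatedHeader("Authorization", "Bearer " + token));
}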