So primarily just noting this for anyone else because it was driving me nucking futs, but I do have one suggestion for Lucee as well.
I’ve been trying to work with Google’s Firebase API but have been struggling just getting past basic authentication. The endpoint I was trying to use was:
https://identitytoolkit.googleapis.com/v1/accounts:signInWithCustomToken?key=[API_KEY]
as noted in there documentation here.
Whenever I tried it though I kept getting a 404 error, which returned html, rather than any sort of json error like you normally see with an API.
(in hindsight this should have told me where the error was right away, but I also found some comments on stackoverflow suggesting this was no longer the correct endpoint so eh)
Further confusing me was that the request worked when I used postman on my local machine.
My assumption at this point was that either
a) Google was blocking our servers hosted on Azure
b) There was some extra headers being added by either Lucee or postman, or they were using different character encodings or something
After several hours of pulling my hair out, it finally clicked when I went back and looked at the original error message. The path was showing as this.
/v1/accounts%3AsignInWithCustomToken
Lucee was doing it’s job correctly, and escaping the characters
Just setting encodeurl=false fixed it 
So I do have one suggestion that I think would be a huge help for situations like this. One thing that I was trying to do was get a look at the actual HTTP request that was being generated to try and figure out what was actually being sent, and if I was missing something or there was something else being included, etc.
I was actually using requestcatcher.com to catch the request so I could view them, but due to me thinking there wasn’t a problem with the url, I didn’t include the full path (so that was my bad).
But even if I had done this it could have still proved problematic. Since these also contained sensitive authentication info, I was having to truncate the values to avoid security issues, so there still could have been some underlying bug I couldn’t see.
So it would have been really great if the http request generated by lucee could be saved as a string or a file, instead of being sent out. Simplest option would just be to include a flag called ‘debug’ or something like it, and if it’s set, the result variable is just replaced with the string that is the http request.