Endpoints support header authentication via the X-Origin-Token header. This lets you require incoming requests to include a specific token value, providing an additional layer of security beyond IP Filtering.
Header authentication is available for HTTP(S) Endpoints and can be used alongside IP Filtering for additional security.

Use Cases

Header authentication is primarily designed for CDN origin protection. When you place a CDN like AWS CloudFront in front of your Aptible Endpoint, you can configure the CDN to add an X-Origin-Token header with a secret value when forwarding requests, and configure your Endpoint to require that same token. This shared-secret approach helps ensure traffic reaches your app only through the CDN. Direct requests to your Aptible Endpoint URL will receive a 403 Forbidden response because they won’t have the required header. If the token is ever compromised, you should rotate it immediately in both your Endpoint settings and CDN configuration. Additional use cases include:
  • Securing webhooks or API endpoints that should only accept traffic from specific services
  • Adding an extra authentication layer for sensitive internal apps
  • Protecting staging or preview environments from unauthorized access

How It Works

When header authentication is enabled, all incoming requests are checked for the X-Origin-Token header. Requests with a missing or incorrect header value receive a 403 Forbidden response. Requests with a matching token proceed normally to your app. The token value is never exposed in responses.

Enabling Header Authentication

Header authentication is configured via the Aptible Dashboard on a per-Endpoint basis:
  • Edit an existing Endpoint or add a new Endpoint
  • In the Header Authentication Value field, enter your token value
  • Click Save Changes

Token Format Requirements

The token value may only contain:
  • Letters (a-z, A-Z)
  • Numbers (0-9)
  • Underscores (_)
  • Hyphens (-)
  • Colons (:)
  • Periods (.)

Removing Header Authentication

To disable header authentication, clear the Header Authentication Value field and save your changes.

Example: CloudFront Integration

To use header authentication with AWS CloudFront:
  1. Generate a secure random token value (e.g., using a password generator)
  2. Configure the token in your Aptible Endpoint’s Header Authentication Value setting
  3. In CloudFront, add a custom origin header:
    • Header Name: X-Origin-Token
    • Header Value: Your token value
Once configured, requests through CloudFront will include the header and reach your app, while direct requests to your Aptible Endpoint will be blocked.
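The following Python script is an added illustration, not Aptible's own code and not its edge implementation: it generates a token that satisfies the Token Format Requirements above, validates a token against that character set, and models the documented check (403 when the X-Origin-Token header is missing or wrong, otherwise the request proceeds). The sample requests are constructed; the `check_request` function and its 200/403 return values are assumptions made for the demonstration.

```python
import hmac
import re
import secrets
import string

# Character set permitted by the "Token Format Requirements" section:
# letters, digits, underscores, hyphens, colons and periods.
ALLOWED_CHARS = string.ascii_letters + string.digits + "_-:."
TOKEN_RE = re.compile(r"[A-Za-z0-9_\-:.]+")
HEADER_NAME = "X-Origin-Token"


def generate_token(length: int = 48) -> str:
    """Return a cryptographically random token built only from the permitted characters."""
    return "".join(secrets.choice(ALLOWED_CHARS) for _ in range(length))


def is_valid_token_format(token: str) -> bool:
    """True if the token is non-empty and uses only the permitted characters."""
    return TOKEN_RE.fullmatch(token) is not None


def check_request(headers: dict, expected_token: str) -> int:
    """Model the documented behaviour (hypothetical helper, not Aptible's code).

    Returns 403 when the header is missing or does not match, 200 otherwise.
    HTTP header names are case-insensitive, so the lookup normalises them.
    hmac.compare_digest keeps the comparison constant-time so the token value
    is not leaked through response timing.
    """
    normalised = {name.lower(): value for name, value in headers.items()}
    presented = normalised.get(HEADER_NAME.lower())
    if presented is None:
        return 403
    if not hmac.compare_digest(presented.encode(), expected_token.encode()):
        return 403
    return 200


if __name__ == "__main__":
    token = generate_token()
    assert is_valid_token_format(token)
    # Constructed sample requests: one forwarded by the CDN with the header, one sent directly.
    cdn_request = {"Host": "example.com", "X-Origin-Token": token}
    direct_request = {"Host": "example.com"}
    print(check_request(cdn_request, token))     # 200
    print(check_request(direct_request, token))  # 403
```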