> ## Documentation Index
> Fetch the complete documentation index at: https://www.aptible.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Header Authentication

[HTTP(S) Endpoints](/core-concepts/apps/connecting-to-apps/app-endpoints/https-endpoints/overview) support header authentication via the `X-Origin-Token` header. This lets you require incoming requests to include a specific token value, providing an additional layer of security beyond [IP Filtering](/core-concepts/apps/connecting-to-apps/app-endpoints/ip-filtering).

<Info>
  Header authentication is available for HTTP(S) Endpoints and can be used alongside [IP Filtering](/core-concepts/apps/connecting-to-apps/app-endpoints/ip-filtering) for additional security.
</Info>

## Use Cases

Header authentication is primarily designed for CDN origin protection. When you place a CDN like AWS CloudFront in front of your Aptible Endpoint, you can configure the CDN to add an `X-Origin-Token` header with a secret value when forwarding requests, and configure your Endpoint to require that same token.

This shared-secret approach helps ensure traffic reaches your app only through the CDN: direct requests to your Aptible Endpoint URL receive a `403 Forbidden` response because they do not carry the required header. The protection is only as strong as the secret, so anyone who learns the token can bypass the CDN by sending the header themselves. If the token is ever compromised, rotate it immediately in both your Endpoint settings and your CDN configuration. Because the Endpoint accepts a single token value, update the two settings as close together as possible: requests that still carry the old token are rejected as soon as the Endpoint's value changes.

Additional use cases include:

* Securing webhooks or API endpoints that should only accept traffic from specific services
* Adding an extra authentication layer for sensitive internal apps
* Protecting staging or preview environments from unauthorized access

## How It Works

When header authentication is enabled, every incoming request is checked for the `X-Origin-Token` header. Requests with a missing or incorrect header value receive a `403 Forbidden` response and are not forwarded to your app; requests with a matching token proceed normally. The token value is never exposed in responses.
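The following is an added example, not Aptible's implementation, that models the behaviour just described with constructed requests so it can be run offline: a missing or wrong `X-Origin-Token` answers `403`, a matching one lets the request through, and the expected value never appears in a response. The header lookup is case-insensitive because HTTP header names are; the constant-time comparison and the sample token value are this example's own choices, and the page does not say how the platform compares values.

```python
"""Simulation of the X-Origin-Token gate described above.

Added example, not Aptible's implementation: it models the documented
behaviour (missing or wrong header -> 403, matching header -> forwarded)
against constructed requests so it runs offline.
"""
import hmac
from typing import Dict, Mapping, Optional, Tuple

HEADER_NAME = "X-Origin-Token"


def get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """HTTP header names are case-insensitive, so look the header up that way.
    A CDN or proxy may forward it as 'x-origin-token'."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def check_origin_token(headers: Mapping[str, str], expected: str) -> Tuple[int, str]:
    """Return the (status, body) the gate answers with.

    Only a status and a generic body come back: the expected token never
    appears in a response, and a missing header and a wrong header are
    indistinguishable to the caller.
    """
    presented = get_header(headers, HEADER_NAME)
    if presented is None:
        return 403, "Forbidden"
    # Constant-time comparison (this example's choice; the page does not say
    # how the platform compares) so a mismatch leaks nothing about how much
    # of the token was right. Different lengths simply compare unequal.
    if not hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8")):
        return 403, "Forbidden"
    return 200, "forwarded to app"


def simulate(expected: str = "cdn-origin.example_token_1") -> Dict[str, Tuple[int, str]]:
    """Run the gate over constructed requests (sample data, not captured traffic)."""
    requests = {
        "direct, no header": {"Host": "app.example.com", "User-Agent": "curl/8.0"},
        "direct, guessed token": {"Host": "app.example.com", HEADER_NAME: "guess"},
        "via CDN, correct token": {"Host": "app.example.com", HEADER_NAME: expected},
        "via CDN, lowercased header": {"host": "app.example.com", "x-origin-token": expected},
        "empty header value": {HEADER_NAME: ""},
    }
    return {name: check_origin_token(hdrs, expected) for name, hdrs in requests.items()}


if __name__ == "__main__":
    for name, (status, body) in simulate().items():
        print(f"{status} {body:<17} <- {name}")
```

Only the "via CDN" rows reach the app; every direct attempt, including one that guesses a value or sends an empty header, gets the same generic `403`.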

## Enabling Header Authentication

Header authentication is configured via the Aptible Dashboard on a per-Endpoint basis:

* Edit an existing Endpoint or add a new Endpoint
* In the **Header Authentication Value** field, enter your token value
* Click **Save Changes**

## Token Format Requirements

The token value may only contain:

* Letters (a-z, A-Z)
* Numbers (0-9)
* Underscores (`_`)
* Hyphens (`-`)
* Colons (`:`)
* Periods (`.`)
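Because the Dashboard only accepts the characters listed above, a token copied from an arbitrary generator may be rejected. The following added example (not part of the Aptible docs or platform) generates a high-entropy token that fits the allowed set and validates any candidate against it; it also serves step 1 of the CloudFront walkthrough below. The byte length and the helper names are this example's own choices.

```python
"""Generate and validate an X-Origin-Token value that satisfies the character
set listed above (letters, digits, '_', '-', ':', '.').

Added example, not part of the Aptible docs or platform.
"""
import base64
import re
import secrets

# Exactly the alphabet the page allows; anything else (spaces, '+', '/', '=')
# is rejected.
ALLOWED = re.compile(r"[A-Za-z0-9_\-:.]+")


def is_valid_origin_token(token: str) -> bool:
    """True only if token is non-empty and uses allowed characters exclusively."""
    return ALLOWED.fullmatch(token) is not None


def generate_origin_token(nbytes: int = 32) -> str:
    """Return nbytes of CSPRNG output in the base64url alphabet
    (A-Z a-z 0-9 '-' '_', padding stripped), a subset of the allowed set.
    32 bytes gives 256 bits of entropy in 43 characters."""
    token = secrets.token_urlsafe(nbytes)
    if not is_valid_origin_token(token):  # defensive; cannot happen for base64url
        raise ValueError("generated token violates the allowed character set")
    return token


def standard_base64_token(nbytes: int = 32) -> str:
    """Counter-example: ordinary base64 uses '+', '/' and '=' padding, none of
    which the Endpoint accepts, so this value would be rejected when saved."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


if __name__ == "__main__":
    good = generate_origin_token()
    bad = standard_base64_token()
    print(good, is_valid_origin_token(good))  # True
    print(bad, is_valid_origin_token(bad))    # False: '=' padding, maybe '+' or '/'
```

Run `generate_origin_token()` once, paste the result into the **Header Authentication Value** field, and use the same string in the CDN configuration; run `is_valid_origin_token` over anything produced elsewhere before trying to save it.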

## Removing Header Authentication

To disable header authentication, clear the **Header Authentication Value** field and save your changes.

## Example: CloudFront Integration

To use header authentication with AWS CloudFront:

1. Generate a long, random token value that uses only the characters listed under **Token Format Requirements** (e.g., using a password generator restricted to letters and digits)
2. Configure the token in your Aptible Endpoint's **Header Authentication Value** setting
3. In CloudFront, add a custom origin header:
   * Header Name: `X-Origin-Token`
   * Header Value: Your token value

Once configured, requests through CloudFront include the header and reach your app, while direct requests to your Aptible Endpoint hostname that lack the header are blocked. To verify, request the Endpoint hostname directly and confirm a `403 Forbidden`, then request the same path through the CloudFront distribution and confirm your app's normal response.
