Gateway Headers Reference
The Consumer portal uses two sets of headers depending on the integration chain.
WEB Chain Headers
These headers are used for browser, mobile app, and portal-driven flows on /web/v1/consumer/** endpoints.
Authentication
| Header | Description |
|---|---|
| Authorization | `Bearer <jwt>` (JWT access token from login) |
| X-SC-Session-Id | Secure Channel session ID (required for encrypted endpoints) |
Gateway Context
| Header | Description |
|---|---|
| X-PORTAL-ACCESS-CODE | Consumer portal access code |
| X-Client-Hash | Client device fingerprint |
| X-Request-Id | Unique request identifier (UUID) |
| CF-Connecting-IP | Client IP address |
| Cf-Ray | Cloudflare ray ID |
| cf-ipcountry | Client country code |
| X-Forwarded-Proto | Protocol (https) |
| User-Agent | Client user agent |
| X-LOCALE | Request locale |
| Accept-Language | Accepted language |
| X-Workspace-Id | Workspace context (for workspace-scoped operations) |
Geo/CF Headers (injected by CDN)
| Header | Description |
|---|---|
| cf-region | Client region |
| cf-ipcity | Client city |
| cf-iplatitude | Client latitude |
| cf-iplongitude | Client longitude |
| cf-postal-code | Client postal code |
| cf-timezone | Client timezone |
API Chain Headers
These headers are used for server-to-server flows on /api/v1/consumer/** endpoints, authenticated with API keys.
Authentication
| Header | Description |
|---|---|
| X-Api-Key | API key identifier |
| X-Signature | HMAC signature of the request |
| X-Timestamp | Unix timestamp (60s validity window) |
| X-Nonce | Unique request identifier for replay protection |
Signature Computation
signature = HMAC-SHA256(apiSecret, method + path + timestamp + nonce + bodyHash)
Common Headers
| Header | Constant | Used by |
|---|---|---|
| X-SC-Session-Id | SESSION_ID_HEADER | SCv2 |
| X-SC-Version | VERSION_HEADER | SCv2 |
| Content-Type | application/json | All requests |
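
The check described under Signature Computation, seen from the receiving side, as an added example (not the gateway's own code). It assumes bodyHash is the lowercase hex SHA-256 of the raw body, X-Signature is hex-encoded, and the 60s window is applied on both sides of the server clock; `Verifier`, `sign` and the in-memory nonce store are hypothetical names.

```python
import hashlib
import hmac
import time

WINDOW_SECONDS = 60  # validity window stated for X-Timestamp


def sign(api_secret: bytes, method: str, path: str, timestamp: str, nonce: str, body: bytes) -> str:
    # Assumption: bodyHash is the lowercase hex SHA-256 of the raw body bytes.
    body_hash = hashlib.sha256(body).hexdigest()
    message = (method + path + timestamp + nonce + body_hash).encode("utf-8")
    # Assumption: the signature is carried hex-encoded in X-Signature.
    return hmac.new(api_secret, message, hashlib.sha256).hexdigest()


class Verifier:
    def __init__(self, secrets: dict):
        self.secrets = secrets  # X-Api-Key value -> apiSecret bytes
        self.seen = {}          # (api key, nonce) -> time first accepted

    def verify(self, method: str, path: str, headers: dict, body: bytes, now=None) -> str:
        now = int(time.time()) if now is None else now
        secret = self.secrets.get(headers.get("X-Api-Key", ""))
        if secret is None:
            return "unknown_key"
        nonce = headers.get("X-Nonce", "")
        if not nonce:
            return "missing_nonce"
        try:
            ts = int(headers["X-Timestamp"])
        except (KeyError, ValueError):
            return "bad_timestamp"
        if abs(now - ts) > WINDOW_SECONDS:
            return "stale"
        expected = sign(secret, method, path, headers["X-Timestamp"], nonce, body)
        sent = headers.get("X-Signature", "")
        if not hmac.compare_digest(expected.encode(), sent.encode()):  # constant-time compare
            return "bad_signature"
        # Nonces are recorded only after the HMAC verifies, and kept for the full replayable span.
        self.seen = {k: t for k, t in self.seen.items() if now - t <= 2 * WINDOW_SECONDS}
        key = (headers["X-Api-Key"], nonce)
        if key in self.seen:
            return "replay"
        self.seen[key] = now
        return "ok"
```

A deployment with more than one gateway instance would need the nonce store shared between instances; the dictionary here only covers a single process.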