Gateway Headers Reference
All headers injected or expected by the SlaunchX gateway layer.
Secure Channel Headers
| Header | Required | Chain | Description |
|---|---|---|---|
| X-SC-Session-Id | Conditional | WEB | Secure Channel session ID. Required for endpoints that accept encrypted payloads. |
| X-SC-Version | Conditional | WEB | Secure Channel protocol version. Sent alongside X-SC-Session-Id. |
Content-Type for Secure Channel
When Secure Channel is active, the request body contains a binary SCv2 envelope, but the Content-Type header remains application/json;charset=UTF-8. The gateway detects encrypted payloads by inspecting the binary magic bytes, not the Content-Type.
Gateway Headers (WEB Chain)
| Header | Required | Chain | Description |
|---|---|---|---|
| X-Request-Id | Required | WEB / API | Unique request identifier (UUID). Used for tracing and idempotency. |
| X-PORTAL-ACCESS-CODE | Required | WEB | Portal access code. Identifies which portal the request is entering through. |
| X-Workspace-Id | Conditional | WEB | Workspace context. Required for workspace-scoped operations. |
| X-LOCALE | Optional | WEB | Response locale override (e.g., en, zh). |
| X-Client-Hash | Required | WEB | Client device fingerprint. Must remain stable across the session. |
| User-Agent | Required | WEB / API | Client user agent string. |
| Accept-Language | Optional | WEB / API | Preferred response language. |
Cloudflare Headers
These headers are injected by Cloudflare and forwarded by the gateway. In local development, you must set them manually.
| Header | Required | Chain | Description |
|---|---|---|---|
| CF-Connecting-IP | Required | WEB / API | Client IP address (set by Cloudflare). |
| cf-ipcountry | Required | WEB / API | Client country code (ISO 3166-1 alpha-2). |
| Cf-Ray | Required | WEB / API | Cloudflare ray ID for request tracing. |
| X-Forwarded-Proto | Required | WEB / API | Forwarded protocol (https). |
| cf-region | Optional | WEB / API | Client region. |
| cf-ipcity | Optional | WEB / API | Client city. |
| cf-iplatitude | Optional | WEB / API | Client latitude. |
| cf-iplongitude | Optional | WEB / API | Client longitude. |
| cf-postal-code | Optional | WEB / API | Client postal code. |
| cf-timezone | Optional | WEB / API | Client timezone. |
Authentication Headers
| Header | Required | Chain | Description |
|---|---|---|---|
| Authorization | Conditional | WEB | Bearer <JWT>. Required for authenticated endpoints. |
| Exposed-Credential-Check | Optional | WEB | Indicates the credential has been checked against breach databases. |
API Chain Headers
| Header | Required | Chain | Description |
|---|---|---|---|
| X-Api-Key | Required | API | API key identifier. |
| X-Timestamp | Required | API | Request timestamp (epoch seconds). Must be within 60 seconds of server time. |
| X-Nonce | Required | API | Unique nonce for replay protection. |
| X-Signature | Required | API | HMAC signature of the request. |
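
How the four API chain headers combine on the receiving side, as an added example that is not SlaunchX gateway code. This page does not define the signed string or the hash, so the canonical string in `sign` (method, path, timestamp, nonce, SHA-256 of the body, joined by newlines) and HMAC-SHA256 with hex output are assumptions, as are the names `NonceCache`, `sign` and `verify`.

```python
import hashlib
import hmac
import time

MAX_SKEW = 60  # seconds; the window this page gives for X-Timestamp


class NonceCache:
    """Remembers (api_key, nonce) pairs until their timestamp leaves the window."""

    def __init__(self):
        self._expiry = {}  # (api_key, nonce) -> last second a replay would still be fresh

    def first_use(self, api_key, nonce, timestamp, now):
        self._expiry = {k: e for k, e in self._expiry.items() if e >= now}
        if (api_key, nonce) in self._expiry:
            return False
        self._expiry[(api_key, nonce)] = timestamp + MAX_SKEW
        return True


def sign(secret, method, path, timestamp, nonce, body):
    # ASSUMED canonical string and algorithm (HMAC-SHA256, hex); not defined on the page.
    digest = hashlib.sha256(body).hexdigest()
    msg = "\n".join([method.upper(), path, timestamp, nonce, digest])
    return hmac.new(secret, msg.encode(), hashlib.sha256).hexdigest()


def verify(headers, method, path, body, secrets, nonces, now=None):
    """Return "ok" or the reason the request is rejected."""
    now = int(time.time()) if now is None else now
    key, ts, nonce, sig = (headers.get(h, "") for h in
                           ("X-Api-Key", "X-Timestamp", "X-Nonce", "X-Signature"))
    if not (key and ts and nonce and sig):
        return "missing_header"
    if key not in secrets:
        return "unknown_key"
    if not (ts.isascii() and ts.isdigit()) or abs(now - int(ts)) > MAX_SKEW:
        return "stale_timestamp"
    expected = sign(secrets[key], method, path, ts, nonce, body)
    # Constant-time compare, done before touching the nonce cache so that
    # unsigned requests can neither fill the cache nor consume a nonce.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return "bad_signature"
    if not nonces.first_use(key, nonce, int(ts), now):
        return "replayed_nonce"
    return "ok"
```

A nonce is kept until its timestamp plus 60 seconds, which is the last moment the same signed request would still pass the timestamp check; after that the timestamp check alone rejects a replay.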