
SanjayaV.79926 (Red Energy) asked a question.
I have a requirement to authenticate users within a back-end application. According to documentation in https://developer.okta.com/docs/reference/api/authn, it seems I should be using the trusted application authentication.
In the example given for trusted application authentication, there are headers for `User-Agent` and `X-Forwarded-For` to pass information to Okta about the end user.
From a quick test I did, it does not seem to be mandatory to have those two headers for a successful authentication. For example, the following request succeeds:
```
curl -X POST \
https://mydomain.okta.com/api/v1/authn \
-H 'Accept: application/json' \
-H 'Authorization: SSWS MyAPIToken' \
-H 'Content-Type: application/json' \
-d '{
"username": "user@example.com",
"password" : "correcthorsebatterystaple"
}
```
(Note that I have a `SSWS` header to make the request a trusted application authentication, but there's no X-Forwarded-For or User-Agent headers set in the request)
My questions are:
- What would be the impact of not passing through User-Agent and X-Forwarded-For headers?
- It is possible that Okta would start rejecting requests with high volume of authentication requests originating from my back-end application? (Legitimate volume due to multiple users trying to authenticate themselves)

Hey there! Sorry for the lack of response here on the Discussions forum. If you’re still looking for an answer, I would recommend checking out our Developer resources, including the Developer Forum (https://devforum.okta.com/) and documentation. If you are unable to find the solutions you're looking for there, we would encourage you to contact our dedicated Developer Support team at developers@okta.com, and they will be able to help you out.