Auto-Generated Headers
Understand how RESTK automatically generates headers from authentication and body type, and how to override them.
RESTK automatically generates headers based on your authentication configuration and request body type. These headers are displayed as read-only entries in the Headers tab, separate from your custom headers.
Quick Start
Open Headers Tab
Navigate to the Headers tab in your request
View Derived Headers
See read-only headers with "Auth" or "Body" badges at the top
Add Custom Headers
Add your own headers below the derived section
Override if Needed
For Raw body types, add a custom Content-Type header to override the default
Header Types
Headers in RESTK come from three sources:
1. User-Defined Headers
- Source: Manually added by you in the Headers tab
- Editable: Yes
- Synced: Yes, across devices
- Example:
X-Custom-Header: my-value
2. Derived from Authentication
- Source: Generated from your Auth tab configuration
- Editable: No (edit in Auth tab instead)
- Synced: No (regenerated from auth config)
- Badge: Auth badge with lock icon
- Example:
Authorization: Bearer ***(value masked)
3. Derived from Body Type
- Source: Generated from your body type selection
- Editable: No (overridable for Raw body types only)
- Synced: No (regenerated from body type)
- Badge: Body badge
- Example:
Content-Type: application/json
Authorization Header
How It's Generated
The authorization header is automatically created based on your authentication type:
Bearer Token:
Authorization: Bearer ***
Basic Auth:
Authorization: Basic ***
API Key (Header Location):
<your-key-name>: ***
The header name is configurable — it uses whatever key name you set in the Auth tab (e.g., X-API-Key, Authorization, Api-Token).
JWT:
<header-name>: <prefix> ***
Both the header name and prefix are configurable. By default this is Authorization: Bearer <jwt>, but you can customize both to match your API's requirements.
Value Masking
Auth header values are masked (***) in the UI for security, but the full token is sent in the actual request.
Editing Authorization
To change the authorization header:
- Go to the Auth tab
- Select your auth type (Bearer, Basic, API Key, JWT)
- Enter your credentials
- The authorization header updates automatically
You cannot edit the authorization header directly in the Headers tab.
Content-Type Header
How It's Generated
The Content-Type header is automatically set based on your body type:
| Body Type | Content-Type |
|---|---|
| None | (no header) |
| Raw (JSON) | application/json |
| Raw (XML) | application/xml |
| Raw (HTML) | text/html |
| Raw (JavaScript) | application/javascript |
| Raw (Text) | text/plain |
| Form Data | multipart/form-data; boundary=... |
| URL Encoded | application/x-www-form-urlencoded |
| Binary | application/octet-stream |
| GraphQL | application/json |
Overriding Content-Type
Override Only Works for Raw Body Types
You can override the Content-Type header for Raw body types (JSON, XML, Text, etc.). For Form Data and URL Encoded, the Content-Type is always forced from the body type and cannot be overridden — this is necessary because multipart boundaries must match between the header and body.
To override for Raw body types:
Add Custom Header
Click Add Header and enter:
- Key:
Content-Type - Value: Your custom type (e.g.,
application/vnd.api+json)
Save
Your custom Content-Type now overrides the body-driven one
Revert Override:
Delete your custom Content-Type header, and the body-driven one reappears.
Auto-Generated System Headers
RESTK also auto-generates standard HTTP headers for every request:
| Header | Value | Purpose |
|---|---|---|
| Host | (from URL) | Dynamically extracted from request URL |
| User-Agent | RestkClient/{version}({build}) | Identifies RESTK with app version and build number |
| Accept | */* | Indicates accepted response types |
| Accept-Encoding | gzip, deflate, br | Supported compression formats |
| Connection | keep-alive | Connection reuse strategy |
| Restk-Token | (UUID) | Unique per-request identifier for tracking |
Hiding Auto-Generated Headers
Auto-generated headers can be managed in two ways:
- Hide all: Use the "Show/Hide Auto-Generated" toggle at the top of the Headers tab to collapse the entire section
- Disable individually: Toggle specific auto-generated headers off to prevent them from being sent
Hidden or disabled auto-generated headers are still visible when you expand the section, but disabled ones are not sent in the actual request.
Display Layout
Headers Tab Structure
Derived Headers (Read-Only)
- Lock icon (no checkbox)
- Badge showing source ("Auth" or "Body")
- Cannot be deleted or disabled
- Clicking the badge navigates to the source tab
User Headers (Editable)
- Checkbox to enable/disable
- Delete button (trash icon)
- Fully editable key and value
Header Precedence
When you click Send, headers are resolved in this order of priority (highest first):
- Authorization header — from auth config, handled separately. Cannot be overridden via the Headers tab
- Content-Type for Form Data / URL Encoded — forced from body type, cannot be overridden
- User-defined headers — your custom headers have the highest priority for all other keys
- Content-Type for Raw body types — user override wins if present, otherwise body-driven default
- Auto-generated system headers — lowest priority, only applied if the key isn't already set by a higher source
Summary
| Header | Can Override? |
|---|---|
| Authorization | No — always from Auth tab |
| Content-Type (Form Data / URL Encoded) | No — forced from body type |
| Content-Type (Raw) | Yes — add a custom header |
| Host, User-Agent, Accept, etc. | Yes — add a custom header with the same key |
Sync Behavior
What Syncs
- User-defined headers: Key, value, enabled status, order
- Content-Type override: If you added a custom one
- Auth type: The auth type (Bearer, Basic, etc.)
What Doesn't Sync
- Authorization header values: Regenerated per-device from auth config
- Derived headers: Recalculated on each device
- Auto-generated header settings: Local preferences
Best Practices
- Don't Duplicate Auth Headers — Use the Auth tab instead of manual headers
- Override Content-Type Sparingly — Body-driven values are usually correct, and Form Data / URL Encoded cannot be overridden
- Use Custom Headers for APIs — Add
X-API-Key,X-Request-ID, etc. as user headers - Review Derived Headers — Click badges to verify source configuration
- Hide Auto-Generated — Reduce clutter by hiding system headers
Troubleshooting
Authorization Header Not Appearing
Check:
- Auth type is not "None" or "Inherit"
- Auth configuration is complete
- Credentials are entered
Solution:
- Go to Auth tab and configure authentication
Content-Type Wrong Value
Check:
- Body type matches your needs
- No custom Content-Type override exists (for Raw body types)
- For Form Data / URL Encoded, Content-Type is always automatic
Solution:
- Change body type in Body tab
- Delete custom Content-Type to use body-driven default
Can't Edit Authorization Header
This is correct behavior — Authorization headers are read-only in the Headers tab.
Solution:
- Edit authentication in the Auth tab