====== X-PawPub-Actor header ======

When sending an authenticated request to another [[instance]], it may be an action initiated by a local [[objects:actor]] (on your instance), which is indicated by the ''**X-PawPub-Actor**'' HTTP request header, the value of which must be the URI of an actor you control (i.e. under the same hostname as what your [[authentication]] token is valid for).

For example:

<code http>
POST /actor/1/follow HTTP/1.1
Host: remote-instance.example
Authorization: Bearer ...
X-PawPub-Actor: https://local-instance.example/actor/jhimmy
Content-Length: 0

</code>

===== Security considerations =====

When receiving an incoming request with an ''X-PawPub-Actor'' header, you should verify that an ''Authorization'' header is also present, and is valid, and that its token was issued for the same domain/port combination as the actor specified. You should also reject the request if the actor can't be resolved.


{{page>include:stub}}