elastic · ymao1 · Dec 3, 2025
@@ -57,7 +57,12 @@ export const MyConnector: SingleFileConnectorDefinition = {
     supportedFeatureIds: ['workflows'],
   },
 
-  authTypes: ['bearer'],
+  auth: {
+    types: ['bearer'],
+    headers: {
+      'Content-Type': 'application/json',
+    }
+  },
 
   schema: z.object({
     url: z.string().url().describe('API URL'),
@@ -155,17 +160,23 @@ are specified, defaults to no authentication. Can also specify a custom schema f
 which will be used in place of the default
 
 ```typescript
-authTypes: [
-  // use basic auth type with the default schema
-  'basic',
-  // use api_key_header auth type with a custom header field
-  {
-    type: 'api_key_header',
-    defaults: {
-      headerField: 'custom-api-key-field'
+auth: {
+  types: [
+    // use basic auth type with the default schema
+    'basic',
+    // use api_key_header auth type with a custom header field
+    {
+      type: 'api_key_header',
+      defaults: {
+        headerField: 'custom-api-key-field'
+      }
     }
+  ],
+  // optionally add headers that will be added to all requests
+  headers: {
+    'Content-Type': 'application/json',
   }
-]
+}
 ```
 
 ### Schema

@@ -24,7 +24,7 @@
 import type { z } from '@kbn/zod/v4';
 import type { Logger } from '@kbn/logging';
 import type { LicenseType } from '@kbn/licensing-types';
-import type { AxiosInstance } from 'axios';
+import type { AxiosHeaderValue, AxiosInstance } from 'axios';
 
 export { UISchemas } from './connector_spec_ui';
 
@@ -239,7 +239,10 @@ export interface AuthTypeDef {
 export interface ConnectorSpec {
   metadata: ConnectorMetadata;
 
-  authTypes?: Array<string | AuthTypeDef>;
+  auth?: {
+    types: Array<string | AuthTypeDef>;
+    headers?: Record<string, AxiosHeaderValue>;
+  };
 
   // Single unified schema for all connector fields (config + secrets)
   // Mark sensitive fields with withUIMeta({ sensitive: true })

@@ -12,23 +12,28 @@ import { generateSecretsSchemaFromSpec } from './generate_secrets_schema_from_sp
 
 describe('generateSecretsSchemaFromSpec', () => {
   test('correctly generates schemas for array of auth types', () => {
-    const schema = generateSecretsSchemaFromSpec([
-      'none',
-      'basic',
-      'bearer',
-      'oauth_client_credentials',
-      {
-        type: 'api_key_header',
-        defaults: {
-          headerField: 'custom-api-key-field',
+    const schema = generateSecretsSchemaFromSpec({
+      types: [
+        'none',
+        'basic',
+        'bearer',
+        'oauth_client_credentials',
+        {
+          type: 'api_key_header',
+          defaults: {
+            headerField: 'custom-api-key-field',
+          },
         },
+      ],
+      headers: {
+        'X-Custom-Header': 'CustomValue',
       },
-    ]);
+    });
     expect(z.toJSONSchema(schema)).toMatchSnapshot();
   });
 
   test('returns empty object schema when no auth types are provided', () => {
-    const schema = generateSecretsSchemaFromSpec([]);
+    const schema = generateSecretsSchemaFromSpec({ types: [] });
     expect(z.toJSONSchema(schema)).toMatchSnapshot();
   });
 });
@@ -11,9 +11,9 @@ import { z } from '@kbn/zod/v4';
 import type { ConnectorSpec } from '../connector_spec';
 import { getSchemaForAuthType } from '.';
 
-export const generateSecretsSchemaFromSpec = (authTypes: ConnectorSpec['authTypes']) => {
+export const generateSecretsSchemaFromSpec = (authSpec: ConnectorSpec['auth']) => {
   const secretSchemas: z.core.$ZodTypeDiscriminable[] = [];
-  for (const authType of authTypes || []) {
+  for (const authType of authSpec?.types || []) {
     secretSchemas.push(getSchemaForAuthType(authType));
   }
   return secretSchemas.length > 0

@@ -31,14 +31,9 @@ export const AbuseIPDBConnector: ConnectorSpec = {
     supportedFeatureIds: ['workflows'],
   },
 
-  authTypes: [
-    {
-      type: 'api_key_header',
-      defaults: {
-        headerField: 'Key',
-      },
-    },
-  ],
+  auth: {
+    types: [{ type: 'api_key_header', defaults: { headerField: 'Key' } }],
+  },
 
   actions: {
     checkIp: {

@@ -31,14 +31,9 @@ export const AlienVaultOTXConnector: ConnectorSpec = {
     supportedFeatureIds: ['workflows'],
   },
 
-  authTypes: [
-    {
-      type: 'api_key_header',
-      defaults: {
-        headerField: 'X-OTX-API-KEY',
-      },
-    },
-  ],
+  auth: {
+    types: [{ type: 'api_key_header', defaults: { headerField: 'X-OTX-API-KEY' } }],
+  },
 
   actions: {
     getIndicator: {

@@ -31,14 +31,9 @@ export const GreyNoiseConnector: ConnectorSpec = {
     supportedFeatureIds: ['workflows'],
   },
 
-  authTypes: [
-    {
-      type: 'api_key_header',
-      defaults: {
-        headerField: 'key',
-      },
-    },
-  ],
+  auth: {
+    types: [{ type: 'api_key_header', defaults: { headerField: 'key' } }],
+  },
 
   actions: {
     getIpContext: {

@@ -31,14 +31,9 @@ export const ShodanConnector: ConnectorSpec = {
     supportedFeatureIds: ['workflows'],
   },
 
-  authTypes: [
-    {
-      type: 'api_key_header',
-      defaults: {
-        headerField: 'X-Api-Key',
-      },
-    },
-  ],
+  auth: {
+    types: [{ type: 'api_key_header', defaults: { headerField: 'X-Api-Key' } }],
+  },
 
   actions: {
     searchHosts: {

@@ -32,14 +32,9 @@ export const URLVoidConnector: ConnectorSpec = {
     supportedFeatureIds: ['workflows'],
   },
 
-  authTypes: [
-    {
-      type: 'api_key_header',
-      defaults: {
-        headerField: 'X-Api-Key',
-      },
-    },
-  ],
+  auth: {
+    types: [{ type: 'api_key_header', defaults: { headerField: 'X-Api-Key' } }],
+  },
 
   actions: {
     scanDomain: {

@@ -31,19 +31,15 @@ export const VirusTotalConnector: ConnectorSpec = {
     supportedFeatureIds: ['workflows'],
   },
 
-  authTypes: [
-    {
-      type: 'api_key_header',
-      defaults: {
-        headerField: 'x-apikey',
+  auth: {
+    types: [
+      {
+        type: 'api_key_header',
+        defaults: { headerField: 'x-apikey' },
+        overrides: { meta: { 'x-apikey': { placeholder: 'vt-...' } } },
       },
-      overrides: {
-        meta: {
-          'x-apikey': { placeholder: 'vt-...' },
-        },
-      },
-    },
-  ],
+    ],
+  },
 
   actions: {
     scanFileHash: {

@@ -128,6 +128,22 @@ const connectorType: jest.Mocked<ConnectorType> = {
   executor: jest.fn(),
 };
 
+const connectorTypeWithGlobalHeaders: jest.Mocked<ConnectorType> = {
+  id: 'test-with-global-headers',
+  name: 'Test with Global Headers',
+  minimumLicenseRequired: 'basic',
+  supportedFeatureIds: ['alerting'],
+  validate: {
+    config: { schema: z.object({ bar: z.boolean() }) },
+    secrets: { schema: z.object({ baz: z.boolean() }) },
+    params: { schema: z.object({ foo: z.boolean() }) },
+  },
+  executor: jest.fn(),
+  globalAuthHeaders: {
+    'x-custom-header': 'custom-header-value',
+  },
+};
+
 const systemConnectorType: jest.Mocked<ConnectorType> = {
   id: '.cases',
   name: 'Cases',
@@ -354,6 +370,38 @@ describe('Action Executor', () => {
       expect(mockRateLimiterLog).toBeCalledWith('test');
     });
 
+    test(`successfully  ${label} with any defined auth headers`, async () => {
+      mockGetRequestBodyByte.mockReturnValue(300);
+      encryptedSavedObjectsClient.getDecryptedAsInternalUser.mockResolvedValueOnce(
+        connectorSavedObject
+      );
+      connectorTypeRegistry.get.mockReturnValueOnce(connectorTypeWithGlobalHeaders);
+
+      if (executeUnsecure) {
+        await actionExecutor.executeUnsecured(executeUnsecuredParams);
+      } else {
+        await actionExecutor.execute(executeParams);
+      }
+
+      expect(connectorTypeWithGlobalHeaders.executor).toHaveBeenCalledWith({
+        actionId: CONNECTOR_ID,
+        services: expect.anything(),
+        config: {
+          bar: true,
+        },
+        secrets: {
+          baz: true,
+        },
+        params: { foo: true },
+        logger: loggerMock,
+        connectorUsageCollector: expect.any(ConnectorUsageCollector),
+        globalAuthHeaders: {
+          'x-custom-header': 'custom-header-value',
+        },
+        ...(executeUnsecure ? {} : { source: SOURCE }),
+      });
+    });
+
     for (const executionSource of [
       {
         name: `http`,

@@ -535,6 +535,7 @@ export class ActionExecutor {
             config: validatedConfig,
             secrets: validatedSecrets,
             taskInfo,
+            globalAuthHeaders: actionType.globalAuthHeaders,
             configurationUtilities,
             logger,
             source,

@@ -149,6 +149,77 @@ describe('getAxiosInstance', () => {
     expect(getCustomAgents).toHaveBeenCalledWith(configurationUtilities, logger, 'http://test3');
   });
 
+  test('returns axios instance configured for api_key_header auth and additional headers', async () => {
+    const getAxios = getAxiosInstanceWithAuth({
+      authTypeRegistry,
+      configurationUtilities,
+      logger,
+    });
+    const result = await getAxios({
+      additionalHeaders: {
+        'X-Custom-Header': 'i-am-a-custom-header-string',
+        'X-Version': '1.0.0',
+      },
+      connectorId: '1',
+      secrets: {
+        authType: 'api_key_header',
+        'X-Custom-Auth': 'i-am-a-custom-auth-string',
+      },
+    });
+
+    expect(result).not.toBeUndefined();
+    expect(result!.defaults.auth).toBeUndefined();
+    expect(result!.defaults.headers.common).toEqual(
+      expect.objectContaining({
+        'X-Custom-Header': 'i-am-a-custom-header-string',
+        'X-Version': '1.0.0',
+        'X-Custom-Auth': 'i-am-a-custom-auth-string',
+      })
+    );
+
+    // @ts-expect-error
+    expect(result!.interceptors.request.handlers.length).toBe(1);
+
+    // @ts-expect-error
+    const result2 = result!.interceptors.request.handlers[0].fulfilled({ url: 'http://test3' });
+    expect(getCustomAgents).toHaveBeenCalledWith(configurationUtilities, logger, 'http://test3');
+  });
+
+  test('auth type configured headers take precedence over additional headers', async () => {
+    const getAxios = getAxiosInstanceWithAuth({
+      authTypeRegistry,
+      configurationUtilities,
+      logger,
+    });
+    const result = await getAxios({
+      additionalHeaders: {
+        'X-Custom-Auth': 'place-holder-value',
+        'X-Version': '1.0.0',
+      },
+      connectorId: '1',
+      secrets: {
+        authType: 'api_key_header',
+        'X-Custom-Auth': 'i-am-a-custom-auth-string',
+      },
+    });
+
+    expect(result).not.toBeUndefined();
+    expect(result!.defaults.auth).toBeUndefined();
+    expect(result!.defaults.headers.common).toEqual(
+      expect.objectContaining({
+        'X-Version': '1.0.0',
+        'X-Custom-Auth': 'i-am-a-custom-auth-string',
+      })
+    );
+
+    // @ts-expect-error
+    expect(result!.interceptors.request.handlers.length).toBe(1);
+
+    // @ts-expect-error
+    const result2 = result!.interceptors.request.handlers[0].fulfilled({ url: 'http://test3' });
+    expect(getCustomAgents).toHaveBeenCalledWith(configurationUtilities, logger, 'http://test3');
+  });
+
   test('returns axios instance configured for oauth client credentials auth when connector token client is undefined', async () => {
     (requestOAuthClientCredentialsToken as jest.Mock).mockResolvedValueOnce({
       tokenType: 'Bearer',