Importance of User-Agent and X-Forwarded-For headers in trusted application authentication

I have a requirement to authenticate users inside a back-end application. According to documentation in, it seems I should be using the trusted application authentication.

In the example given for trusted application authentication, there are headers for User-Agent and X-Forwarded-For to pass information to Okta about the end user.

From a quick test I did, it does not seem to be mandatory to have those two headers for a successful authentication. For example, the following request succeeds:

curl -X POST \ \
  -H 'Accept: application/json' \
  -H 'Authorization: SSWS MyAPIToken' \
  -H 'Content-Type: application/json' \
  -d '{
  "username": "",
  "password" : "correcthorsebatterystaple"
}  '

(Note that I have an SSWS header but no X-Forwarded-For or User-Agent headers set in the request.)

My questions are:

  1. What would be the impact of not passing through User-Agent and X-Forwarded-For headers?

  2. Is it possible that Okta would start rejecting requests with a high volume of authentication requests originating from my back-end application? (Legitimate volume due to multiple users trying to authenticate themselves)

According to the Okta support team, these two headers only matter for metrics, but not the actual authentication function.