X-dev-access Yes May 2026
Never allow X-Dev-Access: yes to bypass authentication. Require a valid API key, JWT, or session cookie first. The header should only unlock additional diagnostics, not replace identity verification.
Developers often need to see real-time changes without cache interference. x-dev-access: yes might instruct a CDN, reverse proxy, or application cache to skip caching for that request.

| Scenario | Explanation |
|----------|-------------|
| Internal API gateway | An organization uses this header to bypass rate limiting, logging, or security checks for internal dev tools. |
| Mock or proxy server | Tools like Postman, WireMock, or custom proxies might use x-dev-access: yes to return mock data or disable real side effects. |
| Low-code / no-code platforms | Some internal systems (e.g., Retool, Budibase) allow custom headers to toggle dev-mode for API connectors. |
| Legacy or niche SaaS | A few B2B services have undocumented headers to enable developer sandbox features (e.g., skipping email verification). |

Imagine a new API endpoint /v3/payments/refund/batch. It is ready for developer testing but not for public consumption. The API gateway can be configured to return 404 Not Found unless x-dev-access: yes is present. This allows frontend and mobile developers to test the integration while the endpoint remains hidden from external users.
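
The rule above (identity first, header second) combined with the hidden-endpoint gateway behaviour, as an added example that is not code from any real gateway or product. The API keys, role names, the x-api-key header and the /v3/payments/status path are constructed assumptions; only /v3/payments/refund/batch and the x-dev-access header come from the text.

```python
import hmac

# Constructed sample data: API keys and the roles they carry (assumption).
API_KEYS = {"key-alice-dev": {"dev"}, "key-bob-user": {"user"}}
# Endpoints hidden from everyone except authenticated developers.
PREVIEW_PATHS = {"/v3/payments/refund/batch"}
PUBLIC_PATHS = {"/v3/payments/status"}  # hypothetical public endpoint


def authenticate(headers):
    """Return the caller's roles, or None if the API key is missing or invalid."""
    presented = headers.get("x-api-key", "")
    for key, roles in API_KEYS.items():
        # Constant-time comparison avoids leaking key prefixes through timing.
        if hmac.compare_digest(presented.encode(), key.encode()):
            return roles
    return None


def handle(path, headers):
    """Return (status, body, diagnostics_enabled) for one request."""
    headers = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    roles = authenticate(headers)
    if roles is None:
        # Identity comes first: the dev header is never consulted on this branch.
        return 401, "unauthorized", False
    # The header is only a request; the authenticated role decides if it is honoured.
    wants_dev = headers.get("x-dev-access", "").strip().lower() == "yes"
    dev_mode = wants_dev and "dev" in roles
    if path in PREVIEW_PATHS:
        if not dev_mode:
            return 404, "not found", False  # hidden endpoint looks nonexistent
        return 200, "refund batch accepted (preview)", True
    if path in PUBLIC_PATHS:
        return 200, "ok", dev_mode
    return 404, "not found", False


if __name__ == "__main__":
    for hdrs in ({"X-Dev-Access": "yes"},
                 {"X-API-Key": "key-bob-user", "X-Dev-Access": "yes"},
                 {"X-API-Key": "key-alice-dev", "X-Dev-Access": "yes"}):
        print(hdrs, "->", handle("/v3/payments/refund/batch", hdrs))
```

Unauthenticated callers get 401 on every path, so the response does not reveal whether a preview endpoint exists.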