Documentation from open-source Apple API implementations (such as AltSign on GitHub) and platform wikis confirm that while some HTTP fields can be omitted during testing, omitting X-Apple-I-MD-M causes the IdMS backend to reject the request and return an authentication error.

Security Implementations and Vulnerability Mitigation
Like many Apple security mechanisms, it’s: x-apple-i-md-m