diff --git a/README.md b/README.md
index a4a0a0b..a085340 100644
--- a/README.md
+++ b/README.md
@@ -9,7 +9,8 @@ however if you initially set up via `npm adduser` and add your token u can still
 
 ## Features
 
-- ✅ Only 2 config options: `endpoint`, `timeout`
+- ✅ Only 1 required config option: `endpoint`
+- ✅ Optional config options: `timeout`, `signupUrl`, `headers`
 - ✅ Native `fetch()` (Node.js 18+)
 - ✅ Timeout & Error Handling
 - ✅ **JWT Support**: Web UI login works unchanged if you have added users via npm adduser
@@ -38,7 +39,9 @@ auth:
   '@practical/verdaccio-api-token':
     endpoint: https://your-api.com/verdaccio/verify  # Required 
     timeout: 5000  # Optional (ms)
-    signupUrl: your signup page  # Optional 
+    signupUrl: your signup page  # Optional
+    headers:  # Optional
+      X-Custom-Header: some-value
 
 # set your auth config as u like
 packages:
diff --git a/index.ts b/index.ts
index c33fc99..fb69f3b 100644
--- a/index.ts
+++ b/index.ts
@@ -4,6 +4,7 @@ interface ApiTokenAuthConfig {
     endpoint: string;
     signupUrl?: string;
     timeout?: number;
+    headers?: Record<string, string>;
 }
 
 interface VerdaccioStuff {
@@ -57,6 +58,7 @@ export = function apiTokenAuth(
     const endpoint = config.endpoint;
     const signupUrl = config.signupUrl || 'your signup page';
     const timeout = config.timeout ?? 5000;
+    const extraHeaders = config.headers ?? {};
 
     // Cache validated tokens with their user data for performance
     // Tokens are removed from cache when validation fails on subsequent requests
@@ -114,7 +116,8 @@ export = function apiTokenAuth(
                     'Content-Type': 'application/json',
                     'Cache-Control': 'no-cache, no-store, must-revalidate',
                     'Pragma': 'no-cache',
-                    'Expires': '0'
+                    'Expires': '0',
+                    ...extraHeaders
                 },
                 body: requestBody,
                 signal: controller.signal,