The "master.conf" section in http://docs.puppetlabs.com/puppetserver/1.0/configuration.html#masterconf describes the allow-header-cert-info setting which can be used for enabling authentication via the use of X-Client- headers. This documentation isn't very clear about the scope of the APIs that the X-Client- headers control. For many end users, the distinction between the "Ruby Puppet master-bound" vs. the "Clojure-bound puppet-admin and CA" endpoints is probably not very clear. To make this more clear, it might be better to, in the "master.conf" section of the documentation, list out all of the endpoints that the allow-header-cert-info setting can control. The same could be done for the "ca.conf" and puppet-admin section of the "puppetserver.conf" for further clarity.