First REST Operation - Custom Header

I have a vendor that is sending an HL7 message. But when I asked for more detail about their mapping tables, they told me they typically don't supply that but supply an API for customers to call so they don't have to define tables and it is more dynamic.

So with that being said I am creating my first REST operation. I understand the gist of how a REST operation works in working with other types out Non HL7 Operations (SOAP, SQL) before. You send a request and get a response back, that part I understand.

What I am not comprehending is how secure it can be if they only give you an ID, and a Secret pass code to work with.

How secure is it if they are not requiring a Certificate, or Credentials?

• I have created a simple client TLS configuration for this Operation, I am just not sure how secure it is, and how to send a custom header within the call.

If the ID and Secret pass code has to be sent in the header, how does one create a Custom Header for authentication with the API?  

This is what I have to pass to them for Authentication...

{
"Key" : "xxxxxxxxxxxxxxxxxxxxxxxx",
"Id": "xxxxx",
"Secret": "xxxxx",
"Resource": "xxxxx",
"Instance" : "xxxxx"
}

Forgive me but I am just not finding the right documentation to point me in the direction I am looking for.