The services work fine by now and anyone can query the details of our products. That may be a problem. The details of the products are not necessarily public information. We have to ensure that we serve the data only to partners who are eligible to see it.
To ensure that, we need something in the request that proves that the request comes from a partner. This information is typically a password or some other secret. It could be placed into the GET request parameters or into the HTTP request header. It is better to put it into the header because the information is secret and not to be seen by anybody.