Yes, X-Auth-Token is specific to Slash GraphQL. It’s the only header that Slash GraphQL uses for authentication / authorization for admin functionality (creating / updating databases, etc…)
Any header that you put in the auth magic comment will be added to the Access-Control-Allow-Headers header, so you can use any header you’d like. X-Auth-Token is one we see commonly used.
I believe these two are unused in dgraph itself.