diff --git a/proto/opamp.proto b/proto/opamp.proto
index e8d9dfa..1e233c4 100644
--- a/proto/opamp.proto
+++ b/proto/opamp.proto
@@ -515,6 +515,14 @@ message DownloadableFile {
     // https://github.com/open-telemetry/opamp-spec/blob/main/specification.md#code-signing
     // for recommendations.
     bytes signature = 3;
+
+    // Optional headers to use when downloading a file. Typically used to set
+    // access tokens or other authorization headers. For HTTP-based protocols
+    // the Agent should set these in the request headers.
+    // For example:
+    // key="Authorization", Value="Basic YWxhZGRpbjpvcGVuc2VzYW1l".
+    // Status: [Development]
+    Headers headers = 4;
 }
 
 message ServerErrorResponse {
diff --git a/specification.md b/specification.md
index a9027d9..e86953a 100644
--- a/specification.md
+++ b/specification.md
@@ -154,6 +154,7 @@ Status: [Beta]
       - [DownloadableFile.download_url](#downloadablefiledownload_url)
       - [DownloadableFile.content_hash](#downloadablefilecontent_hash)
       - [DownloadableFile.signature](#downloadablefilesignature)
+      - [DownloadableFile.headers](#downloadablefileheaders)
   * [Custom Messages](#custom-messages)
     + [Motivation](#motivation)
     + [CustomCapabilities](#customcapabilities)
@@ -2412,7 +2413,9 @@ should download the file:
   and the file SHOULD be downloaded from the location specified in the
   [download_url](#downloadablefiledownload_url) field of the
   [DownloadableFile](#downloadablefile-message) message. The Agent SHOULD use an
-  HTTP GET message to download the file.
+  HTTP GET message to download the file. The Agent SHOULD include the HTTP
+  headers provided in the [headers](#downloadablefileheaders) field for the GET
+  request.
 
 The procedure outlined above allows the Agent to efficiently download only new
 or changed packages and only download new or changed files.
@@ -2605,6 +2608,7 @@ message DownloadableFile {
     string download_url = 1;
     bytes content_hash = 2;
     bytes signature = 3;
+    headers headers = 4; // Status: [Development]
 }
 ```
 
@@ -2627,6 +2631,16 @@ authenticity of the downloaded file, for example can be the
 The exact signing and verification method is Agent specific. See
 [Code Signing](#code-signing) for recommendations.
 
+##### DownloadableFile.headers
+
+Status: [Development]
+
+Optional headers to use for the HTTP GET request. Typically used to set access
+tokens or other authorization headers. For HTTP-based protocols the Agent
+should set these in the request headers.
+For example:
+key="Authorization", Value="Basic YWxhZGRpbjpvcGVuc2VzYW1l".
+
 ### Custom Messages
 
 Status: [Development]