Hey probably kinda depends on the specific setup you have.
But in the room in the "onAuth()" callback you can access the header via the request object you get.
so on client side set the header with your accessToken
then for /matchmake or sessions endpoints i would add a express middleware
this would work if you use the express setup for the colyseus server:
also you have have to set on client side the header with some sort of intercepter
this doc helps if you develop you client for the web: