diff --git a/pkg/apis/options/common.go b/pkg/apis/options/common.go
new file mode 100644
index 00000000..60d352a5
--- /dev/null
+++ b/pkg/apis/options/common.go
@@ -0,0 +1,14 @@
+package options
+
+// SecretSource references an individual secret value.
+// Only one source within the struct should be defined at any time.
+type SecretSource struct {
+	// Value expects a base64 encoded string value.
+	Value []byte
+
+	// FromEnv expects the name of an environment variable.
+	FromEnv string
+
+	// FromFile expects a path to a file containing the secret value.
+	FromFile string
+}
diff --git a/pkg/apis/options/header.go b/pkg/apis/options/header.go
new file mode 100644
index 00000000..0b2e1b69
--- /dev/null
+++ b/pkg/apis/options/header.go
@@ -0,0 +1,44 @@
+package options
+
+// Header represents an individual header that will be added to a request or
+// response header.
+type Header struct {
+	// Name is the header name to be used for this set of values.
+	// Names should be unique within a list of Headers.
+	Name string `json:"name"`
+
+	// PreserveRequestValue determines whether any values for this header
+	// should be preserved for the request to the upstream server.
+	// This option only takes effet on injected request headers.
+	// Defaults to false (headers that match this header will be stripped).
+	PreserveRequestValue bool `json:"preserveRequestValue"`
+
+	// Values contains the desired values for this header
+	Values []HeaderValue `json:"values"`
+}
+
+// HeaderValue represents a single header value and the sources that can
+// make up the header value
+type HeaderValue struct {
+	// Allow users to load the value from a secret source
+	*SecretSource
+
+	// Allow users to load the value from a session claim
+	*ClaimSource
+}
+
+// ClaimSource allows loading a header value from a claim within the session
+type ClaimSource struct {
+	// Claim is the name of the claim in the session that the value should be
+	// loaded from.
+	Claim string `json:"claim,omitempty"`
+
+	// Prefix is an optional prefix that will be prepended to the value of the
+	// claim if it is non-empty.
+	Prefix string `json:"prefix,omitempty"`
+
+	// BasicAuthPassword converts this claim into a basic auth header.
+	// Note the value of claim will become the basic auth username and the
+	// basicAuthPassword will be used as the password value.
+	BasicAuthPassword *SecretSource
+}