Oh shit that's true, no websocket headers from browsers :(
It could be a 'secret' included in url but then it will be logged by every damn thing in the middle of you and the relay, not sure if passing long-lived secrets in urls is a good practice.