diff --git a/core/src/enterprise/auth.ts b/core/src/enterprise/auth.ts
index 8e326b82d1..c89ff2f21f 100644
--- a/core/src/enterprise/auth.ts
+++ b/core/src/enterprise/auth.ts
@@ -20,7 +20,10 @@ import { got } from "../util/http"
 import { RuntimeError, InternalError } from "../exceptions"
 import { gardenEnv } from "../constants"
 
-export const authTokenHeader = "x-access-auth-token"
+// If a GARDEN_AUTH_TOKEN is present and Garden is NOT running from a workflow runner pod,
+// switch to ci-token authentication method.
+export const authTokenHeader =
+  gardenEnv.GARDEN_AUTH_TOKEN && !gardenEnv.GARDEN_GE_SCHEDULED ? "x-ci-token" : "x-access-auth-token"
 export const makeAuthHeader = (clientAuthToken: string) => ({ [authTokenHeader]: clientAuthToken })
 
 // TODO: Add error handling and tests for all of this
diff --git a/core/src/enterprise/secrets/garden/get-secret.ts b/core/src/enterprise/secrets/garden/get-secret.ts
index 854747c0c7..ec83e50727 100644
--- a/core/src/enterprise/secrets/garden/get-secret.ts
+++ b/core/src/enterprise/secrets/garden/get-secret.ts
@@ -9,6 +9,7 @@
 import { got, GotResponse } from "../../../util/http"
 import { GetSecretsParams } from ".."
 import { StringMap } from "../../../config/common"
+import { authTokenHeader } from "../../auth"
 
 export async function getSecretsFromGardenCloud({
   log,
@@ -19,7 +20,7 @@ export async function getSecretsFromGardenCloud({
 }: GetSecretsParams): Promise<StringMap> {
   try {
     const url = `${enterpriseDomain}/secrets/projectUid/${projectId}/env/${environmentName}`
-    const headers = { "x-access-auth-token": clientAuthToken }
+    const headers = { [authTokenHeader]: clientAuthToken }
     const res = await got(url, { headers }).json<GotResponse<any>>()
     if (res && res["status"] === "success") {
       return res["data"]