When you make a request via Postman or any other tool or application that can send HTTP requests, the request will be received by the underlying Azure App Service web app (note that Azure Functions are built on top of App Services) that first checks the presence of the header name code either in the query string collection or in the Request Body. If it finds it, then it validates the value of the code query string with the function keys. If it's a valid one, then it authorizes the request and allows the runtime to process the request. Otherwise, it throws an error with a 401 Unauthorized message.