There are two possible ways of authenticating STRING transactions. The traditional way is "authentication by setup" where the port of the operator system is accessible only by allowed clients by means of VPN / IP setup. We don't recommend this way but it would be still possible with STRING. The next level would be some external authentication for instance by HTTP or similar transfer protocols, maybe including client certificates for HTTPS. External authentication is not visible inside the STRING protocol and thus out of scope.
Internal authentication has to be optional and could be in addition to the external one or "standalone". STRING will not define ways of authentication but just define a header with some standard fields.