Heroku drain requests authentication

I am configuring Loki and Promtail to receive logs from Heroku drain but one thing concerns me. Namely when each Heroku drain has separate token which Heroku sends in Logplex-Drain-Token HTTP header. Token can be used for authenticating requests from Heroku. However in the Promtail configuration I cannot find anything related to this. Does this mean I have to wide open configured port on the system so anyone could send requests to it?