diff --git a/cmd/src/main.go b/cmd/src/main.go
index 8fc7f1fcec..9e63c49762 100644
--- a/cmd/src/main.go
+++ b/cmd/src/main.go
@@ -58,6 +58,9 @@ var (
 	// The following arguments are deprecated which is why they are no longer documented
 	configPath = flag.String("config", "", "")
 	endpoint   = flag.String("endpoint", "", "")
+
+	errConfigMerge                 = errors.New("when using a configuration file, zero or all environment variables must be set")
+	errConfigAuthorizationConflict = errors.New("when passing an 'Authorization' additional headers, SRC_ACCESS_TOKEN must never be set")
 )
 
 // commands contains all registered subcommands.
@@ -154,6 +157,11 @@ func readConfig() (*config, error) {
 	}
 
 	cfg.AdditionalHeaders = parseAdditionalHeaders()
+	// Ensure that we're not clashing additonal headers
+	_, hasAuthorizationAdditonalHeader := cfg.AdditionalHeaders["authorization"]
+	if cfg.AccessToken != "" && hasAuthorizationAdditonalHeader {
+		return nil, errConfigAuthorizationConflict
+	}
 
 	// Lastly, apply endpoint flag if set
 	if endpoint != nil && *endpoint != "" {
@@ -168,5 +176,3 @@ func readConfig() (*config, error) {
 func cleanEndpoint(urlStr string) string {
 	return strings.TrimSuffix(urlStr, "/")
 }
-
-var errConfigMerge = errors.New("when using a configuration file, zero or all environment variables must be set")
diff --git a/cmd/src/main_test.go b/cmd/src/main_test.go
index 3fe93eb2a5..6b25654e7f 100644
--- a/cmd/src/main_test.go
+++ b/cmd/src/main_test.go
@@ -151,6 +151,13 @@ func TestReadConfig(t *testing.T) {
 				AdditionalHeaders: map[string]string{"foo-bar": "bar-baz", "foo": "bar"},
 			},
 		},
+		{
+			name:        "additional headers SRC_HEADERS_AUTHORIZATION and SRC_ACCESS_TOKEN",
+			envToken:    "abc",
+			envEndpoint: "https://override.com",
+			envHeaders:  "Authorization:Bearer",
+			wantErr:     errConfigAuthorizationConflict.Error(),
+		},
 	}
 
 	for _, test := range tests {