In the pre-registration hook, I am making an http request to my app’s API for a list of whitelisted email addresses. Can I simply make a GET request using an http package, and not add in an authorization header? Does Auth0 add this header to the request?
No, from the perspective of calling an external service, either your own API or other third-party service, you can consider hooks as just any other Node.js code you would implement and that you could run locally, in particular, you’ll have to perform the call in such way that it includes the necessary requirements for the API in question.
This means that if the API requires some sort of authentication, you’re responsible to provide it even if the API happens to also be defined in Auth0.